Maurice Naggar

Community Answers

  1. Maurice Naggar's post in "Website Blocked Due to Riskware" Notifications Every Minute but No Malware was marked as the answer   
    Thank you for that.  I have one last custom fix script here.
    Your Downloads folder is C:\Users\arthu\Downloads
    We will use FRSTENGLISH.exe to run a custom script. The system will be rebooted after the script has run.
    This custom script is for Ay000 only / for this machine only.

    This custom script has some specific things, plus some general aspects to help the system overall.
    NOTE-1: This script's main goal is to remove one scheduled task that uses an odd & suspicious script & to remove a few suspicious zero-byte files.
    Please be sure to close any open work files, documents, any apps you started yourself before starting this.
    If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached, please disconnect any of those.
    Please save the (attached file named) FIXLIST.txt to the Downloads folder.
    Fixlist.txt

    Then, start the Windows Explorer and then go to the Downloads folder.

    RIGHT click on FRSTENGLISH.exe and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow it to run the tool.
    If the tool warns you the version is outdated, please download and run the updated version.
    IF Windows prompts you about running this, select YES to allow it to proceed.
    IF you get a block message from Windows about this tool, click the line "More info" on that screen and click the button "Run anyway" on the next screen.
    On the FRST window: Click the Fix button just once, and wait.

    PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience.
    If you receive a message that a reboot is required, please make sure you allow it to restart normally.
    The tool will complete its run after restart.
    When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run.
    Please attach the FIXLOG.txt with your reply.
  2. Maurice Naggar's post in Riskware.BitcoinMiner is coming back over and over. was marked as the answer   
    Adding a note related to a very out of date program. Java 8 Update 281 is an old release from Oracle & poses a potential security risk exposure. Please take time to uninstall it.
    Your Windows system really does not need it. But if you do have some added application that really truly needs Java, then in that case, you can get the very latest release. See this how-to link https://securitygarden.blogspot.com/2021/07/oracle-java-se-security-update-released.html
    Oracle releases security updates on a quarterly basis. Out of date Java is one potential vector for bad actors to facilitate a malware infection getting in.
    Take care of this at your next opportunity.
    .
    As to the main issue at hand.  Note that Microsoft Defender antivirus flagged C:\Users\kadew\AppData\Local\Discord\app-1.0.9002\ErrorReport.exe   several times on the 21st.
    Category: Potentially Unwanted Software
    Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
    For more information please see the following:
    https://go.microsoft.com/fwlink/?linkid=37020&name=PUA:Win32/CoinMiner&threatid=227033&enterprise=0
    Name: PUA:Win32/CoinMiner
    .
    ANOTHER file is flagged by MS Defender as a severe threat.   Look for this file   C:\Users\kadew\Downloads\Kiwi V2 - Linkvertise Downloader_v-J6r31.exe
    If still around, then Delete it. 
    Severity: Severe
    Category: Trojan
    Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
    For more information please see the following:
    https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Spursint.F!cl&threatid=2147717281&enterprise=0
    Name: Trojan:Win32/Spursint.F!cl
     
  3. Maurice Naggar's post in May be infected? was marked as the answer   
    Your system is good to go.
    The Malwarebytes scan was good.  I had you run Adwcleaner + 3 separate virus scans, plus a custom script fix.  You have installed the Malwarebytes Browser guards.
    We can proceed with cleanup of tools we used.
    To remove the FRST64 tool & its work files, do this. Go to your Downloads folder. Do a RIGHT-click on FRST64.exe & select RENAME & then change it to UNINSTALL.exe.
    Then run that (double click on it) to begin the cleanup process.
    You may delete msert.exe
    Delete esetonlinescanner.exe
    Any other download file I had you download, you may delete. I wish you all the best. Stay safe.
    Sincerely.
    Maurice
  4. Maurice Naggar's post in Everytime i open any browser malwarebytes comes with trojan was marked as the answer   
    Hello Dmitry.   😀  Nice to meet you.   Thanks for the report file.
    Here below is a custom run intended to do some cleanups.  Please take time to read carefully & apply all directions below.
    If you have a question, stop and ask me first.
    [    1    ]
    As a next basic step, Please  set File Explorer to SHOW ALL folders, all files, including Hidden ones.  Use OPTION ONE or TWO of this article
    https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html
    [    2    ]
    Your Downloads folder is C:\Users\olegr\Downloads
    We will use FRSTENGLISH.exe   to run a custom script.    The system will be rebooted after the script has run.
    This custom script is for  human2402  only / for this machine only.
     
    This custom script has some specific things, plus some general aspect to help the system overall.
    NOTE-1:  This script will  run a scan using System File Checker to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files.  It will rebuild the Winsock.  It will run the Windows DISM tool to check the system. 
    NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. 
    The following directories are emptied:
    Windows Temp
    Users Temp folders
    Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
    Recently opened files cache
    Flash Player cache
    Java cache
    Steam HTML cache
    Explorer thumbnail and icon cache
    Recycle Bin
    Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.
    NOTE 3:  Each of Chrome browser, Edge browser, & Firefox browser is set to restore the previous session. In a situation like this, of repeating block events, it is not a good practice. The auto-restore will be turned off.
    Please be sure to close any open work files, documents, any apps you started yourself before starting this.
    If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached, please disconnect any of those.
    Please save the (attached file named) FIXLIST.txt to the Downloads folder.
    Fixlist.txt

    Then, start the Windows Explorer and then go to the Downloads folder.

    RIGHT click on FRSTENGLISH.exe and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow it to run the tool.
    If the tool warns you the version is outdated, please download and run the updated version.
    IF Windows prompts you about running this, select YES to allow it to proceed.
    IF you get a block message from Windows about this tool, click the line "More info" on that screen and click the button "Run anyway" on the next screen.
    On the FRST window: Click the Fix button just once, and wait.

     
    PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. 
    If you receive a message that a reboot is required, please make sure you allow it to restart normally.
    The tool will complete its run after restart.
    When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.
    Please attach the FIXLOG.txt with your next reply later, at your next opportunity   
  5. Maurice Naggar's post in Attention Maurice was marked as the answer   
    Thanks for the log-report.  Let us give the following one try.
    1    Start an Elevated Powershell command prompt window. On the Windows taskbar, in the Search box, type in
    powershell
    Wait and look for the results list. Click on the line that shows Powershell with "Run as Administrator".

    2    Then you will see the Powershell window. Into that, we want to Copy & Paste this entire line AS-IS
    Restart-Service -Name "cbdhsvc*" -force
    then tap the Enter-key and wait and watch the result.

    3    When it has displayed a blue screen with information on the result, when done, then use the mouse pointer and do a RIGHT-Click on the top title bar of the Powershell window.
    .
    4    Select "Select all"
    Next then
    .
    5    Select COPY
    Next, on this forum topic, in a new Reply, Right click the white reply box
    .
    6    And select PASTE into the Reply box-window here.   Close the Powershell window.
    Providing the above ran properly, the clipboard history should be clear.
  6. Maurice Naggar's post in mpengine.dll was marked as the answer   
    Thanks for the results from the Microsoft Safety Scanner.  It found NO infection / no virus!  It is a clean good result.   The intermediate displays on-screen must be ignored.  They are not actual problems.  The intermediate displays of the Safety Scanner during the scan can be misleading.  All that counts is the bottom line result.   (Other people have seen similar & also got a mis-impression.)
    By the way, about what you "saw" on intermediate displays of the Microsoft Safety Scanner (your remarks above), I would like you to review the remarks by AndyDavid about all that on this Microsoft community venue https://docs.microsoft.com/en-us/answers/questions/326108/mar-1721-msert-detects-items-during-scan-but-at-en.html
    .
    You reported
    It is very re-assuring that Malwarebytes for Windows reports no malware infection.  That is another confirmation that this machine is not infected.
    It is unfortunate (but not fatal) that this pc could not accomplish the manual definitions (signatures) update for Microsoft Defender.  BUT it is critical to keep in mind that this pc has AVAST Antivirus. That being the case, Microsoft Defender is supposed to be turned off and not active.  Avast is the antivirus.
    I assume you are sticking with Avast.
    I do not see an infection here.  My view is that we can plan to wrap up this case.
  7. Maurice Naggar's post in Adware.Agent.SFP.Generic / SOUNDFLOWPICKER.EXE was marked as the answer   
    Thank you for the report.
    I have read the report.  It looks as if the run went over 60 minutes in run time and so was then ended because it exceeded the time limit.
    We need to run the remaining parts of the task.   This run will be started in the same way.  Except for the new script, attached below.
    First delete the old file named Fixlist.txt  on the DESKTOP 
     
    We will use FRST64.exe on the Desktop folder to run a custom script. The system will be rebooted after the script has run.
    This custom script is for TatianaBio21 only / for this machine only.
    Please be sure to close any open work files, documents, any apps you started yourself before starting this.
    If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached, please disconnect any of those.
    Please save the (attached file named) FIXLIST.txt to the user Desktop folder.
    Fixlist.txt

    Start the Windows Explorer and then go to the Desktop folder.

    RIGHT click on FRST64.exe and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow it to run the tool.
    If the tool warns you the version is outdated, please download and run the updated version.
    IF Windows prompts you about running this, select YES to allow it to proceed.
    IF you get a block message from Windows about this tool, click the line "More info" on that screen and click the button "Run anyway" on the next screen.
    On the FRST window: Click the Fix button just once, and wait.

     
    PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. 
    If you receive a message that a reboot is required, please make sure you allow it to restart normally.
    The tool will complete its run after restart.
    When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.
    Please attach the FIXLOG.txt with your next reply later, at your next opportunity   

    We will do more after this.  Persistence & patience are called for here.
    Stick with me because there will be more for later.
  8. Maurice Naggar's post in HGDC84 Muzapp.exe +Malware.Exploit.Agent.Generic was marked as the answer   
    That is good.  Thank you.
    Now do a new scan with Malwarebytes for Windows.   Advise me of the result.
    Locate the Scan run report;  export out a copy;  & then attach in with your  reply.
    See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4
  9. Maurice Naggar's post in Muzapp.exe downloaded as by magic and detected by Malwarebytes was marked as the answer   
    We will need to run (later on) an on-demand report.  The report set that was uploaded did not have the complete expected set.
    The first step I suggest to be done is an Update run for Malwarebytes for Windows.
    Start Malwarebytes for Windows.
    Click Settings. In the General tab, click on the "Check for Updates" button. Watch & follow all prompts.
    Then click the Security tab.  Scroll down and let's be sure the line in SCAN OPTIONS for
    "Scan for rootkits" is ON 👈   Click it to get it ON if it does not show a blue color.

    Next, click the small x on the Settings line to go to the main Malwarebytes Window.   Next click the blue button marked Scan.

    When the scan phase is done, be real sure you Review and have all detected line items check-marked on each line on the left. That too is very critical.
    >>>>>>      👉      You can actually click the topmost left check-box on the very top line to get ALL lines ticked (all selected).         <<<<     💢

    Please double verify you have that TOP check-box tick marked, and that then, all lines have a tick-mark.

    Then click on the Quarantine button.

    Then, locate the Scan run report; export out a copy; & then attach it with your reply.
    See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4
  10. Maurice Naggar's post in failed Malwarebytes install solved + Trickbot Gootkit was marked as the answer   
    I did get the file.  You did OK.  Now, we have to do one more run just like the last one.  Please take your time and do NOT rush.  Go careful.
    We have to do a new Fix run.  First you need to delete the old file I had you save named Fixlist.txt
    Delete the old one named FIXLIST.txt.    I have a new one below.
    .
    Save the (attached file named) FIXLIST.txt to the user's Downloads folder
    Fixlist.txt

    Start the Windows Explorer and then go to the Downloads folder.

    Right-click on FRSTENGLISH.exe and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow it to run the tool. If the tool warns you that the version is outdated, download and run the updated version.
    IF Windows prompts you about running this, select YES to proceed.
    IF you get a block message from Windows about this tool, click the line "More info" on that screen and click the button "Run anyway" on the next screen.
    In the FRSTENGLISH window:
    Click the Fix button just once, and wait.

    Attach the FIXLOG.txt with your next reply later, at your next opportunity
    We still need to do more.
  11. Maurice Naggar's post in Trojan on chrome.exe always come back was marked as the answer   
    Hello @TheChris76
    This topic is only for you.   Any advice or suggestions or custom fixes are not intended for anyone else.
    My name is Maurice. I will be helping and guiding you, going forward on this case.
    Let me know what first name you prefer to go by.
    Please follow my directions as we go along.  Please do not do any changes on your own without first checking with me.
    There are 2 suspicious shortcut links for Chrome.  One is on the Desktop.  The other is under c:\users\<user>\appdata
    Also, the Search preference for Chrome seems to be live (dot)  kuaishou (dot) com
    They will be removed because they have unprintable / unrecognized characters in their names + in addition, they refer to chrome-proxy/
     
    You will be able to start Chrome from the Windows menu.
    It is not the case that this machine has an infection.  It is just one specific site that is being stopped.
    .
    Set the Windows 10 to show all hidden folders.   Use the Option Two as in this article at Tenforums
    https://www.tenforums.com/tutorials/9168-show-hidden-files-folders-drives-windows-10-a.html
    .
    It seems to me that you have saved the tool named FRST64   on the folder  on drive J        J:\04 logiciels\adwcleaner 07-08-2020
    That is important information to remember.
     
    The system will be rebooted after the script has run.
    .
    This custom script is for  TheChris76  only / for this    machine only.
     
    Close and save any open work files before starting this procedure.    This will do a Windows Restart.
    I am sending a custom Fix script which is going to be used by the FRST64 tool. They will both work together as a pair.
    Please RIGHT-click the (attached file named) FIXLIST and select SAVE link AS and save it directly (as is) to the J:\04 logiciels\adwcleaner 07-08-2020 folder
    The tool named FRST64.exe is already in that folder.
    Start the Windows Explorer and then go to that folder.

    RIGHT click on FRST64 and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow it to run the tool.
    If the tool warns you the version is outdated, please download and run the updated version.
    IF Windows prompts you about running this, select YES to allow it to proceed.
    IF you get a block message from Windows about this tool, click the line "More info" on that screen and click the button "Run anyway" on the next screen.
    On the FRST window:
    Click the Fix button just once, and wait.

    PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
    If you receive a message that a reboot is required, please make sure you allow it to restart normally.
    The tool will complete its run after restart.
    When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run.
    Please attach the FIXLOG.txt with your next reply later, at your next opportunity

    Please know this will do a Windows Restart.   Just let it do its thing.  
     
     
    Fixlist.txt
  12. Maurice Naggar's post in I cant get rid of csrss was marked as the answer   
    Thanks. Very worthwhile run.  It found several potentially unwanted applications (PUA) including a few coinminers.
    Earlier, I believe you mentioned an attempt to install Malwarebytes for Windows ran into some hitch.   Let's try to do a new install of Malwarebytes for Windows.   After that is done, then do a scan.
    [    A   ]
    I'd suggest you save the download to the Desktop for ease of access.   Otherwise, save the file to Downloads folder.
    1. Download the offline installer from : https://downloads.malwarebytes.com/file/mb4_offline
    2. Now, go to the folder location where saved.     Right-click on the exe and select Run as Administrator and allow it to go forward.
    [    B    ]
    In the Malwarebytes for Windows program, we want to do a special scan.
    Click Settings (gear icon) at the top right of the Malwarebytes window. We want to see the SETTINGS window.  Then click the Security tab.  Scroll down and let's be sure the line in SCAN OPTIONS for
    "Scan for rootkits" is ON 👈   Click it to get it ON if it does not show a blue color. Next, click the small x on the Settings line to go to the main Malwarebytes Window.   Next click the blue button marked Scan.

    When the scan phase is done, be real sure you Review and have all detected line items check-marked on each line on the left. That too is very critical.
    >>>>>>      👉      You can actually click the topmost left check-box on the very top line to get ALL lines ticked (all selected).         <<<<     💢

    Please double verify you have that TOP check-box tick marked, and that then, all lines have a tick-mark.

    Then click on the Quarantine button.

    Then, locate the Scan run report; export out a copy; & then attach it with your reply.
    See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4
     
  13. Maurice Naggar's post in Re-install Malwarebytes for Windows was marked as the answer   
    Because this pc does have installed "BITDEFENDER" & because BitDefender does not like to have competitive security programs installed, we need to temporarily turn Off the BitDefender.
    For a temporary BitDefender shutdown, you'll first need to open BitDefender by double-clicking on the icon. Then follow the below steps.
    Open the Protection window.
    Choose Settings under Antivirus.
    Choose the Shield tab, then click on the switch next to BitDefender Shield to turn it off.
    When prompted, choose " Until System Restart "  then OK. This will disable BitDefender until the next time Windows is restarted.
    [    2    ]
    Now we can proceed to do a new install of Malwarebytes for Windows version 4.4.5.x   ( the current release version).
    I'd suggest you save the download to the Desktop for ease of access.   Otherwise, save the file to Downloads folder.
    1. Download the offline installer from : https://downloads.malwarebytes.com/file/mb4_offline
    2. Now, go to the folder location where saved.     Right-click on the exe and select Run as Administrator and allow it to go forward.
    3. After the Malwarebytes for Windows is done with the setup.
    Start Malwarebytes. Click the Settings (gear) icon. Next, let's make real sure that Malwarebytes does NOT register with Windows Security Center.
    Click the Security Tab. Scroll down to
    "Windows Security Center"
    Click the selection to the left for the line "Always register Malwarebytes in the Windows Security Center", all the way to the Left for the Off setting.
    You may then click the small x on the mini-window in the foreground.
    This returns you to the main window of Malwarebytes.
    At that point, you can click the Scan now button to begin a Scan.
    Then, locate the Scan run report;  export out a copy;  & then attach in with your  reply.
    See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4
    Close Malwarebytes when done.
    By the way, the main page at Malwarebytes Support site for Malwarebytes for Windows is  https://support.malwarebytes.com/hc/en-us/categories/360002458014-Malwarebytes-for-Windows
  14. Maurice Naggar's post in SpyProtector was marked as the answer   
    Hi Mike.
    Please do not be using other apps or web browsers during these next steps. Only use web browser for purpose to get to this forum.
    [    1    ]
    As a next basic step, Please  set File Explorer to SHOW ALL folders, all files, including Hidden ones.  Use OPTION ONE or TWO of this article
    https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html
    [    2    ]
    We will use FRST64.exe  on Desktop folder to run a custom script.    The system will be rebooted after the script has run.
    This custom script is for  Mike  only / for this machine only.
     
    This custom script has some specific things, plus some general aspect to help the system overall.
    NOTE-1:  This script will run a scan using System File Checker to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files.  It will rebuild the Winsock.  It will run the Windows DISM tool to check the system.
    NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed.
    The following directories are emptied:
    Windows Temp
    Users Temp folders
    Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
    Recently opened files cache
    Flash Player cache
    Java cache
    Steam HTML cache
    Explorer thumbnail and icon cache
    Recycle Bin
    Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.
    Please be sure to close any open work files, documents, any apps you started yourself before starting this.

    If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached, please disconnect any of those.
    Please save the (attached file named) FIXLIST.txt to the user Downloads folder
    Fixlist.txt

    Start the Windows Explorer and then go to the Downloads folder.

    RIGHT click on FRST64.exe and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow it to run the tool.
    If the tool warns you the version is outdated, please download and run the updated version.
    IF Windows prompts you about running this, select YES to allow it to proceed.
    IF you get a block message from Windows about this tool, click the line "More info" on that screen and click the button "Run anyway" on the next screen.
    On the FRST window: Click the Fix button just once, and wait.

     
    PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. 
    If you receive a message that a reboot is required, please make sure you allow it to restart normally.
    The tool will complete its run after restart.
    When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.
    Please attach the FIXLOG.txt with your next reply later, at your next opportunity   

    Please know this will do a Windows Restart.   Just let it do its thing.    We will do more after this.  Persistence & patience are called for here.
    Cheers.
  15. Maurice Naggar's post in I have several allowed threats on windows defender wich i cannot remove. was marked as the answer   
    Hello.
    I do believe that this pc now does not have malware.
    Can't be sure how this pc's Microsoft Defender got these folder exclusions. But Trickbot & Gootkit malware use tricks to set exclusions for Microsoft Defender (see more info about Trickbot here https://www.malwarebytes.com/trickbot).
    You can read about Gootkit here (just ignore all ads on the page) https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
    My view is that the issue-at-hand was not done by an outside person or some 3rd party device. It likely was done by some drive-by visit to some site or more likely a download. It is also possible that a visited site simply was compromised & then when visited, started the infection chain.
    Another possibility could have been a mistaken click to "allow" in lieu of "quarantine or remove" when prompted by Microsoft Defender.
    Since Malwarebytes Premium has multiple real-time protections, including against trojans like Trickbot, I would recommend that you have the Premium license for Malwarebytes so that all pc's & devices are covered.
    As to making your system more secure, there is a bunch of suggestions at this post
    https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/?tab=comments#comment-1372004

    Securing each web browser (as appropriate) with Malwarebytes Browser Guard is recommended.
    Personal practices with the keyboard and the mouse (like slowing way down on clicking spots on a web page) are one huge area for safety.
    In other words, not to be super quick to "click" with finger on mouse.
    Not using "torrents" to get or share free stuff is another best practice.
    I need to make a repeat mention that this pc ought to only have one antivirus ON.  Either Avira, or else if settled on MS Defender, then Avira needs to be uninstalled.
    This pc case is only one of a handful that had issues with Defender, of all cases I ever dealt with, that was so so stubborn.  The anomalies here are still a mystery. It could perhaps be some access rights to a registry key, maybe. Throughout our series of custom scripts I have applied methods to cleanup that should have worked. We even attempted methods to clear history.
    I believe it would help to make use of a tool that we had not used before .... to do some special searches.
    We need to search for a few things with SystemLook: 
    Please download SystemLook (64-bit) by jpshortstuff and save it to your desktop 
    Right-click SystemLook_x64.exe and select Run as Administrator to start the tool. 
    If prompted by Windows  UAC, please allow it  to run.
    If you receive an "Open file - security warning"... asking "Do you want to run this file?", press the Run button.
    COPY & paste the entire text into the main text box of SystemLook:

    :regfind
    C:\Program Files (x86)\BtUXQOcJWkhU2
    C:\Program Files (x86)\EcMqiFgQU
    C:\Program Files (x86)\fwXJmBAXTzRbjJWsEfR
    C:\Program Files (x86)\hAZlnEiYytGiC
    2147735503
    2147735735
    :filefind
    BtUXQOcJWkhU2
    EcMqiFgQU
    fwXJmBAXTzRbjJWsEfR
    hAZlnEiYytGiC
    :folderfind
    C:\Program Files (x86)\BtUXQOcJWkhU2
    C:\Program Files (x86)\EcMqiFgQU
    C:\Program Files (x86)\fwXJmBAXTzRbjJWsEfR
    C:\Program Files (x86)\hAZlnEiYytGiC

    Click the Look button to start the scan
    When finished, a notepad window will open with the results of the scan.
    A file will be created (in the same folder where you saved SystemLook) with the results of the scan, named SystemLook.txt
    Please attach  this log in your next reply. 
  16. Maurice Naggar's post in Bitcoin.Trojan.Miner.DDS please help was marked as the answer   
    Hello @JagenN
    Here below is a custom run intended to quash the rogue bitminer.  Please take time to read carefully & apply all directions below.
    If you have a question, stop and ask me first.
    [    1    ]
    As a next basic step, Please  set File Explorer to SHOW ALL folders, all files, including Hidden ones.  Use OPTION ONE or TWO of this article
    https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html
    [    2    ]
    We will use FRST64.exe  on Desktop folder to run a custom script.    The system will be rebooted after the script has run.
    This custom script is for  JagenN  only / for this machine only.
     
    This custom script has some specific things, plus some general aspect to help the system overall.
    NOTE-1:  This script will  run a scan using System File Checker to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files.  It will rebuild the Winsock.  It will run the Windows DISM tool to check the system. 
    NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. 
    The following directories are emptied:
    Windows Temp
    Users Temp folders
    Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
    Recently opened files cache
    Flash Player cache
    Java cache
    Steam HTML cache
    Explorer thumbnail and icon cache
    Recycle Bin
    Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.
    Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.
     
    If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached,  please disconnect any of those.
    Please save the (attached file named) FIXLIST.txt   to the   user Desktop  folder   
    Fixlist.txt
     

    Start the Windows Explorer and then go to the Desktop folder.

    RIGHT click on FRST64.exe and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow it to run the tool.
    If the tool warns you the version is outdated, please download and run the updated version.
    IF Windows prompts you about running this, select YES to allow it to proceed.
    IF you get a block message from Windows about this tool, click the line More info on that screen
    and click the button Run anyway on the next screen.
    On the FRST window: Click the Fix button just once, and wait.

     
    PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
    If you receive a message that a reboot is required, please make sure you allow it to restart normally.
    The tool will complete its run after restart.
    When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.
    Please attach the FIXLOG.txt with your next reply later, at your next opportunity   

    Please know this will do a Windows Restart.   Just let it do its thing.    We will do more after this.  Persistence & patience are called for here.
    After this task has been run, Please do one new scan with Malwarebytes for Windows.  My expectation is that "Bitcoin.Trojan.Miner.DDS" will no longer be around.
    Cheers.
  17. Maurice Naggar's post in Disable Pop Up - Compromised Website was marked as the answer   
    Good morning.  Let me suggest that you insure to have the Malwarebytes for Windows version 4.4.4.126  with the component 1.0.1413
    That is a Beta made available last Friday and has a stronger protection against attempted exploitations of Remote Desktop feature.  Your pc will be more protected.
    I want to guide you to doing 2 update runs so that this pc has the latest version, and on the latest Beta version.
    Start Malwarebytes for Windows. Click on the Settings ( gear icon)
    Now click on the tab "General". 
    Then scroll up a bit and then click on the "Check for Updates" button.
     
    Watch & follow all prompts.
     
    That ought to do a check with the update server, and hopefully offer the newest component update.
    Click Settings. In the General tab, scroll down to the Beta updates toggle. Click the Beta updates toggle. In the pop-up window, click Enable Beta Application Updates. Scroll up a bit and then click on the "Check for Updates" button.   This is a second run to get that Beta.
    Watch & follow all prompts.   Hopefully this will get the program to Beta version 4.4.4.126  and component package 1.0.1404
    Keep me advised on that.   Close Malwarebytes when done.  This version has added protections.
    Let me know after this has been done.    Cheers.    
  18. Maurice Naggar's post in Help with Phorpiex. was marked as the answer   
    Thank you.  The result is perfect.  The Malwarebytes program has the latest program components.   Bravo !
    There is more cleanup work to be done here.  Please do not be using other apps or web browsers during these next procedures. Only use web browser for purpose to get to this forum.
    [    1    ]
    As a next basic step, Please  set File Explorer to SHOW ALL folders, all files, including Hidden ones.  Use OPTION ONE or TWO of this article
    https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html
    [    2    ]
    We will use FRSTEnglish.exe  on Downloads folder to run a custom script.    The system will be rebooted after the script has run.
    This custom script is for  WENENU  only / for this machine only.
    This custom script has some specific things, plus some general aspect to help the system overall.
    NOTE-1:  This script will  run a scan using System File Checker to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files.  It will rebuild the Winsock.  It will attempt to do a Quick scan with Microsoft Defender antivirus.
    NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.
    The following directories are emptied:
    Windows Temp
    Users Temp folders
    Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
    Recently opened files cache
    Flash Player cache
    Java cache
    Steam HTML cache
    Explorer thumbnail and icon cache
    Recycle Bin
    Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.
    Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.
     
    If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached,  please disconnect any of those.
    Please save the (attached file named) FIXLIST.txt   to the  C drive user Download  folder   
     
    Fixlist.txt

    Start the Windows Explorer and then go to the Download folder.

    RIGHT click on FRSTENGLISH.exe and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow it to run the tool.
    If the tool warns you the version is outdated, please download and run the updated version.
    IF Windows prompts you about running this, select YES to allow it to proceed.
    IF you get a block message from Windows about this tool,
    click the line More info on that screen
    and click the button Run anyway on the next screen.
    On the FRST window:
    Click the Fix button just once, and wait.

     
    PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
    If you receive a message that a reboot is required, please make sure you allow it to restart normally.
    The tool will complete its run after restart.
    When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.
    Please attach the FIXLOG.txt with your next reply later, at your next opportunity   

    Please know this will do a Windows Restart.   Just let it do its thing.    We will do more after this.  Persistence & patience are called for here.
    Cheers.
     
  20. Maurice Naggar's post in 4.4.4. scanner page is frozen was marked as the answer   
    There is a bit more to suggest.
    On the Security tab
    Under Scan options, click to the LEFT the line "Scan for rootkits"  so that it is off.  Otherwise with it on, it adds extra run time to each scan.
    Scrolling down to the line "Windows Security Center"
    Click to the LEFT "Always register Malwarebytes in the Windows Security Center" so that it is off.  You will still have real-time protections of the program.
    scroll down.  On the section "Brute Force Protection"  click that to ON.  That protection is a big plus for overall protection from outside exploits.
    Cheers.
  21. Maurice Naggar's post in Malwarebytes Native Message Service using up all RAM was marked as the answer   
    This is for Jimmie only !
    Hello @Jimmie
    My name is Maurice. Porthos has advised me you need specific assistance.  This here is to help you remove one BitDefender driver that is still on your system.
    Please do not be using other apps or web browsers during this next procedure. Only use web browser for purpose to get to this forum.
    [    1    ]
    As a next basic step, Please  set File Explorer to SHOW ALL folders, all files, including Hidden ones.  Use OPTION ONE or TWO of this article
    https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html
    [    2    ]
    We will use FRSTENGLISH.exe  on Downloads folder to run a custom script.    The system will be rebooted after the script has run.
    This custom script is for  JIMMIE  only / for this machine only.
     
    This custom script is intended to remove 1 BitDefender driver.
    NOTE-1:  This script will  run a scan using System File Checker to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. 
    Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.
     
    If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached,  please disconnect any of those.
    Please save the (attached file named) FIXLIST.txt   to the  C drive user Download  folder   
     

     
    Start the Windows Explorer and then go to the Downloads folder.

    RIGHT click on FRSTENGLISH.exe and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow it to run the tool.
    If the tool warns you the version is outdated, please download and run the updated version.
    IF Windows prompts you about running this, select YES to allow it to proceed.
    IF you get a block message from Windows about this tool, click the line More info on that screen
    and click the button Run anyway on the next screen.
    On the FRST window: Click the Fix button just once, and wait.

     
    You will see a green progress bar start. This run here should be fairly quick.
    If you receive a message that a reboot is required, please make sure you allow it to restart normally. The tool will complete its run after restart.
    When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.
    Please attach the FIXLOG.txt with your next reply later, at your next opportunity   
    After the system has restarted & Windows has settled back in, please advise as to the original issue.
    Cheers.
  22. Maurice Naggar's post in Another "system_init.bat" was marked as the answer   
    Hello Eduardo.   Thank you for the ESET online scanner report.
    NOTE:  The tool FRST64 is on the folder  D:\Descargas\Virus
    We will be using FRST64 to do a custom script run.
    There is more cleanup work to be done here.  Please do not be using other apps or web browsers during these next procedures. Only use web browser for purpose to get to this forum.
    [    1    ]
    As a next basic step, Please  set File Explorer to SHOW ALL folders, all files, including Hidden ones.  Use OPTION ONE or TWO of this article
    https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html
    [    2    ]
    We will use FRST64.exe  on  D:\Descargas\Virus    folder to run a custom script.    The system will be rebooted after the script has run.
    This custom script is for  Edu4rdo  only / for this machine only.
    This custom script has some specific things, plus some general aspect to help the system overall.
    One major goal is to remove  a file  system_init.txt   from the Desktop.
    NOTE-1:  This script will  run a scan using System File Checker to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files.  It will run the Windows DISM tool to check system.  It will rebuild the Winsock.  
    NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.
    Passwords that were saved already will not be affected.
    The following directories are emptied:
    Windows Temp
    Users Temp folders
    Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
    Recently opened files cache
    Flash Player cache
    Java cache
    Steam HTML cache
    Explorer thumbnail and icon cache
    Recycle Bin
    Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.
    Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.
     
    If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached,  please disconnect any of those.
    Please save the (attached file named) FIXLIST.txt   to the  D:\Descargas\Virus   folder   
    Fixlist.txt

    Start the Windows Explorer and then go to the  D:\Descargas\Virus     folder.

    RIGHT click on FRST64.exe and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow it to run the tool.
    If the tool warns you the version is outdated, please download and run the updated version.
    IF Windows prompts you about running this, select YES to allow it to proceed.
    IF you get a block message from Windows about this tool,
    click the line More info on that screen
    and click the button Run anyway on the next screen.
    On the FRST window:
    Click the Fix button just once, and wait.

     
    PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
    If you receive a message that a reboot is required, please make sure you allow it to restart normally.
    The tool will complete its run after restart.
    When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.
    Please attach the FIXLOG.txt with your next reply later, at your next opportunity   

    Please know this will do a Windows Restart.   Just let it do its thing.    We will do more after this.  Persistence & patience are called for here.
    Cheers.
  23. Maurice Naggar's post in Trojan crypt XPACK gen7 was marked as the answer   
    My apologies.  Lets go a bit slower.  Look for "Avira registry cleaner" on this page link  
    It's listed near the middle of the list on that page.
  24. Maurice Naggar's post in What is this and why when i search it up it says task manager was marked as the answer   
    Please do not be using other apps or web browsers during these next procedures. Only use web browser for purpose to get to this forum.
    [    1    ]
    As a next basic step, Please  make very very sure to  set File Explorer to SHOW ALL folders, all files, including Hidden ones.  Use OPTION ONE or TWO of this article
    https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html
    [    2    ]
    We will use FRSTEnglish.exe  on Downloads folder to run a custom script.    The system will be rebooted after the script has run.
    This custom script is for  Materlife  only / for this machine only.
    This custom script has some specific things, plus some general aspect to help the system overall.
    NOTE-1:  This script will  run a scan using System File Checker to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files.  It will rebuild the Winsock.  It will attempt to remove tasksysmaq.exe + C:\taskamaqmrkgew + C:\WINDOWS\TEMP\.NET\TASKSYSMAQ
    NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.
    The following directories are emptied:
    Windows Temp
    Users Temp folders
    Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
    Recently opened files cache
    Flash Player cache
    Java cache
    Steam HTML cache
    Explorer thumbnail and icon cache
    Recycle Bin
    Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.
    Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.
     
    If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached,  please disconnect any of those.
    Please save the (attached file named) FIXLIST.txt   to the  C drive user Download  folder   
    Fixlist.txt

    Start the Windows Explorer and then go to the Download folder.

    RIGHT click on FRSTENGLISH.exe and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow it to run the tool.
    If the tool warns you the version is outdated, please download and run the updated version.
    IF Windows prompts you about running this, select YES to allow it to proceed.
    IF you get a block message from Windows about this tool,
    click the line More info on that screen
    and click the button Run anyway on the next screen.
    On the FRST window:
    Click the Fix button just once, and wait.

     
    PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
    If you receive a message that a reboot is required, please make sure you allow it to restart normally.
    The tool will complete its run after restart.
    When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.
    Please attach the FIXLOG.txt with your next reply later, at your next opportunity   

    Please know this will do a Windows Restart.   Just let it do its thing.    We will do more after this.  Persistence & patience are called for here.
  25. Maurice Naggar's post in Trojan SmokeLoader was marked as the answer   
    Those are contents on this machine's Windows HOSTS file.  Cannot tell how the entries got there, except to guess that in one way or another it would involve a visit to a website and accepting a download.
    In any event,  the custom script below will reset the HOSTS file to the normal one.
    Please first Delete the old file named Fixlist.txt  on the Desktop.
    Next download the attached fixlist.txt file and save it to the Desktop.
    Fixlist.txt

    NOTE. It's important that both files,  FRST64, and fixlist.txt are in the same location or the fix will not work.
    NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.
    Run  FRST64 and press the Fix button just once and wait.
    If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
    The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.
    Note: If the tool warned you about an outdated version please download and run the updated version.
    NOTE-1:  This custom script will set the HOSTS file to a normal one.  The standard one from Microsoft Windows.
     
    The system will be rebooted after the fix has run.    Please attach the Fixlog.txt.   Let me know if you need other help.
    Cheers.
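The post above resets a HOSTS file that had unexplained entries added. The script below is an added example (not Maurice's custom FRST script and not Malwarebytes or FRST code) that audits a HOSTS file and reports every active mapping that is not part of the stock Windows file, so a helper can see what was changed before and after a reset. Both hosts-file texts are constructed samples, the `.invalid` hostnames and the 198.51.100.7 address are placeholders, and the assumption that a stock Windows hosts file carries only comment lines is noted in the code.

```python
"""Audit a Windows HOSTS file for entries that are not part of the stock file.

Added example for the SmokeLoader post above; it is not the post's custom
FRST script and is not Malwarebytes or FRST code.  Both hosts-file texts
below are constructed samples (the stock one is abridged), and the .invalid
hostnames and 198.51.100.7 (a documentation address) are placeholders.
"""
import ipaddress

# Constructed: an abridged copy of the stock Windows hosts file.  Assumption:
# on current Windows versions every line is a comment, so it has no active mappings.
STOCK_WINDOWS_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
#\t::1             localhost
"""

# Constructed: the same file after three entries have been appended to it.
TAMPERED_HOSTS = STOCK_WINDOWS_HOSTS + """\
127.0.0.1 localhost
0.0.0.0 updates.example-av.invalid       # placeholder: a vendor update host sinkholed
198.51.100.7 www.example-bank.invalid    # placeholder: a site redirected elsewhere
"""

# The only hostname for which a loopback mapping is expected.
EXPECTED_LOOPBACK_NAMES = {"localhost"}


def parse_hosts(text):
    """Return (line_no, ip, hostnames) for every active line, comments stripped."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop full-line and trailing comments
        if not line:
            continue
        fields = line.split()
        entries.append((line_no, fields[0], fields[1:]))
    return entries


def classify_entry(ip, names):
    """Label one active entry: benign, blocked (sinkholed), redirect or malformed."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "malformed"
    if not names:
        return "malformed"
    if addr.is_loopback and all(n.lower() in EXPECTED_LOOPBACK_NAMES for n in names):
        return "benign"
    if addr.is_loopback or addr.is_unspecified:
        # A real domain pinned to 127.0.0.1 / ::1 / 0.0.0.0 can no longer be
        # reached; this is the pattern that cuts off updates and security sites.
        return "blocked"
    # Any other address silently sends the name somewhere the user did not choose.
    return "redirect"


def audit_hosts(text):
    """Return the entries that deviate from the stock file, with their verdicts."""
    findings = []
    for line_no, ip, names in parse_hosts(text):
        verdict = classify_entry(ip, names)
        if verdict != "benign":
            findings.append({"line": line_no, "ip": ip, "names": names, "verdict": verdict})
    return findings


if __name__ == "__main__":
    # On a live machine, read C:\Windows\System32\drivers\etc\hosts instead.
    for f in audit_hosts(TAMPERED_HOSTS):
        print(f"line {f['line']:>3}: {f['verdict']:<9} {f['ip']:<14} {' '.join(f['names'])}")
```

Against the constructed tampered file the audit reports the sinkholed update host and the redirected site and stays silent on the stock file and the plain localhost line.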