Jump to content

Recommended Posts

For the last 5-6 months, I randomly get a powershell pop up that quickly goes away, but it forces me to minimize whatever I'm doing, which is usually playing games. I was using Webroot as an Anti-virus, and it never picked anything up. 

I just recently switched to AVG, and since then, it keeps stopping something called //gettmysoftware.info/files/59/projecte.dat which is trying to run something through powershell, and I suspect that this was the culprit, however, i can't find anything I've got installed that has anything close to that name.

I run MalwareBytes, Spybot S&D, as well as AVG in tandem to prevent a lot of errors/issues, but neither of them can detect this bit of Malware that somehow gets missed in a Deep Scan pre-windows boot.

Any chance I could get some help on getting it removed?

Link to post
Share on other sites

After doing some research online, apparently its a pretty prevalent Malware/Virus, as I've seen timelive.info/59/projecte.dat as an alternative name for the alert popup. I've also linked it to an IP in Netherlands.

URL getmysoftware.info/files/59/projecte.dat screenshot.php?id=1493901563336
IP 81.171.14.67
ASN Unknown
Location nl.png Netherlands
Report completed 2017-05-04 15:15:54 CET
Status Report complete.
urlQuery Alerts No alerts detected
Link to post
Share on other sites

Hello strouda56 and welcome to Malwarebytes,

My screen name is kevinf80, i`m here to help clean up your system. Make sure to run all scans from accounts with Administrator status, continue as follows please:

Anyone other than the original starter of this thread please DO NOT follow the instructions and advice posted as replies here, my help and advice is NOT related to your system and will probably cause more harm than good...

Change the download folder setting in the Default Browser only. so all of the tools we may use are saved to the Desktop:

user posted imageGoogle Chrome - Click the "Customize and control Google Chrome" button in the upper right-corner of the browser. user posted image
Choose Settings. at the bottom of the screen click the
"Show advanced settings..." link. Scroll down to find the Downloads section and click the Change... button. Select your desktop and click OK.

user posted imageMozilla Firefox - Click the "Open Menu" button in the upper right-corner of the browser. user posted image Choose Options. In the downloads section, click the Browse button, click on the Desktop folder and the click the "Select Folder" button. Click OK to get out of the Options menu.

user posted imageInternet Explorer - Click the Tools menu in the upper right-corner of the browser. user posted image Select View downloads. Select the Options link in the lower left of the window. Click Browse and select the Desktop and then choose the Select Folder button. Click OK to get out of the download options screen and then click Close to get out of the View Downloads screen.
NOTE: IE8 Does not support changing download locations in this manner. You will need to download the tool(s) to the default folder, usually Downloads, then copy them to the desktop.

user posted imageChange default download folder location in Edge -Boot to a user account with admin status, select start > file explorer > right click on "Downloads" folder and select "Properties"

In the new window select "Location" tab > clear the text field box and type in or copy/paste %userprofile%\Desktop > select "Apply" then "OK"

Be aware you are not changing the Browser download folder location, you are changing the user’s download directory location.....

Next,

Follow the instructions in the following link to show hidden files:

http://www.howtogeek.com/howto/windows-vista/show-hidden-files-and-folders-in-windows-vista/

Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status...
 
  • Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach that log to your reply.


Let me see those logs...

Thank you,

Kevin..
Link to post
Share on other sites

Thanks for those logs strouda56, continue with the following:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

Next,

Clean install Malwarebytes from version 2 to version 3...

Download the latest version of Malwarebytes cleanup tool from here: https://downloads.malwarebytes.com/file/mb_clean and save to your Desktop..

If applicable, backup your Malwarebytes license key information and deactivate the product.

Close all open applications and deactivate Malwarebytes <---- Very important, do not miss that step

To deactivate Malwarebytes:

Right click on tray icon, from the opened list select "Quit Malwarebytes" an UAC alert will open, select "Yes" to deactivate Malwarebytes...
 
  • Double-click mb-clean.exe to run it
  • A prompt to confirm the cleanup will appear, select Yes or No
  • Yes - will proceed with the cleanup process <---- Select this option to start the tool
  • No - will exit the utility
  • The Utility will launch a Command Prompt window which will disappear once the the cleanup process completes.
  • Once completed, a log file ("mb-cleanresult.txt") will be on your desktop and you'll be prompted to reboot
  • We recommend an immediate reboot <--- Do Not miss out this step
  • Suppressing the reboot may result in an incomplete cleanup
  • Upon reboot Malwarebytes will be totally removed from your system


If you have lost the activation licence key information it can be located here: http://www.cleverbridge.com/342/?scope=cusecolp

Download Malwarebytes version 3 from the following link:

https://www.malwarebytes.com/mwb-download/thankyou/

Double click on the installer and follow the prompts. If necessary select the Blue Help tab for video instructions....

When the install completes and is updated do the following:

Open Malwarebytes, select > "settings" > "protection tab"

Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on....

Go back to "DashBoard" select the Blue "Scan Now" tab......

When the scan completes deal with any found entries... Then select "Export Summary" then "Text File (*.txt)" name that log and save , you can copy or attach that to your reply...

If you have lost the activation licence key information it can be located here: http://www.cleverbridge.com/342/?scope=cusecolp

Next,

Download AdwCleaner by Xplode onto your Desktop.

Or from this Mirror
 
  • Double click on Adwcleaner.exe to run the tool
  • Click on the Scan in the Actions box
  • Please wait fot the scan to finish..
  • When "Waiting for action.Please uncheck elements you want to keep" shows in top line..
  • Click on the Cleaning box.
  • Next click OK on the "Closing Programs" pop up box.
  • Click OK on the Information box & again OK to allow the necessary reboot
  • After restart the AdwCleaner(C*)-Notepad log will appear, please copy/paste it in your next reply. Where * is the number relative to list of scans completed...


Next,

user posted imageEmsisoft Emergency Kit
  • Click Here to download Emsisoft Emergency Kit. The download will automatically start after a moment.
  • Save EmsisoftEmergencyKit.exe to your Desktop.
  • Double click on EmsisoftEmergencyKit.exe (Windows Vista/7/8/10 users: Accept UAC warning if it is enabled). A screen like this will appear:
    user posted image
     
  • Leave everything as it is, then click Extract. This will unpack Emsisoft Emergency Kit to the EEK folder located in the root drive (usually C:\).
  • Once the extraction is done, an icon will appear on your Desktop. Double click it to start Emsisoft Emergency Kit.
    user posted image
     
  • Wait for Emsisoft Emergency Kit to finish loading signatures. A screen like this should appear:
    user posted image
     
  • Choose Yes, then wait for EEK to finish updating.
  • Choose Malware Scan under the Scan button. When EEK asks to activate PUP detection, choose Yes.
  • Wait for the scan to finish.
    user posted image
     
  • If EEK detects something, all detected items will be displayed. Place a checkmark before everything, then choose Quarantine Selected.
  • If Emsisoft Emergency Kit asks to reboot, please do so immediately.
  • The scan log is located in Logs -> Scan Logs. Click on the entry of the latest scan, choose Export and save the report on your Desktop.
    user posted image
     
  • Please Copy and Paste the contents of the scan log in your next reply.


Post those logs to your reply, also tell me if there are any remaining issues or concerns....

Thank you,

Kevin..

 

fixlist.txt

Link to post
Share on other sites

Fromt he EEK Log:

 

Emsisoft Emergency Kit - Version 2017.4
Scan log

Date    Scan Method    Objects Scanned    Objects Detected    Duration    Type    Computer Name    
5/12/2017 11:18:51 PM    Malware    85682    3    0:00:27    Manual scan    H0LL0W1    
 

Link to post
Share on other sites

I don't know what happened, i decided to try and going through the steps again, starting at the top, and had no issues this time. I did however, find a bit of malware attached to a txt file, see logs below: 

Emsisoft Emergency Kit - Version 2017.4
Last update: 5/12/2017 11:18:35 PM
User account: H0LL0W1\strouda56
Computer name: H0LL0W1
OS version: Windows 10x64 

Scan settings:

Scan type: Malware Scan
Objects: Rootkits, Memory, Traces, Files

Detect PUPs: On
Scan archives: Off
ADS Scan: On
File extension filter: Off
Direct disk access: Off

Scan start:    5/12/2017 11:18:51 PM
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\11598763487076930564     detected: Application.AppInstall (A) [221106]
Key: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{95B7759C-8C7F-4BF1-B163-73684A933233}     detected: Application.BHO (A) [274104]
C:\Users\strouda56\Downloads\58c47e36c4eeb_RKReport.txt     detected: Generic.PoweCod.A.D2DCA929 (B) [krnl.xmd]

Scanned    85682
Found    3

Scan end:    5/12/2017 11:19:18 PM
Scan time:    0:00:27

C:\Users\strouda56\Downloads\58c47e36c4eeb_RKReport.txt     Generic.PoweCod.A.D2DCA929 (B)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{95B7759C-8C7F-4BF1-B163-73684A933233}     Application.BHO (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\11598763487076930564     Application.AppInstall (A)

Quarantined    3
 

Link to post
Share on other sites

Thanks for the update, run a scan with Malwarebytes...

Open Malwarebytes, select > "settings" > "protection tab"

Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on....

Go back to "DashBoard" select the Blue "Scan Now" tab......

When the scan completes deal with any found entries... Then select "Export Summary" then "Text File (*.txt)" name that log and save , you can copy or attach that to your reply...

 

Link to post
Share on other sites

  • 2 weeks later...

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.