Hi, I don't know if this is the right place to ask about my problem/concern, but if it is not, feel free to move it to the right section (and sorry for the mistake).

So, a few days ago I found on my PC an old piece of software unused by me for at least 3 years (between the last usage and now I upgraded Win 7 to Win 10; I don't know if this can help or can be a problem in the diagnosis). Just out of curiosity and to be sure, I used the VirusTotal scanner on the .exe file of that software and the results revealed for 3 of 67 analysis scanners that there was a Riskware (0040eff71).

My reaction to this was to download AdwCleaner (because it helped me in other circumstances in the past) to scan my PC. I don't have the log files anymore because I uninstalled AdwCleaner (I regret this decision), but I remember the entries. AdwCleaner only found 2 suspicious results in the Registry field (*the only thing I don't remember is if the HKEY was HKLM or HKCU):

PUP.Optional.Legacy key registry HK*/Software/Classes/Interface {ID}

PUP.Optional.Multiplug key registry HK*/Software/Classes/TypeLib {ID}

At this point I cleaned up with AdwCleaner, but the PUP.Optional.Legacy came back once. I cleaned again and this one also disappeared.

After this I uninstalled AdwCleaner and installed Malwarebytes 3 to make sure nothing else remained. I ran the scan and nothing was found, so I supposed the PC was correctly cleaned, but in the runtime protection of the premium trial I was reported several venturead.com block site events during my daily browsing. I scanned again with Malwarebytes 3 and I also installed and ran Zemana, but nothing was reported as malicious. Looking for advice on the internet, I reset the browser and the venturead.com events disappeared.

The goal of this topic is mainly to understand the type of infection that I faced and if I should be worried about my account credentials used during this long time that supposedly I was exposed. So, my questions are:

1) What kind of threats were these of mine? (I would like to understand more about every piece of evidence I described, just to learn more about this. I searched on the internet but nothing was exactly my case.)

2) Should I be worried about my credentials? (I usually change passwords every 5 or 6 months, last time 2 weeks ago, and always sign in in anonymous browser windows, but I understand that if these threats were severe, like a keylogger, these habits of mine are meaningless.)

3) I sometimes connect my external HDD to make a backup of my personal data (mainly photos, videos and docs). I had done this several times before this episode, so my last question is: should I be worried about my external HDD or the data stored on it? (I don't know if this helps, but I never executed anything on that device and I did a scan with Malwarebytes 3 after I finished my fight against the venturead.com thing.)

I'm sorry for this wall of text and for my English (not so good, I know) and I hope you can give me good news about my concern.

PS: I forgot to say that the only real symptoms (during the infection period) I perceived were failed attempts (blocked by the browser and the adblock extension) by the browser to open popups/browser tabs and, I suppose, too many ads on certain websites (too many considering that I had adblock). I don't know if I had some performance issues, because this PC is 9 years old, so it is actually normal behavior for me to see lag spikes in videogames or difficulty in some tasks.

Edited by binboy

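The two AdwCleaner entries above live under Software\Classes\TypeLib and Software\Classes\Interface, the COM registration keys that adware toolbars and browser plug-ins commonly leave behind. The following PowerShell is an added example, not part of this thread or of any Malwarebytes tool: a read-only audit that lists TypeLib versions whose binary is missing from disk and Interface entries that reference a TypeLib GUID registered in neither hive. Resolve-TypeLibPath is a helper name chosen for this example, and the script assumes 64-bit Windows PowerShell run as Administrator so both hives are readable.

```powershell
# Added example (not from the thread): read-only audit of leftover COM
# registrations under Software\Classes\TypeLib and Software\Classes\Interface.
$hives = 'HKLM', 'HKCU'
$findings = New-Object System.Collections.Generic.List[object]
$registeredLibs = @{}   # upper-cased TypeLib GUID -> $true

function Resolve-TypeLibPath {
    param([string]$Raw)
    # Values are paths like C:\path\file.dll, sometimes quoted, sometimes with
    # %VAR% references, sometimes with a resource-index suffix such as "\1".
    $p = [Environment]::ExpandEnvironmentVariables($Raw.Trim().Trim('"'))
    if ($p -match '^(.*\.(dll|tlb|ocx|exe))\\\d+$') { $p = $Matches[1] }
    # A bare file name (e.g. stdole2.tlb) refers to System32, not the CWD.
    if (-not [IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot "System32\$p" }
    return $p
}

# Pass 1: TypeLib registrations whose on-disk file no longer exists.
foreach ($hive in $hives) {
    $root = "${hive}:\SOFTWARE\Classes\TypeLib"
    foreach ($lib in Get-ChildItem $root -ErrorAction SilentlyContinue) {
        $registeredLibs[$lib.PSChildName.ToUpper()] = $true
        foreach ($ver in Get-ChildItem $lib.PSPath -ErrorAction SilentlyContinue) {
            foreach ($arch in 'win32', 'win64') {
                $key = "$($ver.PSPath)\0\$arch"
                if (-not (Test-Path $key)) { continue }
                $raw = (Get-ItemProperty $key -ErrorAction SilentlyContinue).'(default)'
                if ([string]::IsNullOrWhiteSpace($raw)) { continue }
                $path = Resolve-TypeLibPath $raw
                if (-not (Test-Path -LiteralPath $path)) {
                    $findings.Add([pscustomobject]@{
                        Hive = $hive; Kind = 'TypeLib'
                        Key  = "$($lib.PSChildName)\$($ver.PSChildName)\0\$arch"
                        Note = "file not found: $path" })
                }
            }
        }
    }
}

# Pass 2: Interface entries that point at a TypeLib GUID nobody registered.
foreach ($hive in $hives) {
    $root = "${hive}:\SOFTWARE\Classes\Interface"
    foreach ($iface in Get-ChildItem $root -ErrorAction SilentlyContinue) {
        $tl = "$($iface.PSPath)\TypeLib"
        if (-not (Test-Path $tl)) { continue }
        $guid = (Get-ItemProperty $tl -ErrorAction SilentlyContinue).'(default)'
        if ([string]::IsNullOrWhiteSpace($guid)) { continue }
        if (-not $registeredLibs.ContainsKey($guid.Trim().ToUpper())) {
            $findings.Add([pscustomobject]@{
                Hive = $hive; Kind = 'Interface'; Key = $iface.PSChildName
                Note = "references unregistered TypeLib $guid" })
        }
    }
}

$findings | Format-Table -AutoSize
```

Orphaned entries are not proof of infection (uninstallers leave them too), so treat the list as triage input for a tool like AdwCleaner rather than deleting keys by hand.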

Hello @binboy and welcome!

 

Please run the following steps and post back the logs as an attachment when ready.

STEP 01

  • If you're already running Malwarebytes 3 then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
  • If you don't have Malwarebytes 3 installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
  • Once the scan is completed click on the Export Summary button and save the file as a Text file to your desktop or other location you can find, and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know on your next reply.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Right-click on the program and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan.
  • When finished, please click Clean.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Copy its content into your next reply.

 

RESTART THE COMPUTER Before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure whether your computer is 32-bit or 64-bit.

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here.
  • Please attach the Addition.txt log to your reply as well.

 

Thanks

Ron

 


Step 03 (2)

I consulted Malwarebytes support, where I was told that the alert from Windows Defender is normal, but I still don't understand why the VirusTotal report indicates threats.

Here are the files needed from Step 03:

FRST.txt

Addition.txt

Edited by binboy


The FRST tool is created with the program AutoIT which then has the code obfuscated and the antivirus engines cannot read into what the code is actually doing so they flag it. The file is updated every day so it's never up long enough to get a known good history by the hash of the file. The next day the hash will be different. It is a very safe program to run for the scan portion.

Give me some time to read the logs and get back to you.

 


Please read the following article concerning the use of MSCONFIG:
Msconfig Is Not A Startup Manager


Please download the attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

 

fixlist.txt

Thanks

Ron

 

1 hour ago, AdvancedSetup said:

The FRST tool is created with the program AutoIT which then has the code obfuscated and the antivirus engines cannot read into what the code is actually doing so they flag it. The file is updated every day so it's never up long enough to get a known good history by the hash of the file. The next day the hash will be different. It is a very safe program to run for the scan portion.

OK, thanks for the clarification.

1 hour ago, AdvancedSetup said:

Please read the following article concerning the use of MSCONFIG
Msconfig Is Not A Startup Manager

OK, I will follow the tips.

1 hour ago, AdvancedSetup said:

The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

This is the fixlog.txt made by FRST. Just to let you know, after the end of the process the OS warned me with an error window that said that FRST has stopped working. I don't know if FRST has done all that it should, but the fixlog.txt was created in the right place as you said. I'm posting this one; let me know if I need to rerun the fix routine with FRST.

Fixlog.txt

 


No, it did not run properly. Please restart your computer. Temporarily disable Defender again. Then save the FIXLIST.TXT file again to the same location as FRST.

Right click over FRST and run it with Admin rights and see if it runs okay this time.

Ron

 


Looks good.

The accounts all look good too.

Administrator (S-1-5-21-3232465025-1172694305-901688475-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-3232465025-1172694305-901688475-503 - Limited - Disabled)
Guest (S-1-5-21-3232465025-1172694305-901688475-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-3232465025-1172694305-901688475-1002 - Limited - Enabled)
TWS (S-1-5-21-3232465025-1172694305-901688475-1001 - Administrator - Enabled) => C:\Users\TWS
WDAGUtilityAccount (S-1-5-21-3232465025-1172694305-901688475-504 - Limited - Disabled)

 

What issues, if any, do you believe you're still having?

 

31 minutes ago, AdvancedSetup said:

What issues, if any, do you believe you're still having?

Well, quoting myself from the first post of the topic:

On 7/2/2018 at 3:01 PM, binboy said:

1) What kind of threats were these of mine? (I would like to understand more about every piece of evidence I described, just to learn more about this. I searched on the internet but nothing was exactly my case.)

2) Should I be worried about my credentials? (I usually change passwords every 5 or 6 months, last time 2 weeks ago, and always sign in in anonymous browser windows, but I understand that if these threats were severe, like a keylogger, these habits of mine are meaningless.)

3) I sometimes connect my external HDD to make a backup of my personal data (mainly photos, videos and docs). I had done this several times before this episode, so my last question is: should I be worried about my external HDD or the data stored on it? (I don't know if this helps, but I never executed anything on that device and I did a scan with Malwarebytes 3 after I finished my fight against the venturead.com thing.)

- Question 1) is just curiosity, and actually knowing the answer to this one could indirectly resolve my concerns about questions 2) and 3).

- Questions 2) and 3) are mainly focused on understanding if I should be worried about my credentials (like e-mail, bank account or others) and about my files stored on my external drive. For credentials, if you tell me that it is needed (considering the threats that I had), I could change the passwords, but for my external drive I don't know how to properly confirm its safety.


I'm sorry, we don't run a training facility. If you wish to learn about all of this, it would be best to attend an online school.

The following are websites who host training facilities: United Network of Instructors and Trained Eliminators

 

The listed threats were not known to steal passwords. However, for peace of mind there is nothing wrong with changing passwords for mail, facebook, etc. It's good to change periodically as you've indicated.

Overall there was nothing all that dangerous that was removed at this time.

Please read the following for Backup Software information.

Thank you again

Ron

 

 

 


As Java seems to get exploited on a regular basis, I advise not using Java if possible, but at least disable Java in your web browsers:
How do I disable Java in my web browser? - Disable Java

A lot of reading here but if you take the time to read a bit of it you'll see why/how infections and general damage are so easily inflicted on the computer. There is also advice on how to prevent it and keep the system working well. Don't forget about good, solid backups of your data to an external drive that is not connected except when backing up your data. If you leave a backup drive connected and you do get infected it can easily damage, encrypt, delete, or corrupt your backups as well and then you'd lose all data.
Nothing is 100% bulletproof but with a little bit of education you can certainly swing things in your favor.


If you're not currently using Malwarebytes Premium then you may want to consider purchasing the product which can also help greatly reduce the risk of a future infection.

 

11 hours ago, AdvancedSetup said:

I'm sorry, we don't run a training facility. If you wish to learn about all of this, it would be best to attend an online school.

The following are websites who host training facilities: United Network of Instructors and Trained Eliminators

Oh, it's OK, thank you for your suggestion.

11 hours ago, AdvancedSetup said:

The listed threats were not known to steal passwords. However, for peace of mind there is nothing wrong with changing passwords for mail, facebook, etc. It's good to change periodically as you've indicated.

Overall there was nothing all that dangerous that was removed at this time.

Good to know; this was the most pressing concern about this situation. As you suggest, I will at least change some of the most critical passwords.

11 hours ago, AdvancedSetup said:

Please read the following for Backup Software information.

I will learn how to back up properly. Thanks again for showing me some solutions.

11 hours ago, AdvancedSetup said:

If you're not currently using Malwarebytes Premium then you may want to consider purchasing the product which can also help greatly reduce the risk of a future infection.

Yes, I have seen how it works and I will absolutely consider the premium version. Seems legit to me.

11 hours ago, AdvancedSetup said:

As Java seems to get exploited on a regular basis, I advise not using Java if possible, but at least disable Java in your web browsers:
How do I disable Java in my web browser? - Disable Java

A lot of reading here but if you take the time to read a bit of it you'll see why/how infections and general damage are so easily inflicted on the computer. There is also advice on how to prevent it and keep the system working well. Don't forget about good, solid backups of your data to an external drive that is not connected except when backing up your data. If you leave a backup drive connected and you do get infected it can easily damage, encrypt, delete, or corrupt your backups as well and then you'd lose all data.
Nothing is 100% bulletproof but with a little bit of education you can certainly swing things in your favor.

I will take this advice and I will try to learn more.

Just one last thing: I would like to start my new "computer life" as clean as possible, so how do I correctly inspect my external drive to make sure that it's all right? As I said before, during the "infection time" I sometimes connected my external drive to save photos, videos, and other generic data. Considering my past threats, did I have something that could have spread onto the external drive? (PS: This is the only computer I've ever connected to that device.)


I would not expect any issues from what was shown. You can scan the external hard drive with another antivirus product as well to verify nothing found.

 

Please download and run the following Kaspersky antivirus and see if you're able to scan that drive as well.

Kaspersky Virus Removal Tool

Cheers

Ron

 

1 hour ago, AdvancedSetup said:

I would not expect any issues from what was shown. You can scan the external hard drive with another antivirus product as well to verify nothing found.

 

Please download and run the following Kaspersky antivirus and see if you're able to scan that drive as well.

Kaspersky Virus Removal Tool

Cheers

Ron

 

I have scanned the external drive and nothing was found, so I suppose I'm OK. I know that sometimes I can be a little bit paranoid, but I'm really grateful for your patience and the competence you showed in assisting me. I apologize if at any moment I have been a little bit tedious, and thanks for everything and good luck with everything.


That's good to hear, @binboy.

No apology needed. We're here to help you as best we can.

Take care and stay safe out there. I'll go ahead and close your topic now.

Thank you again

Ron

 


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks
