Virus opens Electrum and removes Malwarebytes



Yesterday a part of my Chrome browser was black (upwards from the bookmarks). I thought it was Chrome, so I closed the program. A few seconds after starting Chrome again, it reappeared.

Then my PC opened the (empty) Electrum software (Bitcoin wallet), after which I shut down my PC. I can't find logs of any websites penetrated by the virus.
After booting today, my Malwarebytes program had been deleted. It was no problem to install it again.

 

Thanks in advance!

20180518 Malwarebytes thread scan.txt

FRST.txt

Addition.txt

20180518 Malwarebytes hyper scan.txt

 

malwarebytes 4.txt

 

AdwCleaner[S00].txt



***This is an automated reply***

Hi,

Thanks for posting in the Malware Removal for Windows Help forum. Being infected is not fun and can be very frustrating to resolve, but don't worry, because we have a team of experts here to help you!

Note: Please be patient. When the site is busy it can take up to 48 hours before a malware removal helper can assist you. If no one has replied to your new topic after 48 hours please contact a Moderator or Administrator to let them know.

 

First, if you haven't done so, please run a Threat Scan with the latest version of Malwarebytes. This may resolve your malware infection issue without the need for additional support. Click "Reveal Hidden Contents" below for details:


Malwarebytes can detect and remove most malware with no further actions required for free.

If you do not have Malwarebytes, please download it here and install. Be sure to post back the log as shown below.

  1. Open Malwarebytes for Windows
  2. To the left, click Scan > Scan Types.
  3. Select Threat Scan. Threat Scan is the most thorough and recommended scan method available.
  4. Click Start Scan

Next, if you're still experiencing issues after running Malwarebytes, then technical logs will be required to assist you. Click "Reveal Hidden Contents" below and follow the instructions to run the Farbar Recovery Scan Tool:


Don't use any temporary file cleaners unless requested - this can cause data loss and make a recovery difficult.

Please download the Farbar Recovery Scan Tool here and save it to your desktop. Note: You need to run the version compatible with your system. You can check here if you're not sure whether your computer is 32-bit or 64-bit.

  1. Double-click to run it. When the tool opens, click Yes to the disclaimer.
  2. Press the Scan button.
  3. It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
  4. The first time the tool is run, it also makes another log (Addition.txt). If you've run it before it may not, and you may need to select it manually.

Finally, attach the Malwarebytes Threat Scan, FRST.txt and Additional.txt logs to your reply and Follow this topic to get notified when an expert has replied. Click "Reveal Hidden Contents" below for details.

Note: If you are unable to attach files, please copy and paste the contents of the requested files into your reply instead.


To save attachments, please click the link as shown below. You can click and drag the files to this bar or you can click the choose files, then browse to where your files are located, select them and click the Open button.


 

After posting your new post, make sure you click the Follow button near the top right of this page and select the option "An email when new content is posted", so that you're alerted by email when someone has replied to your post.


Please Note the Following:

  • One of our expert helpers will give you one-on-one assistance when one becomes available.
  • Refrain from making any further changes to your computer (such as Install/Uninstall programs, using special fix tools, delete files, edit the registry, etc...) unless advised by a malware removal helper. Doing so can result in system changes which may hinder the attempts by a helper to clean your machine.
  • Do not 'bump' or add a reply to your topic once it is started. Topics which appear to have replies are considered to have a helper assisting them and may be overlooked, resulting in a longer waiting period for help.
  • If you're using Peer 2 Peer software such as uTorrent or similar, please completely disable it from running while being assisted here.


Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

AANDACHT: Systeemherstel is uitgeschakeld
ATTENTION: System Restore is disabled
Turn System Restore On for Drives in Windows 10
http://www.tenforums.com/tutorials/4533-system-protection-turn-off-drives-windows-10-a.html
===

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Reset Chrome...
Open Google Chrome, click on the menu icon or the 3 vertical dots located at the top right side of Google Chrome.
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Restart Chrome.
<<<>>>

Please post the log and let me know of any issues with this computer.

fixlist.txt


Dear Nasdaq,

Thanks a lot.

See the attached logfile. 

After some browsing in the settings, I got this notification from ESET Firewall (I chose to accept/decline all outgoing connections myself). After the fix and reboot, I got the same one twice again. Is this a virus?

Could it be possible that the virus placed the two pictures in my topic start?

Best regards,
Remco

Eset connection.png

Fixlog.txt


Hi,

The images are parked at Cloudfront.net. It is a legitimate and safe content delivery network owned by Amazon; however, cyber criminals are abusing this CDN to deliver malicious content. This CloudFront.net redirect is usually caused by adware installed on your computer.

===

Please run Malwarebytes and, if some items are found, please post that log for my review.

Please download AdwCleaner by Xplode onto your Desktop.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.

IMPORTANT

  • If you click the Clean button all items listed in the report will be removed.

If you find some false positive items or programs that you wish to keep, close the AdwCleaner window.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).


===

--RogueKiller--

  • Download RogueKiller and SAVE it to your Desktop.
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what PUMs are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click open the Report
  • Click Export TXT button
  • Save the file as ReportRogue.txt
  • Click the Remove button to delete the items in RED  
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.


=======

Is .exe in the ESET warning legit?

I did the AdwCleaner already, see post 3 and 4. Now I removed another threat, see attachment.
RogueKiller found some more, but I forgot to delete only RED. I downloaded an egulden wallet myself, but can't remember a maxcoin.

 

AdwCleaner[S02].txt

Malwarebytes.txt

ReportRogue.txt

Malwarebytes2.txt


Hi,

The logs look good.

As for Eset, because I cannot copy and paste the text (it's an image), I cannot use the Translator.

Can you translate the text and post the exact URL that is blocking the Eset notice.

 

p.s.

The AdwCleaner and MBAM logs are clean.

Do you have logs that show what was removed?

Post them if you have some.


Hi,
Thanks a lot for your help!

In the ReportRogue log, "Niet geselecteerd" means not deleted and "Verwijderd" means deleted.
[PUP.Gen1][Map] C:\Users\Remco\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Popcorn Time -> ERROR [3] isn't deleted either, because of an unspecified error. If I installed Popcorn Time before (could be possible), it was removed long ago.

When I just booted, that ESET warning didn't show. It says that a computer program called Microsoft Outlook Communications (I don't use Outlook, but I do have Office 365 installed) tries to communicate with the external site config.edge.skype.com on IP 13.107.3.128 through port TCP 443 HTTPS.

I would like to be sure that there is no keylogger when I use my pc. I am really shocked the program opened bitcoin wallet software (fortunately that one was empty).

 

After a while I got another firewall warning. I chose to accept/deny all outgoing connections to monitor possible malware.
It says that a computer program called Store tries to communicate with the external site storeedgefd.dsx.mp.microsoft.com (more trojans are using it, see Communicating Files: https://www.virustotal.com/#/domain/storeedgefd.dsx.mp.microsoft.com) on IP 72.247.91.102 through port TCP 443 HTTPS.

 

Eset connection 2.png


Hi,

Run the RogueKiller and remove these.

¤¤¤ Bestanden : 4 ¤¤¤
[PUP.Gen1][Map] C:\Users\Remco\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Popcorn Time -> Verwijderd
[PUP.Gen1][Map] C:\Users\Remco\AppData\Local\PackageAware -> Verwijderd
[PUP.AutoIt.Gen][Bestand] C:\Program Files (x86)\LinuxLive USB Creator\tools\VirtualBox\Virtualize_This_Key.exe -> Verwijderd
[PUP.Gen1][Map] C:\Users\Remco\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Popcorn Time -> ERROR [3]

===

Please use Chrome and search for this string. Include the quotes:
"communicate with the external site config.edge.skype.com on IP 13.107.3.128"

The IP address 13.107.3.128 is from Microsoft.
https://www.abuseipdb.com/whois/13.107.3.128

Did you try to reach Microsoft?

You can possibly check with the Microsoft Outlook forum for advice.


Thanks again! Will do that now. Would you like to get another FRST log?
 

20 minutes ago, nasdaq said:

Please use Chrome and search for this string. Include the quotes:
"communicate with the external site config.edge.skype.com on IP 13.107.3.128"

Chrome then Googles the string for me, where I can't find anything but the Malwarebytes forum.

49 minutes ago, remco1745 said:

After a while I got another firewall warning. I chose to accept/deny all outgoing connections to monitor possible malware.
It says that a computer program called Store tries to communicate with the external site storeedgefd.dsx.mp.microsoft.com (more trojans are using it, see Communicating Files: https://www.virustotal.com/#/domain/storeedgefd.dsx.mp.microsoft.com) on IP 72.247.91.102 through port TCP 443 HTTPS.

This connection is already known for trojan use. I hope Microsoft can help to exclude this.


Hi,

Let's see what I can find.

Run the Farbar program .exe as an Administrator.

In the Search text area, copy and paste the following:
*storeedgefd.dsx*
Once done, click on the Search File button and wait for FRST to finish the search.
On completion, a log will open in Notepad. Copy and paste its content into your next reply.
===

Hi,

I suspect that it's coming from your Prefetch file.

C:\Windows\Prefetch\WINSTORE.APP.EXE-4E2C28F6.pf
[2018-05-20 17:47][2018-05-20 20:06] 000033514 _____ () 94EC2DBB4CF51ED512A0764F6FB18729 [Bestand niet getekend]

Each time you turn on your computer, Windows keeps track of the way your computer starts and which programs you commonly open. Windows saves this information as a number of small files in the prefetch folder. The next time you turn on your computer, Windows refers to these files to help speed the start process.

Prefetch files are great artifacts for forensic investigators trying to analyze applications that have been run on a system. Windows creates a prefetch file when an application is run from a particular location for the very first time. This is used to help speed up the loading of applications. For investigators, these files contain some valuable data on a user’s application history on a computer.

From the Run command box execute

Prefetch

Accept the notice to continue.
Right click on this entry

C:\Windows\Prefetch\WINSTORE.APP.EXE-4E2C28F6.pf

Select Delete.

Close the window.

Restart the computer normally.

How is it now?
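Added example, not from this thread or from FRST or RogueKiller: the eight hex digits in a Prefetch file name such as WINSTORE.APP.EXE-4E2C28F6.pf are a hash of the upper-cased NT device path the program was launched from, so recomputing that hash for the path where a binary is supposed to live tells an analyst whether the Prefetch entry belongs to the legitimate location or to a copy running from elsewhere. The hash functions are the documented SCCA variants (XP, Vista, and the 2008 variant that Windows 7 through 10 use); the sample path is constructed, since the exact WindowsApps path of the Store executable is not in the thread.

```python
import re
# SCCA hash variants used in Windows Prefetch file names.  Windows 10
# (the system in this thread) uses the 2008 variant; the input is the
# upper-cased NT device path of the executable, e.g. \DEVICE\HARDDISKVOLUME2\...
def scca_xp_hash(path):
    h = 0
    for ch in path:
        h = (h * 37 + ord(ch)) & 0xFFFFFFFF
    h = (h * 314159269) & 0xFFFFFFFF
    if h > 0x80000000:
        h = 0x100000000 - h
    return (h % 1000000007) & 0xFFFFFFFF

def scca_vista_hash(path):
    h = 314159
    for ch in path:
        h = (h * 37 + ord(ch)) & 0xFFFFFFFF
    return h

def scca_2008_hash(path):
    h, i, n = 314159, 0, len(path)
    while i + 8 < n:                      # eight characters per round
        c = ord(path[i + 1]) * 37
        for k in range(2, 7):
            c = (c + ord(path[i + k])) * 37
        c += ord(path[i]) * 442596621 + ord(path[i + 7])
        h = (c - h * 803794207) & 0xFFFFFFFF
        i += 8
    while i < n:                          # trailing characters, one at a time
        h = (37 * h + ord(path[i])) & 0xFFFFFFFF
        i += 1
    return h

HASHERS = {"xp": scca_xp_hash, "vista": scca_vista_hash, "2008": scca_2008_hash}
PF_NAME = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-Fa-f]{8})\.pf$")

def prefetch_name(device_path, flavour="2008"):
    """Expected <EXE>-<HASH>.pf name for a program run from device_path."""
    upper = device_path.upper()
    exe = upper.rsplit("\\", 1)[-1]
    return f"{exe}-{HASHERS[flavour](upper):08X}.pf"

def matches_expected_path(pf_filename, device_path, flavour="2008"):
    """True if the .pf name was produced by an executable at device_path.
    Caveat: for a few host processes (svchost.exe, for example) Windows
    hashes the command line as well, so those need the full command line."""
    m = PF_NAME.match(pf_filename)
    if not m:
        raise ValueError(f"not a Prefetch file name: {pf_filename}")
    upper = device_path.upper()
    return (m["exe"].upper() == upper.rsplit("\\", 1)[-1]
            and int(m["hash"], 16) == HASHERS[flavour](upper))
if __name__ == "__main__":
    # Constructed sample path; the real WindowsApps path is not in the thread.
    sample = r"\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\NOTEPAD.EXE"
    print(prefetch_name(sample), matches_expected_path(prefetch_name(sample), sample))
```

A mismatch against the expected path is a reason to look for the executable elsewhere on disk, not proof of infection by itself, since the volume number in the device path also changes the hash.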
 


After the reboot, I immediately got the warning for HxTsr.exe again.
VirusTotal gives 1/66 on that file.

C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.9226.21595.0_x64__8wekyb3d8bbwe 

https://www.virustotal.com/#/file/ad9b25c5b836cfc1b924aa1ab3ede167625f0f2e3f2b9e7479f9ef19020fa919/detection


Hi,

This is the first time you give me the filename.

After the reboot, I immediately got the warning for HxTsr.exe again


This file is required by Outlook.

Try to repair the Office application you have.
https://support.office.com/en-us/article/Repair-an-Office-application-7821d4b6-7c1d-4205-aa0e-a6b40c5bb88b

Is your Office application a paid Microsoft product, and do you have a license for it?

In all I would not worry about this False Positive notice.


I noticed before that there was some time between shutting down (and with reboot), where my monitor signal was down but the computer was on. 

Lastly, when I was inactive for about half an hour, I saw my screen wake up because of the ESET warning above (asking me for permission for an outgoing connection). I was about to click accept, but my mouse and keyboard weren't working any longer. I shut down my PC.

After starting the pc again, my mouse and keyboard didn't work any longer. I booted again and was able to get into bios. So there is no problem with the mouse or keyboard. Discarded bios setting changes and booted, mouse and keyboard not working. 

I tried two other mice, same problem. I assume this is related to the virus?

Any scans I could do without windows? 


Hi,

I'm not sure but you may be having some hardware issues, driver etc...

We will check your BIOS and Master boot record.

Read carefully and follow these steps.
TDSS

  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application.
  • Then click on Start Scan.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.

  • If an infected file is detected, the default action will be Cure, click on Continue.

  • Important: Do NOT change the default action on your own unless instructed by a malware Helper! Doing so may render your computer unbootable.

  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.

  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.

  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


===

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it.

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please paste the contents of that log in your next reply.


There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.
===

Wait for further instructions.


My PC crashes when I run aswMBR. It asks "This computer supports virtual technology. Would you like to use it for rootkit detection?" I chose yes and got a BSOD with stop code PAGE FAULT IN NONPAGED AREA on aswVmm.sys. My wireless mouse and keyboard did work again afterwards, and still are working.

When I chose No, it runs for a while until Modules scanning. Then I get a BSOD with stop code DRIVER IRQL NOT LESS OR EQUAL on aw.MBR.sys.

 

I got two logfiles of aswMBR, but I think those scans aren't completed. When I run it again, I see more loglines on my screen.

aswMBR.txt

TDSSKiller.txt

aswMBR2.txt

IMG_20180525_152915_693.jpg

