I first purchased Malwarebytes about 2 months ago after I started getting nasty emails.  I know these are spam but I didn't have a malware solution so I chose Malwarebytes.

For the last 2 months I have been running fine and only a couple of times has the program flagged a trojan or something on a website.

Well I'm still getting spammed pretty hard on my email accounts (just actually deleted them), and my ISP provides Norton so I decided last night to install it.

It claims it found 4 threats!  One of which is W32.Extrat, which is a remote access virus (keylogger, etc).   Has this been running the entire time I have thought I was clean?

I know nothing is perfect but I bought Malwarebytes specifically to deal with these types of threats... 

Windows 10, latest update.

 

[attached image: nortonFoundMalware.PNG]


Let me just clarify my remarks.

I run my own email domain.  I don't expect Malwarebytes to stop SPAM.  I have a SPAM filter for that on my server.  I merely mention it for context.

 

Oh WOW.... scan for rootkits is off by default?!?!?!


Ran adwcleaner:

# -------------------------------
# Malwarebytes AdwCleaner 7.2.5.0
# -------------------------------
# Build:    11-26-2018
# Database: 2018-11-30.1 (Cloud)
# Support: https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Scan
# -------------------------------
# Start:    12-01-2018
# Duration: 00:00:09
# OS:       Windows 10 Pro
# Scanned:  32290
# Detected: 4


***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

No malicious folders found.

***** [ Files ] *****

No malicious files found.

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious WMI found.

***** [ Shortcuts ] *****

No malicious shortcuts found.

***** [ Tasks ] *****

No malicious tasks found.

***** [ Registry ] *****

PUP.Adware.Heuristic            HKLM\SOFTWARE\94a6df8a-d3f9-558d-bb04-097c192530b9
PUP.Adware.Heuristic            HKLM\SOFTWARE\81bfc699-f883-50c7-b674-2483b6baae23

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries found.

***** [ Chromium URLs ] *****

PUP.Optional.Legacy             Ask
PUP.Optional.Legacy             AOL

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries found.

***** [ Firefox URLs ] *****

No malicious Firefox URLs found.

########## EOF - C:\AdwCleaner\Logs\AdwCleaner[S00].txt ##########
 


adwcleaner fix report (1 failed to clean)

 

# -------------------------------
# Malwarebytes AdwCleaner 7.2.5.0
# -------------------------------
# Build:    11-26-2018
# Database: 2018-11-30.1 (Cloud)
# Support:  https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Clean
# -------------------------------
# Start:    12-01-2018
# Duration: 00:00:01
# OS:       Windows 10 Pro
# Cleaned:  3
# Failed:   1


***** [ Services ] *****

No malicious services cleaned.

***** [ Folders ] *****

No malicious folders cleaned.

***** [ Files ] *****

No malicious files cleaned.

***** [ DLL ] *****

No malicious DLLs cleaned.

***** [ WMI ] *****

No malicious WMI cleaned.

***** [ Shortcuts ] *****

No malicious shortcuts cleaned.

***** [ Tasks ] *****

No malicious tasks cleaned.

***** [ Registry ] *****

Deleted       HKLM\SOFTWARE\94a6df8a-d3f9-558d-bb04-097c192530b9
Deleted       HKLM\SOFTWARE\81bfc699-f883-50c7-b674-2483b6baae23

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries cleaned.

***** [ Chromium URLs ] *****

Deleted       Ask
Not Deleted   AOL

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries cleaned.

***** [ Firefox URLs ] *****

No malicious Firefox URLs cleaned.


*************************

[+] Delete Tracing Keys
[+] Reset Winsock

*************************

AdwCleaner[S00].txt - [1418 octets] - [01/12/2018 00:20:46]

########## EOF - C:\AdwCleaner\Logs\AdwCleaner[C00].txt ##########


By the way, I'm not trying to insult Malwarebytes.  I am somewhat shocked that I have let a trojan go for so long and am asking for help in making sure my system is clean.

I used to do email and surf in a Linux VM, thinking that and Windows Defender were enough!  Sadly, no.


Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download the attached Fixlist.txt file to  the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

These keys reported by the AdwCleaner tool are from Cloud Imperium Games:
PUP.Adware.Heuristic            HKLM\SOFTWARE\94a6df8a-d3f9-558d-bb04-097c192530b9
PUP.Adware.Heuristic            HKLM\SOFTWARE\81bfc699-f883-50c7-b674-2483b6baae23

If you want to remove them, use the Control Panel > Programs > Programs and Features.

Your call.

RSI Launcher 1.0.1 (HKLM\...\81bfc699-f883-50c7-b674-2483b6baae23) (Version: 1.0.1 - Cloud Imperium Games)
RSI PTU Launcher 1.0.1-ptu.4 (HKLM\...\94a6df8a-d3f9-558d-bb04-097c192530b9) (Version: 1.0.1-ptu.4 - Cloud Imperium Games)
===

Let me know of any remaining issues with this computer.


 

[attachment: fixlist.txt]


[attachment: Fixlog.txt]

I have read this and I have no idea what it did.  It looks like it removed some chrome stuff and maybe a spy that Microsoft installed (campainManager?).

By the way, Norton REALLY hates FRST64.exe.  

First, it warned me to discard the download.

Second, it warned me when I started the process that the process was reaching out over port 80 to bleepingcomputer.

Thank you, I will contact you if I have further issues with the computer.  I think I have further issues with my life after having a RAT for who knows how long...  Time to call banks etc...


Nasdaq,

I have a question.  I just did more research on the location of this virus, as detected.

It was in appdata/local/comms/unistore  folder 7.

Apparently that is where Microsoft Mail stores attachments when downloading POP.   One file was MyDocs.SCR and another infected file was a .zip.  I don't recall ever executing either.  Is it possible this RAT was never active?

I started using Windows Mail about 3 weeks ago (before I used thunderbird on my VM).   I had about 7000 emails from over 10 years on the server when mail downloaded via POP.

Nothing has found an active RAT process.  Is it possible to have had the RAT running without Malwarebytes or Norton being aware of it?  Would I have had to execute the .SCR or unzip the .zip for it to infect me?

Thank you for your help.


Hi,

By the way, Norton REALLY hates FRST64.exe.  

The Farbar tool uses programs that can be harmful to your computer.
If downloaded from the site I gave you it's safe. Do not worry.

===

Temporary files are saved in this folder.
The location is C:\Users\Myuser\AppData\Local\Comms\Unistore\Data\Temp
You can delete them as you wish. Any files in a \temp folder are created by applications.
When the application is closed normally they are deleted, but not always.

p.s.
Are you saying that you have 7 sub folders under the \temp... folder 7?
Then all the files in these folders can be deleted.
<<<>>>

With the protection of Norton I'm sure you are clean.

You can check if your Passwords have been compromised.
https://haveibeenpwned.com/Passwords

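The password check suggested above works without revealing the password. As an added example (not code from the thread or from Have I Been Pwned), the Python below shows how the Pwned Passwords range API is meant to be used: only the first five hex characters of the password's SHA-1 leave the machine, the service returns every breached suffix under that prefix, and the comparison is done locally. The range response embedded here is constructed so the script runs offline; the breach count it carries is illustrative, and fetch_range() is the live call.

```python
"""Check whether a password appears in Pwned Passwords without sending it.

Added example, not code from the thread or from Have I Been Pwned. The
range API returns every breached SHA-1 suffix sharing the first five hex
characters of your hash, and the comparison happens locally. The response
used here is constructed so the example runs offline; fetch_range() is the
live call and is not exercised by the offline run.
"""
import hashlib
import urllib.request

API = "https://api.pwnedpasswords.com/range/"

# Constructed stand-in for a range response. Real responses hold hundreds of
# "SUFFIX:COUNT" lines; with Add-Padding some padding lines carry count 0.
# The count shown for "password" is illustrative, not a live figure.
SAMPLE_RESPONSE = """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
011053FD0102E94D6AE2F8B83D76FAF94F6:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E4C9B93F3F0682250B6CF8331B7EE68FD9:0
"""


def split_sha1(password: str):
    """Uppercase hex SHA-1, split into the 5-char prefix sent and the suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, body: str) -> int:
    """Breach count for suffix in a range response; 0 if absent or a padding line."""
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        found, _, count = line.partition(":")
        if found.upper() == suffix:
            return int(count or 0)
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup of one prefix. Add-Padding makes responses a uniform rough size."""
    req = urllib.request.Request(
        API + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pwned-range-check/1.0"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def offline_fetch(prefix: str) -> str:
    """Stand-in for fetch_range that serves the constructed response for prefix 5BAA6."""
    return SAMPLE_RESPONSE if prefix == "5BAA6" else ""


def pwned_count(password: str, fetch=fetch_range) -> int:
    """How many times the password's hash appears in the corpus (0 means not seen)."""
    prefix, suffix = split_sha1(password)
    return count_in_range(suffix, fetch(prefix))


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", pwned_count(pw, fetch=offline_fetch))
```

Pass fetch_range instead of offline_fetch for a real lookup. A padded line with count 0 is treated the same as no match, which is the behaviour the padding is designed for.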

Thank you for your reply.

I'm saying that this folder is where Windows Mail stores all of the downloaded emails and attachments: subfolder 3 for emails and subfolder 7 for attachments.

C:\Users\Josh\AppData\Local\Comms\Unistore\data

So Emails are in C:\Users\Josh\AppData\Local\Comms\Unistore\data\3\

Attachments are in C:\Users\Josh\AppData\Local\Comms\Unistore\data\7

The files in those folders are for Mail program's use and are hidden protected operating system files.

The viruses were found in subfolder 7, which means some email had a virus attachment.   Since I downloaded 10 years of emails via POP a few weeks ago, I'm guessing someone sent me viruses over the last 10 years and those were downloaded to this folder (but maybe not executed?).

 

Protection of Norton and Malwarebytes!

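The two posts above raise the practical question: a cached attachment under Unistore\data\7 proves the mail client downloaded it, not that anyone ran it. As an added example (not code from the thread, from Malwarebytes, or from Microsoft), the Python below does the triage a responder would do on such a cache: walk the directory, flag anything Windows would execute on double-click (a .SCR is a PE just like an .exe, and the check also looks at the MZ header so a renamed executable is caught), open zip attachments and flag executable members, and emit SHA-256 hashes to match against quarantine logs. The directory layout and the three sample attachments are constructed in a temp folder so the script runs offline; point triage_dir() at the real path with the mail app closed.

```python
r"""Triage a mail client's attachment cache for executable content.

Added example, not code from the thread. The poster says Windows Mail keeps
POP-downloaded attachments under <profile>\AppData\Local\Comms\Unistore\data\7;
this script accepts any directory and reports files that Windows would run
(by PE magic or by extension) and archive members that would, with SHA-256
hashes to match against quarantine entries. The sample cache is constructed
in a temp directory so the example runs offline.
"""
import hashlib
import io
import tempfile
import zipfile
from pathlib import Path

# Extensions Windows runs on double-click; .scr is a PE exactly like .exe.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".dll", ".msi", ".bat", ".cmd",
             ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".ps1", ".lnk"}
MAX_MEMBER = 64 * 1024 * 1024  # do not inflate archive members above this (zip bombs)


def is_pe(head: bytes) -> bool:
    """Every PE image (exe, scr, dll) starts with the DOS stub signature 'MZ'."""
    return head[:2] == b"MZ"


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage_file(path: Path) -> list:
    """Findings for one cached attachment: the file itself, then any zip members."""
    findings = []
    data = path.read_bytes()
    ext = path.suffix.lower()
    if is_pe(data) or ext in EXEC_EXTS:
        findings.append({
            "file": str(path), "member": None,
            "reason": "PE header" if is_pe(data) else "extension " + ext,
            "sha256": sha256_bytes(data),
        })
    if zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as archive:
            for info in archive.infolist():
                if info.is_dir() or info.file_size > MAX_MEMBER:
                    continue
                member = archive.read(info)
                mext = Path(info.filename).suffix.lower()
                if is_pe(member) or mext in EXEC_EXTS:
                    findings.append({
                        "file": str(path), "member": info.filename,
                        "reason": "PE header" if is_pe(member) else "extension " + mext,
                        "sha256": sha256_bytes(member),
                    })
    return findings


def triage_dir(root) -> list:
    """Walk the cache and collect findings in a stable, case-insensitive order."""
    results = []
    for p in sorted(Path(root).rglob("*"), key=lambda q: str(q).lower()):
        if p.is_file():
            results.extend(triage_file(p))
    return results


def build_sample_cache() -> Path:
    """Constructed sample mirroring the Unistore/data/7 layout: a .SCR that is a
    (fake) PE, a zip hiding setup.exe beside a text note, and a plain JPEG."""
    root = Path(tempfile.mkdtemp()) / "Unistore" / "data" / "7"
    root.mkdir(parents=True)
    (root / "MyDocs.SCR").write_bytes(b"MZ" + b"\x90" * 62 + b"PE\0\0" + b"\0" * 64)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("notes.txt", "quarterly numbers attached")
        z.writestr("setup.exe", b"MZ" + b"\0" * 128)
    (root / "invoice.zip").write_bytes(buf.getvalue())
    (root / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\0" * 32)
    return root


if __name__ == "__main__":
    for hit in triage_dir(build_sample_cache()):
        where = hit["file"] + (" :: " + hit["member"] if hit["member"] else "")
        print(f"{hit['reason']:<16} {hit['sha256'][:16]}...  {where}")
```

A hit here answers only "was an executable delivered", which is what the scanners reported. Whether it ever ran is a separate question answered by execution artifacts (Prefetch entries, Run keys, scheduled tasks, services) rather than by the contents of the cache, which is why the earlier advice to look for persistence still applies even when the attachment files themselves have been quarantined.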

I guess you will have to be careful when opening any of the email in that folder.

4 hours ago, nasdaq said:

I guess you will have to be careful when opening any of the email in that folder.

Oh all those files not quarantined are gone.  I deleted that mail account from Mail and after backing up that account to PST (yes, need to be careful with this pst) I deleted that and 2 other mail accounts.

Thank you again.
