Why does this keep reappearing about once every minute?  Windows Defender is catching and quarantining it, but why are the people interested in taking over my computer?  Might it be someone who knows me?  I guess I don't know how these things work.


Hi, 

I will be helping and guiding you, going forward.
You seem to report that Windows Defender is flagging some file.

One should not jump to an assumption that "some person" is behind all this.

 

Let's first get a diagnostic readout report.  Later on, I can guide you to doing a special run of Microsoft Windows Defender.

 

We need to get information from this machine in order to have the proper detail to help you forward.
 NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer; please allow the programs to run if blocked by your system.

    Download Malwarebytes Support Tool
    
    
    Once the file is downloaded, open your Downloads folder/location of the downloaded file
    Double-click mb-support-1.4.0.615.exe to run the report
        You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
        
    Place a checkmark next to Accept License Agreement and click Next
    You will be presented with a page stating, "Get Started!"

    Do NOT use the button “Start repair” !
    Click the Advanced tab on the left column
    
    Click the Gather Logs button
    
    A progress bar will appear and the program will proceed with getting logs from your computer
   
    Upon completion, a file named mbst-grab-results.zip will be saved to your Desktop. Click OK
    Please attach the ZIP file in your next reply.

 

Thank you.

 


@Hottubjoe

Please provide the report listed above.  This pc has a variant of the Trickbot trojan. This can be removed but first requires the report & then followups after that.

Please minimize all online uses of this machine to only this forum, as much as possible.   Do not do any online web surfing !

This trojan can be squashed, though it does take several procedures.

This will require much patience and attention on your end.

I am very much wanting to have the Support tool report from this machine so that we can get going on cleanups.

Sincerely,


Hi,
Thank you for the personal message.  It is good to know you are receiving messages and that you are there.

What I asked for at the very start only takes a few minutes.  It does not make any changes.  It is only just the first step.
https://forums.malwarebytes.com/topic/248257-trojanwin32meretama/?tab=comments#comment-1316824

If needed, we have a How-To with pictures on how to get & run that report
https://support.malwarebytes.com/docs/DOC-2388

After the tool has finished running, you would just ATTACH the zip file to this thread ( here) on the forums.

There will be a few more things to be done on your side, on which I will help with.
This report is only the first step.   This is why I am looking for it.   So that we can start to do more after that.

Please have courage & confidence & lots of patience in all this.   You and I can do this.

 

IF you have any questions, please feel free to reply back and ask.

Sincerely,


Hi,

How are you doing ?

Let's see if we can manage to have you do the following.

This is to make a custom procedure to attempt to get the trojan components to be set out of the way.

 

Start NOTEPAD (you can press the Windows-key+R keys to get the RUN box, then type in

NOTEPAD.exe

and press the Enter key to start NOTEPAD).

Check and make sure "word wrap" is off.
From Notepad main menu bar, Select F (format) and make sure Word Wrap is NOT checked.
IF it -is- checkmarked, click that one time so that it is un-checked.

Please copy/paste all  the lines below to Notepad:


@Echo on
rem Renaming inside System32\Tasks needs an elevated prompt: right-click flush.bat and choose "Run as administrator".
pushd %SystemRoot%\System32\Tasks
rem ren takes a bare new name, not a full path, as its second argument.
ren MsSysToken MsSysToken.bad
popd
rem %appdata% already expands to C:\Users\<name>\AppData\Roaming, so do not put C:\ in front of it.
pushd "%appdata%"
ren msdesk msdesk.bad
popd
shutdown -r -t 1

 


Now save it as flush.bat to your desktop.
Double-click the flush.bat file to run it. Your computer will reboot.



Once this is done, let me know how things are on this machine.  Do have patience with this.  Keep me advised.

Thanks.

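The same procedure in PowerShell, added here as an example; it is not the helper's script and is not part of the original post. It assumes only the two artefact names the batch above renames (a scheduled task called MsSysToken and a msdesk folder under %APPDATA%); the evidence folder, report path and everything else are assumptions. Before anything is touched it writes down what the task launches, exports the task definition and records the SHA-256 of every file in the folder, so the samples can still be identified later, and it renames rather than deletes. Run it from an elevated Windows PowerShell session; it reboots at the end.

```powershell
# Added example, not from the thread. Run in an elevated Windows PowerShell 5.1 session.
# Artefact names come from the batch script in the post above; all other paths are assumptions.
$TaskName  = 'MsSysToken'
$TaskFile  = Join-Path $env:SystemRoot 'System32\Tasks\MsSysToken'
$AppFolder = Join-Path $env:APPDATA 'msdesk'   # $env:APPDATA is already C:\Users\<name>\AppData\Roaming
$Evidence  = Join-Path $env:USERPROFILE 'Desktop\flush-evidence'
New-Item -ItemType Directory -Path $Evidence -Force | Out-Null
$Report    = Join-Path $Evidence 'flush-report.txt'

function Record([string]$Text) {
    Add-Content -Path $Report -Value $Text
    Write-Output $Text
}

# 1. Evidence first: what does the task run, and what is in the folder?
$task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
if ($task) {
    Record ("Task {0}{1} state={2}" -f $task.TaskPath, $task.TaskName, $task.State)
    foreach ($a in $task.Actions) { Record ("  action: {0} {1}" -f $a.Execute, $a.Arguments) }
    # Keep the full definition (triggers, principal, actions) for later analysis.
    Export-ScheduledTask -TaskName $TaskName -TaskPath $task.TaskPath |
        Set-Content -Path (Join-Path $Evidence "$TaskName.xml")
} else {
    Record "No scheduled task named $TaskName is registered."
}

if (Test-Path $AppFolder) {
    Get-ChildItem -Path $AppFolder -File -Recurse -Force | ForEach-Object {
        $h = Get-FileHash -Path $_.FullName -Algorithm SHA256
        Record ("  {0}  {1}  {2} bytes" -f $h.Hash, $_.FullName, $_.Length)
    }
} else {
    Record "Folder $AppFolder is not present."
}

# 2. Neutralise without destroying: unregister the task so Windows stops scheduling it,
#    then rename whatever is left on disk. Renaming keeps the samples but breaks the
#    persistence; nothing is deleted.
if ($task) {
    Unregister-ScheduledTask -TaskName $TaskName -TaskPath $task.TaskPath -Confirm:$false
    Record "Task $TaskName unregistered."
}
if (Test-Path $TaskFile) {
    Rename-Item -Path $TaskFile -NewName "$TaskName.bad"
    Record "Renamed $TaskFile"
}
if (Test-Path $AppFolder) {
    Rename-Item -Path $AppFolder -NewName 'msdesk.bad'
    Record "Renamed $AppFolder"
}

# 3. Reboot so no running process keeps the renamed files open or re-creates them
#    before the scans in the next step.
Restart-Computer -Force
```

The report and the exported task XML end up in the flush-evidence folder on the Desktop, which is what a helper would want attached to the next reply alongside the scan logs.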

Hi Joe.

It is a great thing to hear back from you.  Bravo.  Thank you for the support report file.

There are a number of things to remark on here.  I am going to mention a few here.  A few of those we will be covering later on.

This Windows 10 system has the Windows System Restore off.   We will need to get that back on.

I also see that this pc does not seem to have installed Malwarebytes for Windows !

I do see that the pc has installed MCAFEE Virusscan ( web advisor).   But it is listed as Disabled  ( per Windows).

It would seem Microsoft Windows Defender is ON.  It is enabled = = thank goodness.


I am listing below one special custom task that will use a tool already there on your Downloads folder - - FRSTENGLISH

and then I would like for you to do some special scans.

 

[ 1 ]

Keep in mind this task may well need to do a Windows Restart.   SO before you begin this, please Close and Save all open work, if any.

 

I am sending a custom Fix script which is going to be used by the FRSTENGLISH tool. They will both work together as a pair.

Please RIGHT-click the (attached file named) FIXLIST and select SAVE AS and save it directly ( as is) in the Downloads folder 

The tool named FRSTENGLISH is already on the Downloads folder.

Start the Windows Explorer and then, open the Downloads folder.


Double click FRSTENGLISH to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
Click the Fix button just once, and wait.

 


 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. Some machines take longer than others.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

 

[ 2 ]

Please read all of these lines first so that it is all clear to you about our plan. I need a one time run of MBAR like listed here, please.

Please download Malwarebytes Anti-Rootkit (MBAR) from this link

and save it to your desktop.

 

Double-click on the MBAR file and allow it to run.

• Click OK on the next screen, to allow the package to extract the contents of the file to its own folder named mbar.

• mbar.exe will launch automatically. On some systems, this may take a few extra seconds. Please be patient and wait for the program to open.

• After reading the Introduction, click 'Next' if you agree.

• On the Update Database screen, click on the 'Update' button.

• Once you see 'Success: Database was successfully updated' click on 'Next', then click the Scan button.

With some infections, you may see two message boxes:

1. 'Could not load protection driver'. Click 'OK'.
2. 'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.

• If malware is found, press the Cleanup button when the scan completes.

Please attach the log it produces; you'll find the log in that mbar folder as MBAR-log-<date and time>***.txt. Please attach that to your next reply.

Also the FIXLOG report from the previous task.

And just be sure you proceed forward doing the scan with step #3 below.
 


[ 3 ]

The Microsoft Windows Defender is a powerful antivirus.  Let's take some time and do an Offline scan.   This needs to run alone, so you need to close all open work you have.

Windows 10 has the Microsoft Windows Defender which can run the Windows Defender Offline scan.
Windows Defender Offline in Windows 10 can be run directly from within Windows, without having to create bootable media.

Click the Windows Start menu button on the Taskbar, select Settings icon. Then choose Update and Security.
Then look on the right hand side and click on Windows Defender.
Then, scroll all the way down on the scroll bar, down to where you see "Windows Defender Offline"
Click on the button Scan Offline to start the process and let it scan the system.

Keep in mind that the design and what is scanned by Windows Defender is a whole different design from Malwarebytes. But do let me know how this scan goes and what the result is.


Thanks for replying.  Please continue to have patience & just do not give up.

Sincerely,

 

 

fixlist.txt

Edited by Maurice Naggar

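A console version of the three points in the post above (Defender active while McAfee is disabled, System Restore off, and the Windows Defender Offline scan), plus a query that speaks to the original question of what keeps being quarantined every minute. This is an added example, not the helper's instructions; it uses only the Defender and System Restore cmdlets that ship with Windows 10 and needs an elevated Windows PowerShell session. The restore-point description and the grouping of the detection history are assumptions.

```powershell
# Added example, not from the thread. Elevated Windows PowerShell 5.1 on Windows 10;
# the Defender cmdlets come with the OS, nothing extra is installed.

# 1. Which antivirus is actually active? (The support report said McAfee is present but
#    disabled and Defender is on; this shows the same thing from the console.)
$status = Get-MpComputerStatus
"Defender enabled: {0}   Real-time protection: {1}   Signatures updated: {2}" -f `
    $status.AntivirusEnabled, $status.RealTimeProtectionEnabled, $status.AntivirusSignatureLastUpdated

# 2. What keeps being detected "about once a minute"? Group the detection history by
#    threat and by the process that dropped the file; a detection that recurs from the
#    same parent process points at the component that is re-creating it.
Get-MpThreatDetection |
    Sort-Object InitialDetectionTime |
    Group-Object ThreatID, ProcessName |
    ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            ThreatID  = $first.ThreatID
            Process   = $first.ProcessName
            Hits      = $_.Count
            FirstSeen = $first.InitialDetectionTime
            LastSeen  = $_.Group[-1].InitialDetectionTime
            Paths     = ($_.Group.Resources | Sort-Object -Unique) -join '; '
        }
    } | Format-Table -AutoSize

# ThreatID is numeric; this maps it to the detection name Defender showed the user.
Get-MpThreat | Select-Object ThreatID, ThreatName, SeverityID | Format-Table -AutoSize

# 3. System Restore was off in the support report: turn it back on for the system drive
#    and take a checkpoint before the cleanup steps change anything. Windows 10 creates at
#    most one restore point per 24 hours by default, so a second run may skip this.
Enable-ComputerRestore -Drive "$env:SystemDrive\"
Checkpoint-Computer -Description 'Before malware cleanup' -RestorePointType MODIFY_SETTINGS

# 4. Windows Defender Offline scan from the console. This reboots into the offline
#    environment immediately, so save open work first.
Start-MpWDOScan
```

Step 2 is the useful diagnostic: if every hit comes from the same ProcessName and the same path, that process (or the task or folder that launches it) is the persistence to remove, which is what the rename script and the FRST fix earlier in the thread are doing.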

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks

 
