
That log is from Windows in Normal mode... I wanted a scan completed from the recovery environment.. Can you read reply #25 again please..


Apologies, I have been stuck at the airport; I went to pick my daughter up and the flight was delayed. Am looking over the log now..


Unfortunately there is still nothing obvious showing in that log... What is the following software used for:

SMADAV version 12.4.1


From what I understand, the problem in hand is related to and instigated by a browser extension. Malwarebytes removes the following entries:

RiskWare.BitCoinMiner, C:\Users\Binfo\AppData\Roaming\EpicNet Inc\CloudNet\cloudnet.exe, En quarantaine, [774], [451717],1.0.11522
RiskWare.BitCoinMiner, C:\Users\Binfo\AppData\Roaming\EpicNet Inc\CloudNet, En quarantaine, [774], [451717],1.0.11522
RiskWare.BitCoinMiner, C:\USERS\BINFO\APPDATA\ROAMING\EPICNET INC, En quarantaine, [774], [451717],1.0.11522
RiskWare.BitCoinMiner, C:\Users\Binfo\AppData\Local\EpicNet Inc\CloudNet\cloudnet.exe\Protection Dir, En quarantaine, [774], [620159],1.0.11522
RiskWare.BitCoinMiner, C:\Users\Binfo\AppData\Local\EpicNet Inc\CloudNet\cloudnet.exe, En quarantaine, [774], [620159],1.0.11522
RiskWare.BitCoinMiner, C:\Users\Binfo\AppData\Local\EpicNet Inc\CloudNet, En quarantaine, [774], [620159],1.0.11522
RiskWare.BitCoinMiner, C:\USERS\BINFO\APPDATA\LOCAL\EPICNET INC, En quarantaine, [774], [620159],1.0.11522

Unfortunately, after a system restart those entries return. If, as reported on several reputable sites, they are related to a malicious extension, we need to sort that out first... Chrome is your default browser, so let's temporarily turn off all extensions:

https://chrome.google.com/webstore/detail/disable-extensions-tempor/lcfdefmogcogicollfebhgjiiakbjdje?hl=en

Next,

Run a Malwarebytes threat scan and remove all found entries. Run Hitman Pro and remove all found entries. Reboot after each scan if required.

Does the issue return..?


Buggerrrrrrrrrrrr. Run this please...

Please download Malwarebytes Anti-Rootkit from here
 
  • Right click on the tool (select "Run as Administrator") to start the extraction to a convenient location. (Desktop is preferable)
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder... mbar-log.txt and system-log.txt


We are not finding the loader. From Google investigations the root cause is usually identified as a browser extension. MB removes the infection, but that returns on reboot; to me that suggests another type of loader is doing the infection reload...

To remove browser extension issues Avast have a dedicated tool; download it to your Desktop and give that a try. Let me know if it finds anything. Make sure browsers are closed when you run the tool..

http://www.bugsfighter.com/avast-browser-cleanup-review/

The download is under the main GUI example...

If that finds nothing try TDSSKiller, see if that identifies any possibilities...

Please read carefully and follow these steps.
  • Download TDSSKiller from here: http://support.kaspersky.com/downloads/utils/tdsskiller.exe and save it to your Desktop.
  • Double-click on the downloaded file to run the application.
  • The "Ready to scan" window will open. Click on "Change parameters".
  • Ensure all entries are checkmarked under Additional Options, and ensure all entries are checkmarked under Objects to scan. When Loaded Modules is checkmarked a reboot will be offered; allow that to happen...
  • Continue after reboot: select "Change Parameters", make sure entries are checkmarked and then select "Start Scan".
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

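Two of Kevin's posts above come down to the same question: the Malwarebytes quarantine entries for CloudNet return after every restart, and later he notes that the loader re-creating them has not been found. The PowerShell below is an added example for readers of this thread, not a tool from the thread or from Malwarebytes. It searches the usual autostart locations (Run/RunOnce keys in the 64-bit and 32-bit views, scheduled tasks, services, Startup folders and WMI permanent event consumers) for any entry whose command line references a pattern, defaulting to the 'EpicNet Inc\CloudNet' path quoted in the Malwarebytes log. The function name Find-AutostartReference is my own; run it from an elevated PowerShell so the HKLM keys and the root\subscription namespace are readable.

```powershell
# Added example (not from the thread): locate autostart entries that reference a path
# the scanner keeps re-quarantining. Default pattern is the CloudNet folder quoted in
# the Malwarebytes log earlier in this thread.
function Find-AutostartReference {
    param([string]$Pattern = 'EpicNet Inc\CloudNet')

    $hits = New-Object System.Collections.Generic.List[object]
    $add  = { param($Source, $Name, $Target)
              $hits.Add([pscustomobject]@{ Source = $Source; Name = $Name; Target = $Target }) }

    # 1. Run / RunOnce keys: 64-bit view, 32-bit (WOW6432Node) view, and the current user
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }            # skip provider metadata (PSPath etc.)
            if ("$($p.Value)" -like "*$Pattern*") { & $add "Registry $key" $p.Name $p.Value }
        }
    }

    # 2. Scheduled tasks: match on the executable or its arguments
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($a in $task.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            if ($cmd -like "*$Pattern*") { & $add "Task $($task.TaskPath)" $task.TaskName $cmd }
        }
    }

    # 3. Services: the binary path as registered with the service control manager
    foreach ($svc in Get-CimInstance Win32_Service) {
        if ("$($svc.PathName)" -like "*$Pattern*") { & $add 'Service' $svc.Name $svc.PathName }
    }

    # 4. Startup folders (per-user and all-users); shortcuts are resolved to their target
    $shell = New-Object -ComObject WScript.Shell
    foreach ($dir in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
        foreach ($f in Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue) {
            $target = $f.FullName
            if ($f.Extension -eq '.lnk') {
                $lnk = $shell.CreateShortcut($f.FullName)
                $target = "$($lnk.TargetPath) $($lnk.Arguments)"
            }
            if ($target -like "*$Pattern*") { & $add "Startup folder $dir" $f.Name $target }
        }
    }

    # 5. WMI permanent event consumers: persistence stored in the WMI repository, not on disk
    Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue |
        Where-Object { "$($_.CommandLineTemplate)" -like "*$Pattern*" } |
        ForEach-Object { & $add 'WMI consumer' $_.Name $_.CommandLineTemplate }

    return ,$hits
}

$found = Find-AutostartReference
if ($found.Count -eq 0) { "No autostart entry references the pattern." }
else { $found | Format-Table -AutoSize }
```

A clean result from this list does not prove there is no loader (a browser extension, as Kevin suspects, or a driver would not appear here), but it rules out the locations most quickly checked by hand and tells you where to look next.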

Thanks for those logs, are you saying that the infection still returns after TDSSKiller has deleted found entries...?

Let me see more logs please..

Download PowerTool and save to your Desktop, ensure to get the correct version:

PowerTool for 64-bit systems >> https://malwarebytes.box.com/s/vnp2jdko58ww33bxabbm8zu9764u0tlh

PowerTool for 32-bit systems >> https://malwarebytes.box.com/s/f0bsa1nuzjv994neyzbtrti1au0s98yx

Please follow the instructions below:

Right click on PowerTool, select "Run as Administrator"

Windows 8/8.1/10 users may see the following; if so, select "More Info"

In the next window select "Run Anyway"

Initially click on the square image to enlarge the window to full screen (as shown in the image below)
Now click on the Kernel tab (No. 1 on the image below)
Then click on Kernel Notify Routine (No. 2 on the image below)
Also click on Path so you sort the list by name (No. 3 on the image below)

Right click anywhere on the listed items under Path (No. 4 on the image above) and select Export.

Save the exported file to your Desktop, zip up that file and attach it to your reply....

Next,

Run FRST one more time; ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan". Select Scan; when done, post the new logs "FRST.txt" and "Addition.txt".

Thank you,

Kevin...


Again, no conclusive information from those logs.. I asked you earlier about this software: SMADAV version 12.4.1. I assume from your reply that you know of that software and trust it...?

I see from FRST logs that SMADAV starts at boot...

HKLM-x32\...\Run: [SMΔRT-Protection] => C:\Program Files (x86)\Smadav\SMΔRTP.exe [1973328 2019-06-12] (Smadsoft) [Fichier non signé]

I also see from Addition.txt log that Windows Defender has flagged that software as malicious

Date: 2019-07-14 17: 05: 00.654
Description:
Antivirus Windows Defender has detected malicious or potentially unwanted software.
For more information, see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Worm:VBS/Jenxcus&threatid=2147683717&enterprise=0
Name: Worm: VBS / Jenxcus
ID: 2147683717
Severity: Serious
Category: Ver
Path: file: _D: \ VEFLSQM
Origin of detection: Local computer
Type of detection: Concrete
Detection source: Real-time protection
User: ENAUZENBOOK \ Binfo
Process name: C: \ Program Files (x86) \ SMADAV \ SMΔRTP.exe
Version of the signature: AV: 1.297.993.0, AS: 1.297.993.0, NIS: 1.297.993.0
Engine version: AM: 1.1.16100.4, NIS: 1.1.16100.4
 
When did you install that software..?
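The FRST line above shows SMΔRTP.exe starting from the 32-bit Run key as an unsigned file, and the Addition.txt extract shows Defender naming that same process in a detection. The PowerShell below is an added example, not part of Kevin's instructions or of any Malwarebytes tool. It lists Defender's recorded detections through the Defender module's Get-MpThreatDetection and Get-MpThreat cmdlets and reports the Authenticode status of each detecting process, so that an unsigned process tied to a detection stands out in one table. The function name Get-DefenderDetectionReport and the 'ProcessPathUnavailable' label are my own; the script assumes Windows 10 with Defender and its PowerShell module present.

```powershell
# Added example (not from the thread): Defender detection history joined with the
# Authenticode status of the process that triggered each detection.
function Get-DefenderDetectionReport {
    # Get-MpThreatDetection carries the process, user and resources; the threat name
    # lives on Get-MpThreat, so join the two on ThreatID (cast to string for a stable key).
    $names = @{}
    foreach ($t in Get-MpThreat) { $names[[string]$t.ThreatID] = $t.ThreatName }

    foreach ($d in Get-MpThreatDetection) {
        $proc = [Environment]::ExpandEnvironmentVariables("$($d.ProcessName)")
        # Status values include 'Valid', 'NotSigned' and 'HashMismatch'; a process Defender
        # reports as 'Unknown' or that no longer exists on disk gets my own placeholder label.
        $sig = if ($proc -and (Test-Path -LiteralPath $proc)) {
                   (Get-AuthenticodeSignature -LiteralPath $proc).Status
               } else { 'ProcessPathUnavailable' }
        [pscustomobject]@{
            Time      = $d.InitialDetectionTime
            Threat    = $names[[string]$d.ThreatID]
            Resources = ($d.Resources -join '; ')
            Process   = $proc
            ProcSig   = $sig
            User      = $d.DomainUser
        }
    }
}

Get-DefenderDetectionReport |
    Sort-Object Time -Descending |
    Format-Table Time, Threat, Process, ProcSig, Resources -AutoSize -Wrap
```

Read the ProcSig column alongside the Process column: a 'NotSigned' status on a process that repeatedly appears as the detecting process is the same fact FRST expresses as "[Fichier non signé]", and is worth asking about before trusting the program, which is exactly the question Kevin puts to the user here.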

If you have no remaining issues or concerns, continue to clean up:

Uninstall the following programs:

Zemana
HitmanPro


http://www.askvg.com/how-to-completely-uninstall-remove-a-software-program-in-windows-without-using-3rd-party-software/

Next,

The following are Portable and can be deleted from where they were saved:

Malwarebytes Anti-Rootkit
TDSSKiller
PowerTool


Also open the C:\ drive; any log files created by TDSSKiller can be deleted..

Next,

Right click on FRST here: C:\Users\Binfo\Downloads\Programs\frst\FRST64.exe and rename it to uninstall.exe. When complete, right click on uninstall.exe and select "Run as Administrator"

If you do not see the .exe appended that is because file extensions are hidden, in that case just rename FRST64 to uninstall

That action will remove FRST and all created files and folders...

Next,

Remove all System Restore Points: https://www.tenforums.com/tutorials/33593-delete-system-restore-points-windows-10-a.html#option2

Create clean fresh Restore Point: http://www.thewindowsclub.com/create-system-restore-point

Run Windows Disk Clean Up Utility - https://neosmart.net/wiki/disk-cleanup/

From there you should be good to go...

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin...
