Jump to content
Due to inclement weather in Southwest Florida, our Clearwater support team is offline. Our other offices are available to assist you, however their responses may be delayed. We appreciate your patience and understanding during this time. ×

Trojan.Script.Agent.bg infection?


jklcpa
 Share

Recommended Posts

I may be infected with a trojan. 

When I open my internet browser, my AV program blocks a forum for business professionals, its headers, footers, etc, and I am not even trying to access this site.  I get the same messages and blocking when I do try to visit the site, and other professionals I've spoken with are not having this issue.

I'm using the premium version of Malwarebytes and have run scans in it and my AV program. Both show no threats but Kaspersky shows "detected object (file) cannot be disinfected in its report that appears to be the web address of the forum.

In addition to the required reports, I've included the Kaspersky report of detected objects and also the detailed report of activity for the last 24 hrs.  On that detailed report, it appears that something happened at 17:43:11 pm this afternoon that says suspicious activity was allowed, and I definitely did not allow this.

Please help!

Addition.txtFRST.txtMalwarebytes scan report.txtDetected objects.pdfDetailed AV report-last 24 hrs.txt

Link to post
Share on other sites

Hi, 

My name is Maurice. I will be helping and guiding you, going forward on this case.

Please follow my directions as we go along.  Please do not do any changes on your own without first checking with me.

If you will be away for more than 3 consecutive days,  do try to let me know ahead of time, as much as possible.

 

Please only just attach   all report files, etc  that I ask for as we go along.

 

[ 1  ]

Malwarebytes for Windows should be upgraded to the very latest version 3.8.3.

Before you start, Close all other opened windows that are open in the foreground.

 

Start Malwarebytes.
Click Settings.

Then scroll back up to "Application Updates"
click the grey button "Install Application Updates".

 

[  2  ]

Let’s start by doing a new thorough scan with Malwarebytes for Windows.   The goal is to see whether there is an infection or P U P.

 

Let's do one new run with Malwarebytes for Windows.

Start Malwarebytes.

Click Settings. Click Protection tab & scroll down to Scan options.

On the section "Potential Threat Protection"
look down at the one "Potentially Unwanted Programs (PUPs)" look and make sure it is set to
"Always detect PUPS ".

and

look down at the one "Potential Unwanted Modifications (PUM)" look and make sure it is set to
"Always detect PUM ".

and
scroll all the way down to the section Automatic Quarantine
On the line "Automatically quarantine detected malware" be sure it is ON



Then once all set there, click on SCAN button
Then insure Threat scan has a check mark. Then click Start scan.
Review the results list.
Then I would suggest you make sure all lines have a check mark

To that end, if you click the very top left checkbox you can force all detected lines ( if any are detected)  to be selected for removal. Be sure each line is checked.

image.png.7df17bc3089a751798950d5e43c0e742.png



Then you can proceed to click on the blue button Quarantine selected.


In Malwarebytes.
Click the Reports button ( on the left )
Look for the "Scan Report" that has the most recent Date and time.

When located, click the check box for it and click on View Report.
Then click the Export button at the bottom left.
Then select Text File (*.txt)

Put in a name for that file and remember where the file is created.

Then attach that file with your next reply 

 

 

Follow all prompts and let it apply the new version.



Link to post
Share on other sites

Thank you for that report.  That is fine.

 

I  would suggest to download, Save, and then run Malwarebytes ADWCLEANER.

Please close Chrome and all other open web browsers after you have saved the Adwcleaner and before you start Adwcleaner scan.

Version 7.4 of Adwcleaner  detects factory Preinstalled applications too!

I  encourage you to take a look at the announcement blogpost to learn more this new detection category: https://blog.malwarebytes.com/malwarebytes-news/2019/07/your-device,-your-choice:-adwcleaner-now-detects-preinstalled-software/.

 

Please download  Malwarebytes AdwCleaner  https://downloads.malwarebytes.com/file/adwcleaner
 

Be sure to Save the file first, to your system.  Saving to the Downloads folder should be the default on your system.

 

Go to the folder where you saved Adwcleaner. Double click Adwcleaner  to start it.

At the prompt for license agreement, review and then click on I agree.

 

You will then see a main screen for Adwcleaner. ( if you do not see it right away, minimized the other open windows, so you can see Adwcleaner).

Then click on Dashboard button.

Click the blue button "Scan Now".

 

allow it a few minutes to finish the Scan.   Let it remove what it finds.

NOTE:  When it comes to the section "

Pre-installed applications

 

You can skip that.

Please find and send the Adwcleaner "C" clean report.

In Adwcleaner, click the "Reports" button.  Look at the list of reports for the latest date & type "Clean".

Double Click that line & it will open in Notepad.   Save the file to your system and then Attach that with your reply.

Thanks.  Keep me advised.

 

Link to post
Share on other sites

Thanks for the Adwcleaner run report.   There were no malicious items reported.

As far as Adwcleaner & Preinstalled Software  it does appear you did ok.   I do not see removals for pre-installed software for Dell, Lenovo.

 

Which :program was the one that produced the "Detected objects"   ?   and which web browser was in use ?

It seems to me that was all about a few JS  javascript files from forum.thetaxbook.com

 

You should delete all Cache files & browser History in all of your web browsers.

 

Other suggestions, for Chrome, while Chrome is running:
Press & hold SHIFT+CTRL+Del keys  on keyboard to get menu for clearing browsing data:

Check mark the line  "Browsing history"

Check mark the line "Download history"

Check mark the lined "Cached images and files"
and press Clear Data button  ( in blue )

 

In most all other web browsers,  when they are Open,  you may use the same shortcut Keys to begin the Broswer cleanup.   One browser at a time, that is.

Press & hold SHIFT+CTRL+Del keys  on keyboard to get menu for clearing browsing data:

 

Link to post
Share on other sites

Firefox browser & no other programs were open at that time. Immediately prior to this I had just finished deleting the cache and history using the function built into Firefox in the "Options" section and I also then deleted the history/cache using the Control Panel.  I was going to reboot but then remembered one more thing to do online, and as soon as I reopened the browser and my Comcast home page was still loading, Kaspersky said it blocked an attempt to access a malicious website that is a forum for tax preparers run by a company as an adjunct site to their research materials. It also blocked some sort of download attempts and about 14-15 other items that all referenced that company's website's address.

I did not attempt to access that site at all, and I haven't visited that site in months. That is what I thought was strange, and at first I thought it was a bookmark causing the issue because of the web address that appeared so I deleted the bookmark, again deleted cache & history, exited out of the browser, and rebooted the machine. I started looking at AV reports and saw these 2 line entries on a Kaspersky report on 9/27 at 9:43 pm that says this that I think are the first time this all happened:

Quote

27.09.2019 21.43.11    Suspicious action was allowed    Internet Control Panel    Action: Use browser command line    Application: Internet Control Panel    Application path: C:\Windows\System32\inetcpl.cpl    Time: 9/27/2019 9:43 PM
27.09.2019 21.43.11    Suspicious action was allowed    Internet Control Panel    Action: Use browser command line    Application: Internet Control Panel    Application path: C:\Windows\System32\inetcpl.cpl    Time: 9/27/2019 9:43 PM

 

Deleting cache & rebooting did not help and all and the same 14-16 warnings from Kaspersky happened 2 more times yesterday as soon as I opened the Firefox browser without any other action on my part other than starting Firefox. 

I'm also seeing a lot of activity on Kaspersky yesterday around lunchtime related to driver updates and trusted applications, and I'm not sure about some of it.  I don't know why there are *.exe files in there, including ThunderboltRegModule and other things I don't recognize. They could be legit; I'm sorry but I'm not knowledgeable enough to be sure.

After speaking with a fellow tax preparers that were using the tax forum without any issues, I did try to access that site and all the warning bells started again with Kaspersky blocking me and blocking some sort of download attempts.

Link to post
Share on other sites

The cautionary notes / messages / or warnings from Kaspersky may be false positives.

If the Kaspersky warnings  ( same ones ) keep repeating, then you should contact Kaspersky support.  I am presuming you have a Kaspersky license.

 

You deleted the Cache on Firefox and that is a important thing.   A very good thing to do.

On Firefox, you want to be sure that it does not re-load the prior page .....  if and when  the Firefox crashes.

One wants Firefox to just start on either a blank page  or a regular page of your own choice.

 

This pc now has the latest Version for Malwarebytes for Windows.   And its last scan found no malware.

 

For the long term,  I would like to see this pc get current with Microsoft Windows Update & get updated to build 1903   ( at least ) or else to the  upcoming fall build 19H2   ( the later not yet released).

But for now, you should do a different virus scan, just to get another opinion.

 

I would suggest a free scan with the ESET Online Scanner
Go to https://www.eset.com/us/home/online-scanner/

Look on the right side of the page.  Click Scan Now
It will start a download of "esetonlinescanner_enu.exe"
Save the file to your system, such as the Downloads folder, or else to the Desktop.

Go to the saved file, and double click it to get it started.
When presented with the initial ESET options, click on "Computer Scan".

Next, when prompted by Windows, allow it to start by clicking Yes

When prompted for scan type, Click on Full scan
Click on the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click on Start scan button.

Have patience.  The entire process may take an hour or more. There is an initial update download.
There is a progress window display.
You should ignore all prompts to get the ESET antivirus software program.   ( e.g.  their standard program).   You do not need to buy or get or install anything else.

When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.

Click The blue “Save scan log” to save the log.

If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files”  ( in blue, at bottom).

Press Continue when all done.  You should click to off the offer for “periodic scanning”.

 

 

Link to post
Share on other sites

Firefox hasn't crashed, and I changed browser home page to a blank tab.  I also updated Win10 to v. 1903 as suggested.  Thank you!

The ESET screen looked a little different than described and "scan" was not presented at the right side. I ran the ESET online free scan, not the trial version.  Did I choose the correct one, and if not, is the one I ran adequate?  It found one item to clean that was a driver navigator listed as a potentially unwanted application. Nothing else.  Log is attached.

When we are finished I have a question about why MBAM wasn't notifying me that an update was available.  All of my other programs are set to update automatically, and MBAM was set to notify me whenever an update was available but from the logs, it looks like Kaspersky was blocking that function. I now have MBAM set to update automatically, and Kaspersky shows the current MBAM version as "trusted", but this isn't the first time my MBAM wasn't up-to-date, so when we are finished I'd like to add the MBAM updater function to Kaspersky's exclusion list...if you think that is wise.  I don't know what that file or app is called to add it myself.  Can we revisit this later?

ESET scan log 9-30-19.txt

 

Link to post
Share on other sites

Thanks for the ESET scan log report.  You did well.

You can Delete the ESET file that you downloaded.

 

and, it is very good to know that this pc does now have Windows 10  Build 1903.    Bravo.

 

Could not know why a Malwarebytes update notice would not show, or more likely, it showed but then got pushed back behind other screens of other running programs.  Sometimes that is what happens when there are multiple open, active windows.

 

To set exclusions for Malwarebytes in Kaspersky please do the following:

# Open Kaspersky 
# Click the Settings button on the bottom left (looks like a cog/gear)
# Click *Additional*
# Click *Threats and Exclusions*
# Click *Specify Trusted applications*

image.png.2905ac52c169f703b9658da05c870a9d.png

 

In the new window that pop up click *Add* at the bottom right
Under *File or folder* click *Browse*
Navigate to the following folder (or your install location for Malwarebytes if it's different from the default location):
 C:\Program Files\Malwarebytes\Anti-Malware
Click Select
Make sure that ALL Protection components are selected and the Status is Active
Click Continue on the Confirmation popup


As an add precaution you will also want to disable Advanced Disinfection.

image.png.dcbf12bf312fe89324c534fb94f0d90e.png
.


Open Kaspersky 
Click the Settings button on the bottom left (looks like a cog)
Click *Additional*
Click *Threats and Exclusions*
*Uncheck* the box next to *Enable Advanced Disinfection technology*


When all done, use the Windows Start menu and do a Restart.

Your Kasperky trusted applications should look like this


image.png.a6a43de5aca518e841a302bbb8bc35d3.png

 

Afterwards,   do a windows Restart, and allow system time to settle in .

 

Let me know if you need something else at this point.

Sincerely,

Link to post
Share on other sites

Fwiw, I do think Kaspersky was blocking something malicious from that tax forum.  As of this morning, that forum was inaccessible and shut down without explanation, and none given when I called the company.

Thanks for all of the explanations and help with adding MBAM as a trusted app.  I think I have Kaspersky all set.  I did have two more files than you showed. One is a .dll file, and the other is the setup file in C:\WindowSysWOW64.  Should I include those also?

20190930_183537.thumb.jpg.b1b78fd0badcef27e335e3c32ae7b401.jpg

There was one other file in the Malwarebytes Anti-Malware subdirectory that was for the Adware cleaner that you had me download.  I didn't include that either.  Should I?  I planned to delete that and the ESET freeware when we are done and when you are satisfied that my machine is clean.

I also think Kaspersky was blocking the MBAM update because I can see several hundred (more than 300) instances of these entries on 9/23 and 9/24 where the MBAMService.exe was being blocked.  That activity stopped and I don't know why there either.  Was the latest version released on 9/23?

20190930_192247.thumb.jpg.20b81b3d247afdf077d2063dbb7a7f56.jpg

Link to post
Share on other sites

The 2 files you mentioned & highlighted in the exclusions area ....that is fine.

 

You do have MBAMservice excluded so that I would not expect that Kaspersky will casue the same false blocks, like before.

No, you do not need to set any exclusion for the Adwcleaner.

 

You can do a new scan with Malwarebytes for Windows.  And then as long as the result is all good, we can then wrap up this case.

 

I do have 2 other tips:

[  1  ]

See this article on our Malwarebytes Blog
https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

 

You want to disable the ability of each web browser on this machine from being able to allow "push ads". That means Chrome, Firefox, or Edge browser (on Windows 10), or on Opera.

Scroll down to the tips section "How do I disable them".

 

[  2  ]

I suggest you install the Malwarebytes Browser guard on to Chrome browser.

To get & install the Malwarebytes Browser Guard extension for Chrome,

 

Open this link in your Chrome browser: https://chrome.google.com/webstore/detail/malwarebytes/ihcjicgdanjaechkgeegckofjjedodee

 

Then proceed with the setup.

Sincerely,

Maurice

Link to post
Share on other sites

Hi Maurice,

I ran scans in both MBAM and Kaspersky and didn't find any threats.  I feel more confidence in my machine again and will continue to monitor the AV reports and activities.  Thank you for the help and your patience!

At your suggestion, all notifications are turned off other than those coming from my anti-virus softwares or windows itself.

I'll take a look at the browser guard in more depth and decide whether or not to install that for Chrome.  My use of Chrome is extremely limited and installed for only two sites that won't accept Firefox:  one is a secure IRS site and the other for Rx drug insurance to pay its premium and to order medicines. Knowing that, do you still feel the browser guard is needed?

What about the browser guard for Firefox? 

Link to post
Share on other sites

Thank you for the information on the scan results.   Happy to know they reported no threats.

The Malwarebytes Browser Guard for Chrome  is recommended because it does provide additional direct browser protection.

https://forums.malwarebytes.com/topic/250998-introducing-malwarebytes-browser-guard/

 

Yes, there is a separate Malwarebytes Browser Guard for Firefox

https://addons.mozilla.org/en-US/firefox/addon/malwarebytes/

 

I am glad to have helped.   If you need something else, do let me know.

 

It is not enough to just have a security program installed. Each pc user needs to practice daily safe computer and internet use.

 

Best  practices & malware prevention:
Follow best practices when browsing the Internet, especially on opening links coming from untrusted sources.
First rule of internet safety: slow down & think before you "click".

Never click links without first hovering your mouse over the link and seeing if it is going to an odd address ( one that does not fit or is odd looking or has typos).


Free games & free programs are like "candy". We do not accept them from "strangers".


Never open attachments that come with unexpected ( out of the blue ) email no matter how enticing.
Never open attachments from the email itself. Do not double click in the email. Always Save first and then scan with antivirus program.
 

 

Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed.
Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next".

Use a Standard user account rather than an administrator-rights account when "surfing" the web.
See more info on Corrine's SecurityGarden Blog http://securitygarden.blogspot.com/p/blog-page_7.html
Dont remove your current login. Just use the new Standard-user-level one for everyday use while on the internet.

 
Do a Windows Update.

Make certain that Automatic Updates is enabled.
https://support.microsoft.com/en-us/help/12373/windows-update-faq




Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

For other added tips, read "10 easy ways to prevent malware infection"

.

Sincerely,

Maurice

 

Edited by Maurice Naggar
update link for Firefox Browser Guard
Link to post
Share on other sites

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.