Jump to content
putontheglasses

Trojan exploit removal help

Recommended Posts

I'm asking for help to remove an exploit that Malwarebytes is blocking but doesn't remove. I've attached the log files generated from Malwarebytes to this post.

This exploit affects Google Chrome and tries to force opening chrome to open a hacked chromium browser that has been removed from the system. The problem is that when Malwarebytes blocks the exploit, it prevents me from being able to open Chrome.  I've tried uninstalling and reinstalling Chrome multiple times while also being sure to remove all Chrome system files but that doesn't help. I think the exploit is in heap memory according to the logs anyway, not in Chrome files.

Thanks ahead of time for any help.

detailed_log.txt log.txt

Share this post


Link to post
Share on other sites

Hi,  :welcome:

My name is Maurice. I will be helping and guiding you, going forward on this case.

Please follow my directions as we go along.  Please do not do any changes on your own without first checking with me.

If you will be away for more than 3 consecutive days,  do try to let me know ahead of time, as much as possible.

 

Please only just attach   all report files, etc  that I ask for as we go along.

.

The event logs you provided is about a Malicious Memory Protection  event on October 3.

You do not mention if it has repeated since then.


We need to get additional, current   information from this machine in order to have the proper detail to help you forward.
 NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

    Download Malwarebytes Support Tool
    
    
    Once the file is downloaded, open your Downloads folder/location of the downloaded file
    Double-click mb-support- 1.5.1.681.exe to run the report
        You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
        
    Place a checkmark next to Accept License Agreement and click Next
    You will be presented with a page stating, "Get Started!"

    Do NOT use the button “Start repair” !
    Click the Advanced tab on the left column
    
    Click the Gather Logs button
    
    A progress bar will appear and the program will proceed with getting logs from your computer
   
    Upon completion, click a file named mbst-grab-results.zip will be saved to your Desktop. Click OK
    Please attach the ZIP file in your next reply.

 

Thank you.

 

Share this post


Link to post
Share on other sites

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks

 

Share this post


Link to post
Share on other sites

Hello.

I have received the support tool report.  Thanks.

Early on you had mentioned issue(s) related to Chrome.   Let's do what follows.

[  1   ]

Start Chrome.     Let us delete the cache in Chrome.


Press & hold SHIFT+CTRL+Del keys  on keyboard to get menu for clearing browsing data:

Check mark the line  "Browsing history"

Check mark the line "Download history"

Check mark the lined "Cached images and files"
and press Clear Data button  ( in blue )

 

[   2   ]

Let's do one other scan just in case, for a fresh new opinion.   It should only take a few minutes.  Be sure to Close all web browsers before pressing "scan button".

Run a scan with Malwarebytes for Windows.
Start Malwarebytes from the Start menu.

Click Settings. Then click the Protection tab.
Scroll down and lets be sure the line in SCAN OPTIONs for "Scan for rootkits" is ON
Click it to get it ON


Click the SCAN button.
Select a Threat Scan ( which should be the default).

When the scan phase is done , IF any items are taggedbe real sure you Review and have all detected lines items check-marked on each line on the left. That too is very critical.

Then click on Quarantine selected.

 

When that is completed, kindly send the report.
In Malwarebytes.
Click the Reports button ( on the left )
Look for the "Scan Report" that has the most recent Date and time.

When located, click the check box for it and click on View Report.
Then click the Export button at the bottom left.
Then select Text File (*.txt)

Put in a name for that file and remember where the file is created.

Then attach that file with your reply. Thank you.

 

Share this post


Link to post
Share on other sites

Thanks for the additional help. I am unable to open Chrome on this machine because Malwarebytes blocks the exploit which prevents chrome from opening (the exploit attempts to redirect the action to open Chromium which isn't installed).

If I uninstall Chrome and reinstall it, I may be able to open it before I reboot. Should I reinstall Chrome, and then follow the steps listed?

I won't be able to do the additional scan or the rest until tomorrow as the computer is at work

Share this post


Link to post
Share on other sites

At this time, do NOT uninstall the Chrome browser.   If you cannot really start Chrome, skip down to the next suggestion to do the SCAN with Malwarebytes !

This machine has a kovter pest infection.  It is paramount that you run the scan with Malwarebytes just exactly as I listed before.

That is the prime immediate goal.   We likely will have to do additional scans after that.

.

The Chrome browser can be started in its "safe" mode.

You can force Chrome to start in reduced mode, called Incognito mode, by putting a parameter at startup.
First, close any prior instances of Chrome via Task Manager.
Then press Windows-key+R for the RUN option and then put a command line similar to this {do use COPY & PASTE}

chrome.exe -incognito



Starting Chrome in Incognito mode may work for you, and allow you to make "changes" or tweaks in it.
Note also, Incognito mode is also an option in the Chrome menu {as long as it can start}.

.

To recap again, the Malwarebytes scan is the most pressing thing that needs to be completed.   That should only take something like less that 20 minutes.

Lets get that done & then have you attach a copy of that scan log.   I appreciate you advising that this machine is at work.   I'd appreciate your making addressing these issues as a top priority.

Also, for your attention, when I list a set of steps,  my intent is to do all of the steps.   To keep going down the list and do each thing.   Unless I mention explicitly mention otherwise.

 

I also need for you to run this next report, after you finish the Malwarebytes scan.

I would like to have you run a report tool known as FRST. This has no personal information. It is a well-known & widely used &safe.
FRST will help provide me with a list of installed programs and other information about your computer that will help me see if there are any other problems that are not being detected. Please follow the steps below to run FRST.


1: Please download FRST64  report tool   from the link below and save it to your desktop:


"Download link for 64-Bit Version Windows"

Please wait and look toward the top or bottom of your browser for the option to Run or Save.
Click Save to save the file  and save it to the DOWNLOADS folder.

 

After it is saved, open Windows Explorer and go to the Downloads folder.   You should see FRST64  there.

Run report with FRST64

Right-click on FRST icon and select Run as Administrator to start the tool , and reply YES to allow it to proceed and run.

Click YES when prompted by Windows U A C prompt to allow it to run.
Note: If you are prompted by Windows SmartScreen, click More info & followup & choose Run anyway.


Approve the Windows UAC prompt on Windows Vista and newer operating systems by clicking on Continue or Yes. 

Click Yes when the* disclaimer* appears in FRST.
The tool may want to update itself - in that case you'll be prompted when the update is completed and ready to use.

Make sure that Addition options is *checked* - the configuration should look exactly like on the screen below (do not mark additional things unless asked).
Press Scan button and wait.





The tool will produce 2  logfiles on your desktop: FRST.txt , Addition.txt 
Click OK button when it shows up. Close the Notepad windows when they show on screen. The tool saves the files.

Please attach these 2 files to your next reply.

Thank you.

Regards.

Share this post


Link to post
Share on other sites

Hi again.   I have one additional task for you, after you have completed the other stuff I sent in my preceding reply.

This one is a custom cleanup task, customized from data collected / reported in Malwarebytes log.

This is a text file that I am attaching here named DEL-DO.txt.   I need for you to SAVE it to your DOWNLOADS folder or else, to the DESKTOP.

RIGHT-click on DEL-DO.txt  that you see and do a SAVE  AS   from the menu-list displayed.   Guide it to be saved to the DOWNLOADS folder.

Our goal is to get that file onto your system saved AS-IS

 

After it is saved to your system,  go to that folder  using your Windows Explorer.

Then with your mouse pointer, do a RIGHT-click with mouse and pick RENAME

then rename it to DEL-DO.reg

 

Once that is done, use your mouse pointer on that file and select MERGE

We want that to proceed and get it merged into the registry so that it deletes 2 values.  You want to reply YES to let it run.  You want to reply YES to allow it to merge.

Keep me advised about all this.   If you have questions, let me know.   Have patience.  Have faith.

DEL-DO.txt

Share this post


Link to post
Share on other sites

Good afternoon.   I was truly hoping to hear from you today.   How is it going ?

The run of FRST will not take much time.   and the run of the custom DEL-DO  will be very quick.

Looking forward to hear about all that.

Sincerely,

Share this post


Link to post
Share on other sites

I'm pretty sure I got it removed. Just needed to do a configured scan with rootkit selected and it removed the offending trojan. You can close this as resolved. Thanks!

Share this post


Link to post
Share on other sites

I do appreciate your having let us know.   Good to know the scan has resolved the situation.

 

It is not enough to just have a security program installed. Each pc user needs to practice daily safe computer and internet use.

 

Best  practices & malware prevention:
Follow best practices when browsing the Internet, especially on opening links coming from untrusted sources.
First rule of internet safety: slow down & think before you "click".

Never click links without first hovering your mouse over the link and seeing if it is going to an odd address ( one that does not fit or is odd looking or has typos).


Free games & free programs are like "candy". We do not accept them from "strangers".


Never open attachments that come with unexpected ( out of the blue ) email no matter how enticing.
Never open attachments from the email itself. Do not double click in the email. Always Save first and then scan with antivirus program.
 

 

Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed.
Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next".

Use a Standard user account rather than an administrator-rights account when "surfing" the web.
See more info on Corrine's SecurityGarden Blog http://securitygarden.blogspot.com/p/blog-page_7.html
Dont remove your current login. Just use the new Standard-user-level one for everyday use while on the internet.

 
Do a Windows Update.

Make certain that Automatic Updates is enabled.
https://support.microsoft.com/en-us/help/12373/windows-update-faq




Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

For other added tips, read "10 easy ways to prevent malware infection"

All best wishes to you.

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.