Installed Program Containing Viruses

I was downloading a cracked Minecraft launcher off of Shiginima (which many places say is a safe website) but once I clicked download it didn't even download the launcher and just gave me a bunch of PUPS and PUMS, plus 7 threats. I immediately scanned with Malwarebytes and I promptly quarantined all of which it detected. After a restart I scanned again and it still found 7 PUPS, so I got rid of those too. I am doing a full custom scan now and so far it has had 1 more detection. Now that I look back on this I see I was being very stupid and just shouldn't have trusted the sketchy download.

Anyway, the reason I am making this post is so I can make sure there are no keyloggers or anything that could be a potential security breach for the passwords being used on this PC. I'm changing them all anyway on a different computer, but I just want to make sure here. Greatly appreciated for anyone who helps in replies.

list.txt list2.txt


Hi, :welcome:
My name is Maurice. I will be helping and guiding you, going forward on this case.
Let me know what first name you prefer to go by.

 

Thanks for the Malwarebytes scan reports. Please know that Malwarebytes for Windows does detect malicious keyloggers.

Please follow my directions as we go along. Please do not make any changes on your own without first checking with me.
If you will be away for more than 3 consecutive days, do try to let me know ahead of time, as much as possible.

Please only attach the report files, etc. that I ask for as we go along.

I would suggest you download, save, and then run Malwarebytes AdwCleaner.
Please close Chrome and all other open web browsers after you have saved AdwCleaner and before you start the AdwCleaner scan.
AdwCleaner detects factory preinstalled applications too!

Please download  Malwarebytes AdwCleaner  

https://downloads.malwarebytes.com/file/adwcleaner


 
Be sure to save the file first, to your system. Saving to the Downloads folder should be the default on your system.

Go to the folder where you saved AdwCleaner. Double-click AdwCleaner to start it.
At the prompt for the license agreement, review it and then click on I agree.

You will then see a main screen for AdwCleaner. (If you do not see it right away, minimize the other open windows so you can see AdwCleaner.)
Then click on the Dashboard button.
Click the blue button "Scan Now".

Allow it a few minutes to finish the scan. Let it remove what it finds.
NOTE: When it comes to the section "Pre-installed applications", you can skip that.

Please find and send the AdwCleaner "C" clean report.
In AdwCleaner, click the "Reports" button. Look at the list of reports for the latest date & type "Clean".
Double-click that line & it will open in Notepad. Save the file to your system and then attach that with your reply.

That C clean report will be the one with the most recent Date and time at folder  C:\AdwCleaner\Logs
Thanks.  Keep me advised.
 


Your instructions to get the log report seemed to be a little different for how the program layout appeared to me, but when the scan finished there was just a button that allowed me to get the report I believe you were asking for. It found a couple more things which I put into quarantine. Also the deep scan I was talking about before (which didn't finish as of when I sent the main message for this thread) also found a generic malware which was located in the cache files in my Google Chrome. Don't know if that is to try to get my passwords, but I already changed them on another computer and have not logged back in on the infected PC. First file is the report from the deep scan and the second file will be the report from AdwCleaner. Thanks for responding to this thread so fast as well!

list3.txt malwarelist.txt


Hello,

I apologize for not clarifying in my first response but you can call me Josh. I just wanted to notify you of an odd occurrence last night while I was doing another full custom scan in the entirety of C drive including the rootkit option. I still had my internet on at the time and was in chrome, but while the scan was happening my computer kept freezing for around 5 seconds in about 30-60 second intervals. I believe (if my memory is correct) hovering my mouse over an application in my taskbar still gave a responsive animation, but during those 5-10 seconds of freeze time I was unable to open any programs. To clarify “unable to open any programs” I do not mean open programs that were not running yet (although this would also of course be true during the freeze) but I was not able to switch my view to let’s say Chrome to Malwarebytes (or even the desktop) nor get any functionality out of the program which was currently being viewed during a freeze. If I remember right I believe chrome gave the “not responding” message on the top of the screen a couple times but Malwarebytes did not ever give this message when the computer froze.
 

I would have just chalked up these short freezes to the intensive scan, but it was happening a little too much and it started to appear slightly sketchy (probably just my paranoia though). However, just as I decided to unplug my ethernet (no WiFi on my motherboard or via a dongle by the way) as a precautionary measure due to my worries, I heard 4 beeps in my headset. It stopped as the ethernet was unplugged (sounded like the beeps you hear when Morse code is being sent haha). The computer appeared to stop freezing as frequently too once the ethernet got unplugged and Chrome was closed. I know Windows can make beep sounds for various reasons but I am not really sure what to make of the situation described from last night, or what the beeps would mean in this particular instance if Windows initiated it. Just felt sketchy, but it could have just been a series of events which coincidentally happened one after another which made for a suspicious situation. Four hours after it began, the scan finished and came up with 0 detections. What do you think about this?

Also would like to clarify after I started my computer up today I have kept it in safe mode with networking drivers enabled but have not plugged the Ethernet back in and don’t really intend to until we can determine I am clean of any more malware. I Initiated one more full custom scan 2 hours ago like I did last night for good measure. I’m not sure if I said it yesterday but all important account passwords were changed and I have not logged into said accounts on my PC. The only thing I actually did log into on my PC yesterday was the account I made for this forum, but I am making these posts from a mobile device now especially since the internet is off for the PC. Anyhow, that’s about it for new information. Have a good day and much thanks for any future help I will receive from you!

 


Thank you for the reports above.

Malwarebytes for Windows only tagged 1 item that was in the cache of the Chrome browser. It did not detect any active malware.

I do hope that we are only looking at one machine so far.  Your mentioning other machines can get me confused.   Let us only just work on the first PC  that got this started.

We do need to have an internet connection on this machine in order to properly run scans.

Otherwise, you will need to do downloads on a clean machine  & save to a USB-thumb drive & then take that to the "suspect" machine & copy that down to it.

I cannot tell you what the "freezes" or "program not responding" are all about ......except to say that it can happen on any machine running Windows.

 

Chrome was flagged before, so let's get it "beefed up" a bit more securely.

See this article on our Malwarebytes Blog
https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/


  
You want to disable the ability of each web browser on this machine from being able to allow "push ads". That means Chrome, Firefox, or Edge browser (on Windows 10), or on Opera. 
Scroll down to the tips section "How do I disable them". 

I suggest you install the Malwarebytes Browser guard for Chrome. 
To get & install the Malwarebytes Browser Guard extension for Chrome, 
  
Open this link in your Chrome   browser: 
https://chrome.google.com/webstore/detail/malwarebytes/ihcjicgdanjaechkgeegckofjjedodee

  
Then proceed with the setup. 
 

Other suggestions for Chrome, while Chrome is running:
Press & hold the SHIFT+CTRL+Del keys on the keyboard to get the menu for clearing browsing data:

Check mark the line "Browsing history"
Check mark the line "Download history"
Check mark the line "Cached images and files"
and press the Clear Data button (in blue)
 

NEXT

I would suggest a free scan with the ESET Online Scanner
Go to https://www.eset.com/us/home/online-scanner/

Look on the right side of the page.  Click Scan Now
It will start a download of "esetonlinescanner_enu.exe"
Save the file to your system, such as the Downloads folder, or else to the Desktop.

Go to the saved file, and double click it to get it started.
When presented with the initial ESET options, click on "Computer Scan".
Next, when prompted by Windows, allow it to start by clicking Yes
When prompted for scan type, Click on Full scan
Look at & tick  ( select )   the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click on Start scan button.
Have patience.  The entire process may take an hour or more. There is an initial update download.
There is a progress window display.
You should ignore all prompts to get the ESET antivirus software program.   ( e.g.  their standard program).   You do not need to buy or get or install anything else.
When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.
Click The blue “Save scan log” to save the log.
If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files”  ( in blue, at bottom).
Press Continue when all done.  

You should click to off the offer for “periodic scanning”.
 


Hello,

To clear up the confusion about the different devices I mentioned, I have only been talking about a singular infected device, my PC. I did also mention a non-infected mobile device which I mentioned at the end of my latest message stating I was going to start using that to reply on this thread instead of the infected PC (however I quickly realized I might as well just keep using the PC to post as I kinda need to be able to provide the text logs haha). So to be clear, there is only one infected device, my personal computer. Anyhow, let's get on to the important stuff.


I looked at the blog post you sent to me and I disabled notifications on Chrome as you suggested. I also downloaded the Malwarebytes extension you linked to me for Chrome. For good measure I did also try to disable notifications for Microsoft Edge even though I don't use it, but I did not find a way to do that. The blog post you linked to me said that for Microsoft Edge if I wished to disable notifications I would have to go into "Notifications & actions" in Windows settings and look under "Get notifications from these senders" and disable notifications for it there. However, in this setting it showed that no senders have even sent me notifications. So whatever I guess. The more concerning part was as I was clicking around trying to get into this setting I accidentally clicked on the "Focus Assist" tab and a warning appeared stating:

"The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application."

This was a repeatable error as well. Every time I attempt to go into Focus Assist I got this error. Besides that, concerning disabling notifications in the Windows settings again, I did also try to just completely disable notifications by unchecking the "Get notifications from apps and senders" button, but for some reason whenever I exited the system settings and looked back it would always be re-enabled. To test whether changes to other settings were being saved I tried to disable the "Night Light" setting which I had enabled previously a long time ago. When I looked back to check if it was re-enabled, it was. Kinda odd. Moving on though...


I downloaded the ESET Online Scanner as you requested and did the full scan. It detected two objects in total (log file included below of course). It found one thing in Unity Hub, not sure why something was there. I barely ever use Unity so I just let it delete it. The other thing it found seemed to be a remnant of the WebDiscover malware which was mostly removed by Malwarebytes as you can see in my previously sent log files. I'd also like to clarify that everything done in this post was done on Safe Mode with networking drivers enabled if that matters at all (Perhaps that is why my Windows settings I mentioned earlier were not saving?). Anyway, thanks for all your help so far! I will be patiently awaiting your next response :).

esetlog.txt


ESET scan found only 2 items  that were potentially unwanted types.   1 potentially unsafe application   +  1  potentially unwanted application

 

As to the blog article about "push ads",  I have looked at the Blog's directions &  into my own Edge options.   The article seems to be on target.

  • Click the Start button in Windows (Windows icon).
  • Select Settings (gear icon).
  • Select System.
  • Select Notifications & actions.
  • Scroll down and select Microsoft Edge in the list of senders.
  • Here, you set the switch for Notifications to Off


 

[    2    ]

How is the overall situation now ?

Is there anything else you need ?     We can run more scans later, but first I do believe that the system needs to be in normal , regular Windows mode.

and

I also need a report from this machine in order to see all detail I need to guide you further.

I would appreciate  getting some key details from this machine in order to help you forward.
 NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

 

Do have patience while the report tool runs. It may take several minutes. Just let it run & take its time. You may want to close your other open windows so that there is a clear field of view.

Download Malwarebytes Support Tool

  • Once the file is downloaded, open your Downloads folder/location of the downloaded file
  • Double-click mb-support-1.5.4.760.exe to run the report
  • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
  • Place a checkmark next to Accept License Agreement and click Next
  • You will be presented with a page stating, "Get Started!"
  • Do NOT use the button "Start repair"!
  • Click the Advanced tab on the left column
  • Click the Gather Logs button
  • A progress bar will appear and the program will proceed with getting logs from your computer
  • Upon completion, a file named mbst-grab-results.zip will be saved to your Desktop. Click OK
  • Please attach the ZIP file in your next reply.

 

Thank you in advance.

Edited by Maurice Naggar

Hello.

Thanks for the report file.   The Malwarebytes for Windows seems to be in a good state.

I am listing below 2 different scans that you may do as additional checkups.

[    1   ]

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system.
The download links & the instructions for running the tool are at this link at Microsoft
https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

  
Let me know the result of this.
The log is named MSERT.log  
the log will be at  %SYSTEMROOT%\debug\msert.log   which in most cases is
C:\Windows\debug\msert.log
Please attach that log with your reply.
 

[    2    ]

I would suggest a free scan with the ESET Online Scanner
Go to https://www.eset.com/us/home/online-scanner/

Look on the right side of the page.  Click Scan Now

It will start a download of "esetonlinescanner_enu.exe"

Save the file to your system, such as the Downloads folder, or else to the Desktop.
Go to the saved file, and double click it to get it started.
When presented with the initial ESET options, click on "Computer Scan".

Next, when prompted by Windows, allow it to start by clicking Yes
When prompted for scan type, Click on Full scan
Look at & tick  ( select )   the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click on Start scan button.
Have patience.  The entire process may take an hour or more. There is an initial update download.
There is a progress window display.
You should ignore all prompts to get the ESET antivirus software program.   ( e.g.  their standard program).   You do not need to buy or get or install anything else.
When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.
Click The blue “Save scan log” to save the log.

If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files”  ( in blue, at bottom).
Press Continue when all done.  

You should click to off the offer for “periodic scanning”.
 


When I get the time I will run the Windows Safety Scanner but I just wanted to mention we already went through using ESET. If there is another scan you recommend I will include that in my next report though! :)

 

Have a good day/night!


TrendMicro HouseCall scan
https://www.trendmicro.com/en_us/forHome/products/housecall.html

First, Download & Save to your Downloads folder the appropriate HouseCallLauncher

Once the download is complete, go to where the HouseCallLauncher is saved & double-click it to start it.
The program will check with TrendMicro & do an update run.

Next it will show the Disclosure window.
Click Next to proceed.

The end user license agreement is presented.   Click the Accept radio button & click Next to proceed.

IF you wish a Full scan or a Custom scan, first click on the Settings
then you can select which drives you want to include in the scan.
The default is a Quick scan.
Click Scan now when ready.

The scan progress will then be displayed.   Monitor the progress or just leave it alone until it finishes this phase.

When the scan phase has completed, if any items are tagged, you will see a list showing the file & its location, the classification of the threat, the type, risk, and Action option.
If you see an item that you know is safe, you can click the Action  , and select Ignore.
When all done & ready, click the Fix now button.


I completed scanning with both Microsoft Safety Scanner and TrendMicro HouseCall. Both scans came up clean, and I will leave the logs for the Microsoft Safety Scanner below. Didn't see a way to include logs from the TrendMicro HouseCall scan however.

I am also a little concerned with the text log I am including from the scan with Microsoft Safety Scanner because the scan results show errors for every item scanned. This makes me doubt whether the scan even was able to check anything. What do you think?

msert.log


The portions of the Safety Scanner that read "scan error resourceZ"   are not to be of concern.  They are typical of how the tool works & logs.

What counts for real is the result:

No infection found as part of the extended scan

Results Summary:
----------------
No infection found.
Microsoft Safety Scanner Finished On Sat Apr 18 23:19:20 2020

 

You also report that TrendMicro scan was all good,   That is all great.

We have reached the point where there are no infections on this machine.   Is there anything else that you need at this point?

 

SecurityCheck by glax24    

I would like you to run a tool named SecurityCheck to inquire on the current security-update status of some applications.
Download SecurityCheck by glax24 from here
and save the tool on the desktop.

If Windows SmartScreen blocks that with a message window, then

click on the MORE INFO spot and override that and allow it to proceed.
This tool is safe. SmartScreen is overly sensitive.
Right-click with your mouse on SecurityCheck.exe and select "Run as administrator" and reply YES to allow it to run & go forward.
Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file.  Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt
 

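As an added example (not code from the thread, from Malwarebytes or from Microsoft), a small parser for an msert.log of the shape quoted above: it counts the per-item "Scan ERROR" lines, which the reply says are routine, and reads the Results Summary for the actual verdict, reporting "incomplete" when the summary block is missing (for example, an interrupted scan). The sample log is constructed, and the exact wording of MSERT's per-item error lines is an assumption.

```python
"""Summarise a Microsoft Safety Scanner (msert.log) report.

Added example; the sample log below is constructed to resemble the
summary quoted in the thread. The format of the per-item error lines
("->Scan ERROR: resource ... (code 0x...)") is an assumption.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: several per-item scan errors, then the summary block.
SAMPLE_LOG = """\
---------------------------------------------------------------------------------------
Microsoft Safety Scanner v1.0 (constructed sample)
Started On Sat Apr 18 22:05:11 2020

->Scan ERROR: resource file://C:\\Windows\\System32\\example.dll (code 0x00000005 (5))
->Scan ERROR: resource process://pid:4,ProcessStart:1 (code 0x00000005 (5))
->Scan ERROR: resource file://C:\\Users\\user\\AppData\\Local\\Temp\\x.tmp (code 0x00000002 (2))

Results Summary:
----------------
No infection found.
Microsoft Safety Scanner Finished On Sat Apr 18 23:19:20 2020
Return code: 0 (0x0)
"""

SUMMARY_HEADER = "Results Summary:"
# Assumed error-line shape: resource identifier, then a hex error code.
ERROR_RE = re.compile(r"^->Scan ERROR: resource (\S+) \(code (0x[0-9A-Fa-f]+)", re.I)
FINISHED_RE = re.compile(r"Finished On (.+)$")


@dataclass
class MsertSummary:
    scan_errors: int = 0                 # per-item errors before the summary
    error_codes: dict = field(default_factory=dict)   # code -> count
    infection_found: bool = True         # assume the worst until the summary says otherwise
    summary_lines: list = field(default_factory=list)
    finished_on: str = ""


def parse_msert_log(text: str) -> MsertSummary:
    """Count scan-error lines and collect the Results Summary block."""
    result = MsertSummary()
    in_summary = False
    for raw in text.splitlines():
        line = raw.strip()
        if not in_summary:
            m = ERROR_RE.match(line)
            if m:
                result.scan_errors += 1
                code = m.group(2).lower()
                result.error_codes[code] = result.error_codes.get(code, 0) + 1
            if line == SUMMARY_HEADER:
                in_summary = True
            continue
        # Inside the summary block: keep the verdict lines, drop the dashed rule.
        fm = FINISHED_RE.search(line)
        if fm:
            result.finished_on = fm.group(1).strip()
            continue
        if line and not set(line) <= {"-"}:
            result.summary_lines.append(line)
    result.infection_found = not any(
        ln.lower().startswith("no infection found") for ln in result.summary_lines
    )
    return result


def verdict(summary: MsertSummary) -> str:
    """'clean', 'infected', or 'incomplete' (no summary block written)."""
    if not summary.summary_lines:
        return "incomplete"
    return "infected" if summary.infection_found else "clean"


if __name__ == "__main__":
    s = parse_msert_log(SAMPLE_LOG)
    print(f"scan errors: {s.scan_errors} {s.error_codes}")
    print(f"verdict: {verdict(s)} (finished {s.finished_on})")
```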

Hello,

Thanks for all your help! If we can be absolutely sure that there is no malware left after all the scans we've done I suppose we can conclude this thread.

When I tried to download SecurityCheck, Windows Defender REALLY did not want me to download that. It thought it was the Wacatac Trojan and would immediately remove it from the downloads folder before I could even open it. Had to disable real-time protection for it to not get removed immediately. When I ran it I got the pop-up from SmartScreen like you mentioned, but when I clicked on "More Info" it still wouldn't let me run it because the "Run it anyway" button wouldn't appear! I was able to right click and go into properties on SecurityCheck and unblock it from there though.

Once again, thank you very much for your help. Here is the text log. It says Windows Defender is disabled because like I said before I had to disable it for the program to even download without getting deleted. I have of course re-enabled it after SecurityCheck finished. Then it immediately got rid of the program again haha.

SecurityCheck.txt


One more thing as well. Due to Defender removing SecurityCheck at first I did try to download it a couple times. In protection history it says it "blocked" these "severe" threats. If I click the drop down arrow for any one them it gives me the option to "Allow" but not to delete. This is kind of confusing because if I have the ability to allow the program, that means it is still on my computer somewhere. So if it is on my computer somewhere, why can I not also just delete it? Or does clicking the "Allow" button just let the program download without problem if I attempted to try in the future?


Be real cautious on those last bits about the detection history of Windows Defender. A lot of times, we cannot change the Action on an old detection.

And frankly, the blocking of SecurityCheck is way, way off base. This security tool is from a known security developer. The "reputation" checks, which are somewhat generic, do lead to false flagging.

I trust the SecurityCheck tool just as other computer security practitioners do.

The tool is noting cautions about 2 utilities. The Chrome browser is a bit out of date. Go into Chrome >> Settings >> Help >> About Google Chrome and let it do an update.

Java versions are way old & can pose a security risk.

 

-------------------------------- [ Java ] ---------------------------------
Java SE Development Kit 8 Update 231 (64-bit) v.8.0.2310.11 Warning! This software is no longer supported. Please uninstall it

------------------------------ [ Browser ] -------------------------------
Google Chrome v.80.0.3987.163 Warning! Download Update

 

There is more detail on Java at the SecurityGarden Blog    https://securitygarden.blogspot.com/2020/04/oracle-java-se-jre-security-updates.html

Java is only needed if your pc happens to use apps that use Java.   Otherwise, Windows itself does not need it.  Nor do most usual consumers.


Your PC is good to go.  We have done a lot.  I am glad to have helped.  I am marking the case for closure.

 

Adwcleaner you may keep & use on-demand as needed.

Securitycheck.exe you may delete.

The ESET download file  esetonlinescanner_enu.exe   you should delete.

Delete mb-support-1.5.4.760.exe   on Downloads folder

Delete MSERT.exe

Delete mbst-grab-results.zip   on the Desktop.

Any other file I had you download, you may delete.


It is not enough to just have a security program installed. Each pc user needs to practice daily safe computer and internet use.

Best  practices & malware prevention:
Follow best practices when browsing the Internet, especially on opening links coming from untrusted sources.
First rule of internet safety: slow down & think before you "click".
Never click links without first hovering your mouse over the link and seeing if it is going to an odd address ( one that does not fit or is odd looking or has typos).

Free games & free programs are like "candy". We do not accept them from "strangers".

Never open attachments that come with unexpected ( out of the blue ) email no matter how enticing.
Never open attachments from the email itself. Do not double click in the email. Always Save first and then scan with antivirus program.

Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed.
Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next".

Use a Standard user account rather than an administrator-rights account when "surfing" the web.
See more info on Corrine's SecurityGarden Blog 

http://securitygarden.blogspot.com/p/blog-page_7.html


Don't remove your current login. Just use the new standard-user-level one for everyday use while on the internet.

 
Do a Windows Update.

Make certain that Automatic Updates is enabled.
https://support.microsoft.com/en-us/help/12373/windows-update-faq

Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

For other added tips, read "10 easy ways to prevent malware infection"

All the very best to you.  Stay safe.

Sincerely,

Maurice

 

 


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you
