blanco

Malwarebytes is blocking a trojan from every minute


Recently I suffered an attack on my PC.

I ran windows defender (the default option in Windows 10) and it identified a Trojan. 

This attack among other things, deleted a bunch of my files.

I decided to try malwarebytes and it quarantined a bunch of files.

However, I am constantly receiving notifications every minute about a website that malwarebytes is blocking time and time again.

I am uploading a screenshot of this notification.

What should I do to fix this? 

An unrelated question would be, can a trojan read pictures and identify words on a picture?

Thanks!

Screenshot (2942).png

Hello blanco and welcome to Malwarebytes....

Continue with the following:

Open Malwarebytes, select > "settings" > "security tab"

Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on....

Go back to "DashBoard" select the Blue "Scan Now" tab......

When the scan completes quarantine any found entries...

To get the log from Malwarebytes do the following:
 
  • Single click on the target sight above scanner window.
  • In the new window select Report
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:
    Copy to Clipboard - if selected, right click in your reply and select "Paste"; the log will be pasted to your reply
    Export to Txt - if selected you will have to name the file and save to a place of choice, recommend "Desktop", then attach to reply
  • Please use "Export to Txt" then attach the log to your reply...


Next,

Download AdwCleaner by Malwarebytes onto your Desktop.

Or from this Mirror
 
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Quarantine button. This will kill all the active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply


Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status...
 
  • Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach that log to your reply.


Let me see those logs in your reply...

Thank you,

Kevin....


Thanks @kevinf80 I just did the Malwarebytes scan.

I actually did 2. In the first one it identified 7 trojans, it asked me to restart the laptop but it froze when restarting. I pressed the power button and it turned off. Then I turned it back on. I saved the text file and then I did another scan with no malware identified. I will attach the 2 text files. 

report with 7 founds.txt report with no issues.txt


Hello again @kevinf80

I just did the second step with AdwCleaner. When it was restarting it showed me an error. I included 2 photos showing the error.

I found the logs location in the logs tab inside the program, there were 3 files. 2 text and 1 named scanInfo. 

I am not sure the preinstalled software should be removed, next to my battery icon when clicking the arrow there are now 2 icons (Malwarebytes and Nvidia) and before this there were a bunch of them. I am also including 2 screenshots with information about the preinstalled files. 

Should I restore those preinstalled files? they are currently kept under quarantine by this program.

problem restarting1.JPG

problem restarting2.JPG

preinstalled1.png

preinstalled2.png

AdwCleaner[C00].txt AdwCleaner[S00].txt


I just did the last step @kevinf80

Besides the normal warning from Windows when running Farbar I also had to disable the ransomware protection from Malwarebytes so it could run, and enabled it back when it was done. These are the 2 text files it created. Thank you very much for your help and attention. Any recommendation about what I should do next?

 

Addition.txt FRST.txt


Thanks for those logs blanco, continue:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.

Next,

Download Sophos Free Virus Removal Tool and save it to your desktop.

If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....

Please Do Not use your PC whilst the scan is in progress.... This scan is very thorough so may take several hours...
 
  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found please confirm that result....



The Virus Removal Tool scans the following areas of your computer:
  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable
  • Mapped network drives are not scanned.


Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

Let me see those logs in your next reply, also tell me if there are any remaining issues or concerns...

Thank you,

Kevin..
 

fixlist.txt


Here is the Fixlog text file @kevinf80

The PC is browsing the internet very slow now. Why is that? The search history was also deleted but I really wonder why it is slower? 

There is also a yellow symbol above the security icon next to the battery, I am uploading a screenshot. But when right clicking it, it doesn't open. Those symbols are normal but they were removed after running the adwcleaner. I haven't restored them but now they reappeared?

Screenshot (2953).png

Fixlog.txt


I restarted the laptop and now it has its normal speed again. The yellow icon is now green again.

I will now proceed with the last step using sophos.


Sophos is currently unavailable @kevinf80 I am uploading a screenshot of the message I am seeing. I already created my account in their website but I am not able to download the tool.

Regarding the preinstalled files that were quarantined by adwcleaner, should I restore them? I uploaded some screenshots when sharing that information in a previous message and they seemed like important files.

Screenshot (2954).png


Also @kevinf80, I started this post with the issue of the constant notification from a Trojan according to malwarebytes. This notification stopped today before doing any of the steps from this post. I don't know why it stopped but that's good. 

Could you give me some information about what risky files you have seen on the logs? 

I will do the sophos step as soon as their website allows the download.


Hello blanco,

Do not reinstall anything related to Lavasoft to include web companion, have a read at the following link:

https://appuals.com/what-is-lavasoft-web-companion-and-should-it-be-removed/

FRST fix did not remove anything suspicious, it was a basic clean up of orphan system files, many unwanted temp files etc etc. You will note that 5.6 gb of data was removed, meaning that scan just made extra disk space available to you.

You earlier posted two scan logs from Malwarebytes, the first showing removal of the unwanted Trojan. The latter log was clean, meaning no return of malicious entries.

The Sophos scan was to double check your system is definitely clean.. Leave Sophos and run the following:

Download Microsoft's " Malicious Software Removal Tool" and save direct to the desktop

Ensure to get the correct version for your system....

https://www.microsoft.com/en-gb/download/malicious-software-removal-tool-details.aspx


Right click on the Tool, select “Run as Administrator” the tool will expand to the options Window
In the "Scan Type" window, select Quick Scan
Perform a scan and Click Finish when the scan is done.


Retrieve the MSRT log as follows, and post it in your next reply:

1) Select the Windows key and R key together to open the "Run" function
2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

notepad c:\windows\debug\mrt.log

The log will include log details for each time MSRT has run, we only need the most recent log by date and time....
 
thanks,
 
Kevin
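The instructions above ask for only the most recent MSRT run from mrt.log, which accumulates one block per run. As an added example that is not from the thread or from Microsoft, the following Python script splits the file into runs on its "Started On" / "Finished On" lines, keeps each run's result line and return code, and returns the newest run by start time rather than trusting file order. The layout of mrt.log (those marker lines, a "Results Summary:" section and a "Return code:" line) is an assumption from typical MSRT logs; the embedded sample is constructed in that shape and its detection name is a placeholder.

```python
import re
from datetime import datetime
from pathlib import Path
from typing import Optional

# Location the thread gives for the MSRT log (notepad c:\windows\debug\mrt.log).
MRT_LOG_PATH = Path(r"C:\Windows\debug\mrt.log")

# ctime-style timestamps, e.g. "Tue Mar 10 09:12:41 2020" (assumed MSRT format).
_TIME_FMT = "%a %b %d %H:%M:%S %Y"

# Constructed sample in the assumed shape: two appended runs, each bracketed by
# "Started On" / "Finished On" lines and a return code. The detection name is a
# placeholder, not a real MSRT detection.
SAMPLE_MRT_LOG = """\
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.80, (build 5.80.17763.1)
Started On Tue Jan  7 08:15:02 2020

Results Summary:
----------------
No infection found.
Successfully Submitted Heartbeat Report
Microsoft Windows Malicious Software Removal Tool Finished On Tue Jan  7 08:19:40 2020

Return code: 0 (0x0)
---------------------------------------------------------------------------------------
Microsoft Windows Malicious Software Removal Tool v5.81, (build 5.81.17763.1)
Started On Tue Mar 10 09:12:41 2020

Results Summary:
----------------
Found Trojan:Win32/PLACEHOLDER.A and Removed!
Successfully Submitted Heartbeat Report
Microsoft Windows Malicious Software Removal Tool Finished On Tue Mar 10 09:20:03 2020

Return code: 6 (0x6)
---------------------------------------------------------------------------------------
"""


def _parse_time(text: str) -> datetime:
    # ctime pads single-digit days with two spaces; collapse them before parsing.
    return datetime.strptime(" ".join(text.split()), _TIME_FMT)


def parse_mrt_log(text: str) -> list:
    """Split mrt.log into one record per MSRT run, in file order."""
    runs = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        started = re.match(r"^Started On (.+)$", line)
        if started:
            current = {"started": _parse_time(started.group(1)), "finished": None,
                       "return_code": None, "summary": []}
            runs.append(current)
            continue
        if current is None:
            continue  # header noise before the first run
        finished = re.search(r"Finished On (.+)$", line)
        if finished:
            current["finished"] = _parse_time(finished.group(1))
            continue
        code = re.match(r"^Return code: (\d+)", line)
        if code:
            current["return_code"] = int(code.group(1))
            continue
        # Keep the result lines from the "Results Summary:" section.
        if line.startswith("Found ") or line == "No infection found.":
            current["summary"].append(line)
    return runs


def most_recent_run(text: str) -> Optional[dict]:
    """Newest run by start time, or None when the log holds no runs."""
    runs = parse_mrt_log(text)
    return max(runs, key=lambda r: r["started"]) if runs else None


def describe_run(run: Optional[dict]) -> str:
    """Human-readable summary of one run, suitable for pasting into a reply."""
    if run is None:
        return "no MSRT runs found in log"
    finished = run["finished"].strftime(_TIME_FMT) if run["finished"] else "unknown"
    lines = [f"MSRT run started {run['started'].strftime(_TIME_FMT)}, finished {finished}",
             f"return code: {run['return_code']}"]
    lines.extend(run["summary"] or ["(no result line recorded)"])
    return "\n".join(lines)


if __name__ == "__main__":
    # Read the real log when present; otherwise fall back to the constructed sample.
    text = MRT_LOG_PATH.read_text(errors="replace") if MRT_LOG_PATH.exists() else SAMPLE_MRT_LOG
    print(describe_run(most_recent_run(text)))
```

Sorting by the parsed start time instead of taking the last block means a log whose runs were appended out of order, or one that was edited by hand, still yields the latest scan.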

Hi @kevinf80 the link to the microsoft tool doesn't provide any download link. I looked for it on google and found this link https://www.microsoft.com/en-us/download/details.aspx?id=9905 , is that the tool I should download?

A previous question about one of the tools I used earlier is about the preinstalled files that were quarantined by adwcleaner, should I restore them? I uploaded some screenshots when sharing that information in a previous message and they seemed like important files.

Do you know if a trojan can read pictures and identify words on a picture? or share a picture with a hacker?

Thanks!


Try this link for MSRT https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en

Any entries AdwCleaner removed relating to Lavasoft and Web Companion should not be replaced; the rest from Dell are bloatware that come preinstalled. I would not replace them; if you believe you need and use them then make that decision yourself....


Ok @kevinf80 I am attaching the text file. It didn't find anything.

I also saw this in the microsoft website https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download I am thinking of using that tool as well. What do you think?

Also, after doing all of this do you think I should format the laptop or should it be clean now?

Thanks!

mrt.log


Hello blanco,

Yes run that tool from microsoft, see what it finds..?

Regarding format and reinstall, that is really up to you. If your system is currently behaving as expected with no remaining issues or concerns I would not bother

Let me know if that scan you mention finds anything..

Thanks,

Kevin


Hello @kevinf80 the other Microsoft software didn't find anything. I suppose the laptop should be clean now.

I did have an issue yesterday morning while restarting, it showed me a blue screen that I haven't seen before. The laptop has been running fine since then. I hope that was a one time issue but I don't know what caused it. 

IMG_9462.JPG


Hello blanco,

Kernel Security Check Failure means that one or possibly several files failed a compatibility or integrity check, this can happen for several different reasons, run the following commands and let me know the findings...

Open elevated command prompt, https://www.bleepingcomputer.com/tutorials/how-to-open-a-windows-10-elevated-command-prompt/

Type or copy/paste the following commands and hit Enter after each one..

CHKDSK X: /F (Replace X with your OS letter, usually C)

DISM /Online /Cleanup-Image /RestoreHealth

SFC /SCANNOW
 
Thanks,
Kevin..


Thanks @kevinf80 I am uploading a screenshot. Should I also upload one or both of the log files mentioned in the last part of the screenshot?

I don't know why the first step could not be run, I am not sure what that "other process" mentioned by the command in the first step is. I wrote "n" because I am not sure if I should run that command later on.

I also don't know why the second step said "restore operation completed successfully" and then the third and last step said there were some corrupt files that have been repaired. 

Screenshot (2962).png


Hello blanco,

CHKDSK can only run when your system is not in use, that is at boot before your system loads. Hence that command always asks to schedule the fix next time your system boots..

Have you experienced anymore BSOD...?


Ok @kevinf80 so I should write "y" instead of "n" when running the first command.

I haven't encountered the BSOD again. It was only that time about 2 days ago. I have been using the laptop as usual since then with no issues. 


Hello blanco,

There is no need to run check disk if your system is now behaving normally... Continue to clean up:

Right click on FRST here: C:\Users\gaboh\Downloads\Software\FRST64.exe and rename it to uninstall.exe. When complete, right click on uninstall.exe and select "Run as Administrator"

If you do not see the .exe appended that is because file extensions are hidden, in that case just rename FRST64 to uninstall

That action will remove FRST and all created files and folders...

Next,

Remove all System Restore Points: https://www.tenforums.com/tutorials/33593-delete-system-restore-points-windows-10-a.html#option2

Create clean fresh Restore Point: http://www.thewindowsclub.com/create-system-restore-point

Run Windows Disk Clean Up Utility - https://neosmart.net/wiki/disk-cleanup/

From there you should be good to go...

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin...

Hello @kevinf80 I think I might have made a mistake because I deleted the FRST64.exe file manually. Should I download it again and continue with that step?


And should I continue to apply the following steps or redownload the frst64 file first @kevinf80 ?

The disk cleanup utility is something that I use frequently. The restore points is new for me. 


Yes you will have to download again, then rename and continue. Continue with the rest of the instructions after that...;)
