Jump to content

Cleaning up a family member's machine


Recommended Posts

My daughter dropped off a PC at my place last night and using a number of tools, mostly MWB, uninstalling programs, etc. I got most of it cleaned out.

There are still notifications of Trojan and RiskWare via RTP Detection from files within C:\Program Files\WindowsApps.  Below are some examples:

Quote

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 5/22/20
Protection Event Time: 8:37 AM
Log File: 7299f418-9c31-11ea-b495-0c96e68219b2.json

-Software Information-
Version: 4.1.0.56
Components Version: 1.0.920
Update Package Version: 1.0.24252
License: Trial

-System Information-
OS: Windows 10 (Build 18362.836)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Program Files\WindowsApps\19215Crazy4Games.BulletForceMultiplayr_1.0.0.0_x64__v9qbjjvmtnvq4\app\App.exe, Blocked, -1, -1, 0.0.0

-Website Data-
Category: Trojan
Domain: recode.pw
IP Address: 66.232.112.86
Port: 80
Type: Outbound
File: C:\Program Files\WindowsApps\19215Crazy4Games.BulletForceMultiplayr_1.0.0.0_x64__v9qbjjvmtnvq4\app\App.exe

(end)

Quote

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 5/22/20
Protection Event Time: 8:37 AM
Log File: 65996820-9c31-11ea-8550-0c96e68219b2.json

-Software Information-
Version: 4.1.0.56
Components Version: 1.0.920
Update Package Version: 1.0.24252
License: Trial

-System Information-
OS: Windows 10 (Build 18362.836)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Program Files\WindowsApps\19215Crazy4Games.BulletForceMultiplayr_1.0.0.0_x64__v9qbjjvmtnvq4\app\App.exe, Blocked, -1, -1, 0.0.0

-Website Data-
Category: RiskWare
Domain: adskpak.com
IP Address: 50.28.0.84
Port: 80
Type: Outbound
File: C:\Program Files\WindowsApps\19215Crazy4Games.BulletForceMultiplayr_1.0.0.0_x64__v9qbjjvmtnvq4\app\App.exe

(end)

I've run farbar and generated the two .txt files and attached them here.

Thanks in advance for any help that can be offered to finish this cleanup.

FRST.txt Addition.txt

Link to post
Share on other sites

Hi, 

My name is Maurice. I will be helping and guiding you, going forward on this case.

Let me know what first name you prefer to go by.

 

Please follow my directions as we go along.  Please do not do any changes on your own without first checking with me.

If you will be away for more than 3 consecutive days,  do try to let me know ahead of time, as much as possible.

 

Please only just attach   all report files, etc  that I ask for as we go along.

Please know I help here as a volunteer.  and that I am not on 24 x 7.

Help on this forum is one to one.   Again, please be sure to ONLY attach report files  with your reply (s)  as we go along.  Do not do a copy / paste into main body.

.

Thank you for the FRST reports.

The real-time web protection of Malwarebytes has STOPPED any potential harm.   It stopped any connection to those 2 different domain addresses.

the message does NOT mean a "trojan" is on this box.   the booger is external.

If you notice, there are 2 different domains.   adskpak.com   'sounds' like mal-vertising.

The other is  recode.pw

.pw is the country code top-level domain for Palau. It was originally delegated to the Pacific island nation of Palau in 1997.[1] It has since been redelegated a number of times, most recently[when?] by Directi, a group of businesses operating registrars among other Internet-related services, who rebranded it as the Professional Web.

.

One would not normally expect to need to "visit"  either one.

.

Ask your daughter if she recalls just where she got  the game  Bullet Force Multiplayеr

That is the "app" at the root of the trigger for the block notices.

I would suggest you Uninstall  the Bullet Force Multiplayеr

.

NEXT

 

I  would suggest to download, Save, and then run Malwarebytes ADWCLEANER.

Please close Chrome and all other open web browsers after you have saved the Adwcleaner and before you start Adwcleaner scan.

Adwcleaner  detects factory Preinstalled applications too!

 

Please download  Malwarebytes AdwCleaner  https://downloads.malwarebytes.com/file/adwcleaner
 

Be sure to Save the file first, to your system.  Saving to the Downloads folder should be the default on your system.

 

Go to the folder where you saved Adwcleaner. Double click Adwcleaner  to start it.

At the prompt for license agreement, review and then click on I agree.

 

You will then see a main screen for Adwcleaner. ( if you do not see it right away, minimized the other open windows, so you can see Adwcleaner).

Then click on Dashboard button.

Click the blue button "Scan Now".

 

allow it a few minutes to finish the Scan.   Let it remove what it finds.

NOTE:  When it comes to the section "

Pre-installed applications

 

You can skip that.

Please find and send the Adwcleaner "C" clean report.

In Adwcleaner, click the "Reports" button.  Look at the list of reports for the latest date & type "Clean".

Double Click that line & it will open in Notepad.   Save the file to your system and then Attach that with your reply.

 

That C clean report will be the one with the most recent Date and time at folder  C:\AdwCleaner\Logs

 

Link to post
Share on other sites

Thanks for the quick reply.  I asked her boyfriend about that app and he said it was something that he downloaded and installed, but told me it was OK to uninstall it if it was causing problems.  I've done that.

I ran ADWCleaner as part of my efforts last night and attached that log, in addition to running it again.  The second run detected some software that I installed last night, ran, then uninstalled when I was done with it.  I guess it didn't uninstall cleanly. 

Let me know if you think we need to do anything else.  Thanks.

AdwCleaner[C00].txt AdwCleaner[C01].txt

Link to post
Share on other sites

Thanks for the Adwcleaner reports.  Both of them worthwhile to have done.   Bravo.

There is more cleanups to do,plus later we will do a different scan or two.

 

This is a custom cleanup.

Please Close and Save any open work you may have open.
Please close as many un-needed app-windows that you yourself may have open at this point.   So you can have a clear field of view.

This custom script is for  LLAFFER    only / for this machine only.
Close and save any open work files before starting this procedure. 

Please Close and save any open work files before you start this next step.  It may perhaps involve a Windows Restart at the end of it.
I am sending a   custom Fix script which is going to be used by the FRST64 tool. They will both work together as a pair.

Please RIGHT-click the (attached file named) FIXLIST and select SAVE  link AS and save it directly ( as is) to the  Downloads  folder

The tool named FRST64.exe   tool    is already on the Downloads folder
Start the Windows Explorer and then, to the Downloads folder.


RIGHT click on  FRST64    and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run.
  to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool......
click line More info information on that screen
and click button Run anyway on next screen.

on the FRSTENGLISH window:
Click the Fix button just once, and wait.

frst-fix.jpg.f6a25291b39a03d418acc9a3b7136900.jpg
 
PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   

.

NEXT

There is one setting in Malwarebytes that needs to be off.   So that the Microsoft Windows Defender is all enabled.   The Premium ( or trial ) protections of Malwarebytes will still be on.

Start Malwarebytes. Click Settings ( gear ) icon. Next, lets make real sure that Malwarebytes does NOT register with Windows Security Center 

Click the Security Tab. Scroll down to 

"Windows Security Center"

Click the selection to the left  for the line "Always register Malwarebytes in the Windows Security Center".

Close Malwarebytes when done.

We will do more, later.    What I would like to know at this point,  Have the Block notices stopped ?

 

Fixlist.txt

Link to post
Share on other sites

I ran the script and attached the output log from that run. 

I checked for additional blocks and there were several.  I exported the last several and attached them in a .zip as well.

While I was typing this I saw multiple blocked messages popup and then start playing an audio commercial.  The messages state Skype, which I didn't even know was installed, and Volume Mixer shows that the audio is being played from Skype as well.  For now I've muted Skype just so the audio would stop, but they are continually playing now.  The latest 3 blocks are 9, 10, and 11 in the .zip.

Another thing that happened was without any input from me, the Microsoft Store seemed to popup on its own with a game already selected for download.  This happened last night too.

Blocked logs.zip Fixlog.txt

Link to post
Share on other sites

Good morning.   I hope you are doing well,  and enjoying the week-end.

 

Thank you for the reports.  As to the Block events,  the real-time web protection of the Trial Malwarebytes  ( same protections as in Premium) has STOPPED any potential harm.

The notices are courtesy notices to let you know the program is protecting the system.

It seems the blocks are related to "malvertising".   Here is a resource that has additional information on malvertising

https://www.malwarebytes.com/malvertising/

.

We will later on run a few additional scans to keep checking the system.    At this point though, I would like to have you run a new custom script to remove "TypeMinopa" off this machine, which is a malvertising.

Please delete the previous "Fixlist.txt"  that I had you save before.   I am attaching a new FIXLIST.txt  here with this reply.

This custom script is for  LLAFFER    only / for this machine only.
Close and save any open work files before starting this procedure. 

I am sending a   custom Fix script which is going to be used by the FRST64 tool. They will both work together as a pair.

Please RIGHT-click the (attached file named) FIXLIST and select SAVE  link AS and save it directly ( as is) to the  Downloads  folder

The tool named FRST64.exe   tool    is already on the Downloads folder
Start the Windows Explorer and then, to the Downloads folder.


RIGHT click on  FRST64    and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run.
  to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool......
click line More info information on that screen
and click button Run anyway on next screen.

on the FRSTENGLISH window:
Click the Fix button just once, and wait.

frst-fix.jpg.f6a25291b39a03d418acc9a3b7136900.jpg
 
PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   

.

[   2   ]

At this point, a different tool to scan the pc for viruses & other malware  ( if any ).

Do not click on the small popup mini-window that shows up.   Look for the green color button that says "Download Dr.Web CureIt"  with the down-arrow icon

image.png.89e510f058b59b38d7abd400ffb3f917.png

 

Download Dr.Web CureIt to the desktop. 
The download is nearly 208  MB in size

 

After the download is completed, then close the browser and all other web browsers too.

Use the Windows File Explorer to go to the Downloads folder.

 

doubleclick on  the download file file to start the tool.     ( drweb will randomize the name of the file when you download it )

 


⦁    You will see a screen similar to this:

drweb-1.jpg.d19c089d11f5b87d91965b11ad62ca17.jpg


 
Click the checkbox to participate, and then click on Continue button.

 


⦁    Next

drweb-2.jpg.d5bdb76dc769a35fe9b643c90dddb7b0.jpg


 
Click on Select objects for scanning
⦁    Next

drweb-3.jpg.2b2fa047cb9a0e7fcbdd5c69a73fa694.jpg
 
Put a checkmark by clicking on all the boxes    EXCEPT for

"Temporary files"

"System restore points"


Do not select Temporary files or System Restore points.


Then click on Start scanning button

⦁    The scan in progress will be shown like this

 

drweb-4.jpg.6f5db8bfbc2db1162e72a626053fe62a.jpg


⦁    IF something is detected, you will see a screen similar to this

 

image.png.75d975285e7cd0b1ea4d39b61fca8f9a.png


 
For each item "detected", click on the Action column down arrow, like this
 

image.png.5c1e515f37a43ca9a954c0ee5f4b0f4c.png

Your options will be Cure or Ignore

IF you see an item that you are very sure is ok, then un-check the checkbox for that item.
Typically, you will keep the Cure default.

Then click on the Neutralize button.

 

⦁    When the actions are completed, you will see this

image.png.248b34e853c772318a415fb88ef452b4.png


 
⦁    Click on the green Open Report line. It will pop-up the report in NOTEPAD.
Save the report to your desktop. The report will be called Cureit.log
⦁    Close Dr.Web Cureit. 
⦁    Reboot your computer to allow files that were in use to be moved/deleted during reboot. 
⦁    After reboot, attach the log Cureit.log you saved previously in your next reply. 

 

Have patience in all this. 

 

Fixlist.txt

Link to post
Share on other sites

Thanks.  I ran the script and rebooted, then downloaded the new scanner and that's running now.  Though I don't think the additions to the hosts file were applied.  the log said it couldn't find the hosts file in the two "attrib" steps, so my thoughts are that this created a new hosts file somewhere where it won't take effect.  The time stamp of the hosts file was last night and when I opened it, it didn't have the new entries.  So I'm not sure what happened to the attempts to add new records.

I'll post the logs when the scan/cleans are done.  Thanks, again!

Link to post
Share on other sites

OK,  Thank you for the reports.

Just one other scan with ESET.

I would suggest a free scan with the ESET Online Scanner
Go to https://www.eset.com/us/home/online-scanner/

Look on the right side of the page.  Click Scan Now
It will start a download of "esetonlinescanner_enu.exe"
Save the file to your system, such as the Downloads folder, or else to the Desktop.

Go to the saved file, and double click it to get it started.
When presented with the initial ESET options, click on "Computer Scan".

Next, when prompted by Windows, allow it to start by clicking Yes

When prompted for scan type, Click on Full scan
Look at & tick  ( select )   the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click on Start scan button.

Have patience.  The entire process may take an hour or more. There is an initial update download.
There is a progress window display.
You should ignore all prompts to get the ESET antivirus software program.   ( e.g.  their standard program).   You do not need to buy or get or install anything else.

When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.

Click The blue “Save scan log” to save the log.

If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files”  ( in blue, at bottom).

Press Continue when all done.  You should click to off the offer for “periodic scanning”.

 

Link to post
Share on other sites

While that scan is still running, I've noticed that many of the scanners are not happy with the various IOBit software that I've installed and cleaned up left-over files after I've uninstalled them.

Is there a recommended set of system cleanup tools such as hard disk fragmentation, etc.

Thanks.  I'll post the logs when the scan is complete.

Link to post
Share on other sites

Just so you know,   I do not recommend "Iobit".

If you are wanting to consider disk defragging   ( only if you have the 'standard'  disk drive ......   and NOT a modern SSD   ( solid state)....

then you may consider the one named Defraggler  that originated by Piriform    ( now I believe is part of the empire of AVG / Avast/ CCleaner)

This is the download link for the free   https://www.ccleaner.com/defraggler/download/standard

Link to post
Share on other sites

Thanks. I'll give that a try.  The scan is still running, but I think it's almost done.  Up to 234,000 files checked and found 3 objects.  I don't think other scans showed much more than about 250,000 files on it, but I didn't make an effort to check, either.  Will reply again with logs when done.

Link to post
Share on other sites

Thanks  for the ESET scan report.  I believe this pc should be good to go.  Lets just do one new scan with Malwarebytes.

Please do a new Scan on this machine, using Malwarebytes for Windows.

To run a Threat Scan, open Malwarebytes for Windows and click the blue Scan button.

Have patience during the run.

When the scan phase is done, be real sure you Review and have all detected lines items check-marked on each line on the left. That too is very critical.

Then click on Quarantine selected.

 

Then, locate the Scan run report;  export out a copy;  & then attach in with your  reply.

See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

.

This next tool you can use to check this machine    ( and other machines at your home)  it is from Microsoft.

You can check this system using another free tool at Microsoft.  For another opinion.

The Microsoft Safety Scanner is a free stand-alone virus scanner that  can be used to scan for & remove malware or potentially unwanted software from a system.

The download links & the how-to-run-the tool are at this link at Microsoft

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

take a minute to locate & then send the log that it made, named msert.log

It should be at C:\Windows\debug\msert.log

 

NOTE:   Malwarebytes for Windows you know.   By now, you know Adwcleaner   ( to check for adwares).

The tool above by Microsoft is another tool.   Beyond that, use the Microsoft Windows Defender that is built into Windows 10.

Link to post
Share on other sites

The scan report from Malwarebytes for windows is perfect.

The "block" reports seem to be ones from the 23rd.    Look at the Windows scheduled tasks to see if any are set to auto-start Skype.

 

The old blocks look like they are flagged due to malvertising.

 

I have had you run a battery of other scans before.   Let us do one scan with    TrendMicro HouseCall 

https://www.trendmicro.com/en_us/forHome/products/housecall.html

First, Download & Save to your Downloads folder the appropriate HouseCallLauncher

 

Once the download is complete, go to where the Housecalllauncher is saved & double-click it to start it.

The program will check with TrendMicro & do a update run.

 

Next it will show the Disclosure window.

Click Next to proceed.

 

The end user license agreement is presented.   Click the Accept radio button & click Next to proceed.

 

IF you wish a Full scan or a Custom scan, first click on the Settings

then you can select which drives you want to include in the scan.

The default is a Quick scan.

Click Scan now when ready.

 

The scan progress will then be displayed.   Monitor the progress or just leave it alone until it finishes this phase.

 

When the scan phase has completed, if any items are tagged, you will see a list, showing  the file & its location, the classification of the threat, the type, risk, and Action option.

If you see an item that you know is safe, you can click the Action  , and select Ignore.

When all done & ready, click the Fix now button.

Link to post
Share on other sites

I've had you run several scan tools so far.   As I recall, including Malwarebytes for Windows,

Adwcleaner,

DR.Web Cure-It

ESET Online scanner

TrendMicro Housecall

Microsoft Safety Scanner.

Any website or I.P.  blocks by the Malwarebytes real-time web protection mean that any potential threat was stopped.   It is protecting your machine.

.

For Your Information: 

 

The Block notices from Malwarebytes web protection do mean that Malwarebytes Premium is keeping your pc safe from potential harm. 

A block notice is an advisory of the "block". 

 

It  indicates that a potential risk was blocked by the malicious website protection.  

The Malwarebytes web protection, by default, will always show each  block occurrence. 

The Malwarebytes Webs protection feature will advise customers when a known or suspected malicious IP is attempted to be reached (outgoing) or is trying access your PC. 

 

 

Incoming block notice can be ignored, the Malwarebytes real-time Premium protection is blocking the threat and there is nothing more that can be done. 

On Outbound blocks, any attempted connection was stopped. 

 

Edited by Maurice Naggar
Link to post
Share on other sites

Thanks.  I'll clean up some of the log files that I've left behind and prepare it for return to them. 

I don't think that she's currently willing to pay for MWB once the free-trial ends.  what would happen with those hits that are getting blocked currently once this trial completes?

Thanks.

Link to post
Share on other sites

Hello.

The trial mode ends after 14 days after the install.   Do all that you can to beef up the web browsers.  Be sure all applications have security updates.

.

   

You want to disable the ability of each web browser on this machine from being able to allow "push ads". That means Chrome, Firefox, or Edge browser (on Windows 10), or on Opera.  

Scroll down to the tips section "How do I disable them".  

 

If this pc has the Google Chrome browser, or the Brave browser, I suggest you install the Malwarebytes Browser guard for Chrome.  

To get & install the Malwarebytes Browser Guard extension for Chrome,  

   

Open this link in your Chrome   browser:  

   

Then proceed with the setup.  

  

. 

If the pc has Mozilla Firefox, to get & install the Malwarebytes Browser Guard  Firefox extension.  

Open this link in your Firefox browser:     

Then proceed with the setup.  

That link is for English US.   There are other language version.  Just go to the very bottom right of the page and look at “Change language” list drop down. 

.

For Windows 10 machines, you may consider beefing up the Windows Defender  by turning on some additional options.

https://www.bleepingcomputer.com/news/microsoft/windows-10-defenders-hidden-features-revealed-by-this-free-tool/

.

I  would recommend that if you have a internet-connection-router hardware at home,  that you look over this article
"How to Enable Your Wireless Router's Built-in Firewall"
https://www.lifewire.com/how-to-enable-your-wireless-routers-built-in-firewall-2487668

 

In most cases the attempted probes will automatically stop on their own. If it continues you can add the IP to the local firewall to prevent it from contacting the computer period.
If you wish to do so, here is one how-to guide for the Windows software firewall
https://www.interserver.net/tips/kb/add-ip-address-windows-firewall/

 

Additionally or alternatively, if this is on Windows 10 PRO  and if you do not need or use Remote Desktop,  you can turn that off.
https://www.tenforums.com/tutorials/92433-enable-disable-remote-desktop-connections-windows-10-pc.html

 

Link to post
Share on other sites

Cleanups for tools I had you use:

To remove the FRST64 tool & its work files, do this.  Go to your Downloads folder.  Do a RIGHT-click on FRST64.exe & select RENAME & then change it to UNINSTALL.exe .
Then run that ( double click on it)  to begin the cleanup process.

.

You may delete the DR.Web CureIt download

You may delete the ESET download file  esetonlinescanner_enu.exe

You should delete msert.exe

Adwcleaner you may keep and use on-demand as needed to check for adwares.

.

It is not enough to just have a security program installed. Each pc user needs to practice daily safe computer and internet use. 

 

Best  practices & malware prevention: 
Follow best practices when browsing the Internet, especially on opening links coming from untrusted sources. 
First rule of internet safety: slow down & think before you "click". 

Never click links without first hovering your mouse over the link and seeing if it is going to an odd address ( one that does not fit or is odd looking or has typos). 

 
Free games & free programs are like "candy". We do not accept them from "strangers". 

 
Never open attachments that come with unexpected ( out of the blue ) email no matter how enticing. 
Never open attachments from the email itself. Do not double click in the email. Always Save first and then scan with antivirus program. 
 
 

 

Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed. 
Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next". 
 
Use a Standard user account rather than an administrator-rights account when "surfing" the web. 
See more info on Corrine's SecurityGarden Blog http://securitygarden.blogspot.com/p/blog-page_7.html 
Dont remove your current login. Just use the new Standard-user-level one for everyday use while on the internet. 
 
 
Do a Windows Update. 
 
Make certain that Automatic Updates is enabled. 
https://support.microsoft.com/en-us/help/12373/windows-update-faq 

 
 
 
Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware. 
 
For other added tips, read "10 easy ways to prevent malware infection" 

. 

I do wish you all the best.  Stay Safe.

Sincerely,

Maurice

Link to post
Share on other sites

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you

 

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.