
Let's start from here, I am a very stupid person and decided to download game cheats to play with my friends. When I decided to remove the cheat from my computer, I clicked on this: remove, cleaned the recycle bin and it reappeared some time later. I scanned it with the Malwarebytes free premium trial. It showed that osiris.dll (name of cheat) is Malware.Al2017645145. I sent it to quarantine, but some time later it REAPPEARED AGAIN. I am scared of losing my private data or harming my computer. Does anyone have a solution for that? I would be very happy and thankful.


Hello @Infernus. :welcome:
My name is Maurice. I will be helping and guiding you, going forward on this case.
Let me know what first name you prefer to go by.

We need to see where the suspect file is, as well as other details.

Please follow my directions as we go along. Please do not do any changes on your own without first checking with me.
If you will be away for more than 3 consecutive days, do try to let me know ahead of time, as much as possible.

Please only just attach all report files, etc. that I ask for as we go along.


I would appreciate getting some key details from this machine in order to help you going forward.
NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer; please allow the programs to run if blocked by your system.

Do have patience while the report tool runs. It may take several minutes. Just let it run & take its time. You may want to close your other open windows so that there is a clear field of view.

Download Malwarebytes Support Tool

  • Once the file is downloaded, open your Downloads folder / the location of the downloaded file.
  • Double-click mb-support-1.6.2.802.exe to run the report.
  • Once it starts, you will see a first screen with 2 buttons. Click the one on the left marked "I don't have an open support ticket".
  • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
  • Place a checkmark next to Accept License Agreement and click Next.
  • Now click the left-hand side pane "I do not have an open support ticket".
  • You will be presented with a page stating, "Get Started!"
  • Do NOT use the button "Start repair"! But look instead at the far-left options list in black.
  • Click the Advanced tab on the left column.
  • Click the Gather Logs button.
  • A progress bar will appear and the program will proceed with getting logs from your computer. Please do have patience. It takes several minutes to gather.
  • Upon completion, a file named mbst-grab-results.zip will be saved to your Desktop. Click OK. Then Exit the tool.
  • Please attach the ZIP file in your next reply.

 

Please know I help here as a volunteer, and that I am not on 24 x 7.
Help on this forum is one to one. Again, please be sure to ONLY attach report files with your reply(s) as we go along. Do not do a copy / paste into the main body.
Thank you,
Sincerely.


Please do all you can to remain steady & calm.  I am going to be guiding you along.  Follow my lead.

If you have questions, ask me first. But do not jump and do things on your own.

If you have lots of browser tabs open,  close as many of them as you can.   Close those you do not need.

Close and exit all game programs.   Close and exit all messenger type programs.

 

I notice that this pc has 3 antivirus programs installed (and that is not counting the Windows Defender / Microsoft Antivirus that comes with Windows 10).

You need to uninstall AVG and Avast antivirus. This pc looks to have the BitDefender antivirus installed and running.

.

We are going to start with a custom script to get the Osiris.dll off the desktop  and to do a mini-cleanup of temporary files.

 

But first, one procedure to be sure that the system is set to show all folders, including any hidden ones.

Do not let the details or number of lines below spook you, please. It is all do-able and needed.
Just take your time.
 

Windows File Explorer needs to be set to show ALL folders, all system files, etc., including hidden files / folders.

Open Windows File Explorer.

  • Select View from its top menu bar > click Options on the icon at the far right side > Change folder and search options (from the drop down).
  • On the next multi-tab mini-window,
  • select the View tab and, in Advanced settings,
  • select Show hidden files, folders, and drives
  • and OK.

 

[ 2 ]

 

This custom script is for  Infernus  only / for this machine only.

 
Close and save any open work files before starting this procedure. 

I am sending a  new  custom Fix script which is going to be used by the FRSTENGLISH tool. They will both work together as a pair.

Please RIGHT-click the (attached file named) FIXLIST and select "Save link as" and save it directly (as is) to the Downloads folder.

The tool named FRSTENGLISH.exe is already in the Downloads folder.
Start Windows Explorer and then go to the Downloads folder.

RIGHT-click on FRSTENGLISH and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow it to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool,
click the "More info" line on that screen
and click the "Run anyway" button on the next screen.

on the FRSTENGLISH window:
Click the Fix button just once, and wait.

 
PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   

 

We will do more after this.   Thanks in advance for your patience.

Fixlist.txt


That is fine. Good. Let's proceed and do what follows.

I would suggest you download, save, and then run Malwarebytes ADWCLEANER.

Please close Chrome and all other open web browsers after you have saved the Adwcleaner and before you start Adwcleaner scan.

Adwcleaner  detects factory Preinstalled applications too!

 

Please download  Malwarebytes AdwCleaner  https://downloads.malwarebytes.com/file/adwcleaner
 

Be sure to Save the file first, to your system.  Saving to the Downloads folder should be the default on your system.

 

Go to the folder where you saved Adwcleaner. Double click Adwcleaner  to start it.

At the prompt for license agreement, review and then click on I agree.

 

You will then see a main screen for Adwcleaner. (If you do not see it right away, minimize the other open windows so you can see Adwcleaner.)

Then click on Dashboard button.

Click the blue button "Scan Now".

 

Allow it a few minutes to finish the Scan. Let it remove what it finds.

NOTE: When it comes to the section "Pre-installed applications", you can skip that.

Please find and send the Adwcleaner "C" clean report.

In Adwcleaner, click the "Reports" button.  Look at the list of reports for the latest date & type "Clean".

Double Click that line & it will open in Notepad.   Save the file to your system and then Attach that with your reply.

 

That C clean report will be the one with the most recent Date and time at folder  C:\AdwCleaner\Logs

Thanks.  Keep me advised.

 


That is an excellent result.

I would suggest a free scan with the ESET Online Scanner
Go to https://www.eset.com/us/home/online-scanner/

Look on the top left side of the page.  Click One-time Scan

It will start a download of "esetonlinescanner_enu.exe"
Save the file to your system, such as the Downloads folder, or else to the Desktop.

Go to the saved file, and double click it to get it started.
When presented with the initial ESET options, click on "Computer Scan".

Next, when prompted by Windows, allow it to start by clicking Yes

When prompted for scan type, Click on Full scan
Look at & tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.

Have patience.  The entire process may take an hour or more. There is an initial update download.
There is a progress window display.
You should ignore all prompts to get the ESET antivirus software program.   ( e.g.  their standard program).   You do not need to buy or get or install anything else.

When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked "View detected results".

Click the blue "Save scan log" to save the log.

If something was removed and you know it is a false finding, you may click on the blue "Restore cleaned files" (in blue, at bottom).

Press Continue when all done. You should click to turn off the offer for "periodic scanning".

 


Let's wait for the completion of the ESET scan. Meantime I need for you to Close and Exit out of all web browsers.

Please Exit all game programs, if any are open.

Please close all Instant messenger programs, if any are running

You keep reporting that "osiris" pops up  & that has me concerned.    Need to re-double efforts to tighten up this system.

Do not do any downloads on your own.  Do not do any web surfing of any sort.


The scan by ESET found zero threats.   This is the content of the ESET run log.

07.07.2020 14:11:45
Scanned files: 864002
Files detected: 0
Files cleaned: 0
Total scan time: 02:18:22
Scan Status: Finished

.

As a one time run, here is what I suggest next.

Please read all of these lines first so that it is all clear to you about our plan. I need a one time run of MBAR like listed here, please.

Please download Malwarebytes Anti-Rootkit (MBAR) from this link here

and save it to your desktop.

 

Double-click on the MBAR file and allow it to run.

  • Click OK on the next screen, to allow the package to extract the contents of the file to its own folder named mbar.
  • mbar.exe will launch automatically. On some systems, this may take a few extra seconds. Please be patient and wait for the program to open.
  • After reading the Introduction, click 'Next' if you agree.
  • On the Update Database screen, click on the 'Update' button.
  • Once you see 'Success: Database was successfully updated' click on 'Next', then click the Scan button.

With some infections, you may see two message boxes:

1. 'Could not load protection driver'. Click 'OK'.
2. 'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.

  • If malware is found, press the Cleanup button when the scan completes.

Please attach the log it produces; you'll find the log in that mbar folder as MBAR-log-<date and time>***.txt. Please attach that to your next reply.
 

 


Hello!

Scan completed, it didn't find anything, I am attaching the log. :) And I'm happy to say that the virus hasn't reappeared for about 2 hours. But I'm not convinced that my computer is now completely safe.

The virus may not have reappeared because:

When osiris reappeared I opened Process Explorer and typed "Osiris" in Find Handle or DLL. explorer.exe showed up running Osiris.dll. I task-killed it, the whole screen turned white, I pressed Ctrl+Alt+Delete and opened a new task "explorer". Then I deleted osiris, and it still hasn't shown up.

I am attaching the log here :)

system-log.txt
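An added example, not code from this thread or from Malwarebytes: a PowerShell script that does the two checks the post above did by hand in Process Explorer, listing which running processes have a module whose name matches 'osiris' loaded, and whether any Run key or scheduled task references that name (the kind of autostart entry that would restore a file after it is deleted). The default pattern 'osiris' is taken from the thread; the script name and function names are assumptions. Run it from an elevated PowerShell window so the modules of all processes can be read.

```powershell
# Added example, not from the thread. Looks for a DLL name (default 'osiris', the
# name from this thread) in two places: modules loaded by running processes, and the
# autostart locations that could re-drop or re-register it after deletion.
param([string]$Pattern = 'osiris')

# Which processes currently have a module loaded whose name matches the pattern?
# (Same question the poster answered by hand with Process Explorer's "Find Handle or DLL".)
function Find-LoadedModule {
    param([string]$Pattern)
    foreach ($proc in Get-Process) {
        try { $mods = $proc.Modules } catch { continue }   # protected processes deny access
        foreach ($m in $mods) {
            if ($m.ModuleName -like "*$Pattern*") {
                [pscustomobject]@{ Process = $proc.ProcessName; PID = $proc.Id; Module = $m.FileName }
            }
        }
    }
}

# Does anything in the user/machine Run keys or a scheduled task reference the name?
# A file that comes back after deletion is usually being restored by something that
# starts with the session, so this is where to look before deleting it again.
function Find-AutostartReference {
    param([string]$Pattern)
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            # Skip the PS* provider metadata properties; compare the value text only
            if ($p.Name -notlike 'PS*' -and "$($p.Value)" -like "*$Pattern*") {
                [pscustomobject]@{ Source = $key; Name = $p.Name; Value = "$($p.Value)" }
            }
        }
    }
    foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        foreach ($a in $task.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            if ($cmd -like "*$Pattern*") {
                [pscustomobject]@{ Source = 'ScheduledTask'; Name = $task.TaskName; Value = $cmd }
            }
        }
    }
}

"Processes with a module matching '$Pattern':"
Find-LoadedModule -Pattern $Pattern | Format-Table -AutoSize
"Autostart entries referencing '$Pattern':"
Find-AutostartReference -Pattern $Pattern | Format-Table -AutoSize
```

An empty second table alongside a non-empty first one means the file is held by a live process but nothing in these autostart locations re-creates it, which is consistent with what the poster observed after restarting explorer.exe.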


I need to ask if you have been using web browser(s) and have been doing web surfing?

If so, how many different sites? Using which web browser?

You sent me one log.  I need you to find & then attach the one with the name mbar-log-2020-07-07


The result from the MBAR anti-rootkit scan is all good.  I would like for you to do all that follows.  Just take your time / do not rush.

And when you go to start Chrome, only start it from the entry on the Windows 10 Start menu. Do not use the shortcut off of the taskbar or any other shortcut such as one on the desktop. It is possible perhaps that one of those shortcut links is problematic.

I want to be sure that Chrome is free of malvertising  ( ie, malicious adwares).   I also want to be sure that Chrome is "beefed up".  Meaning more secure.

I would suggest what follows below.

[ 1 ]

Set the Chrome  Google   "sync"  to OFF.

Use Chrome browser   to go to https://www.google.com/settings/chrome/sync and sign into your account.
Scroll down until you see the "reset sync" button and click on the button
At the prompt click on "Ok".

[ 2 ]

for Chrome, while Chrome is running:
Press & hold SHIFT+CTRL+Del keys  on keyboard to get menu for clearing browsing data:

Check mark the line  "Browsing history"

Check mark the line "Download history"

Check mark the line "Cached images and files"
and press Clear Data button  ( in blue )

[ 3 ]

After that, make real sure that Chrome is "NOT" set to reload the pages from the last session

Go into the settings menu of Chrome by first clicking the control icon of Chrome on the upper right of the address bar.

Then look deeper in SETTINGS


 

Make real sure it is "NOT" set to "continue where you left off"

.

[ 4 ]

See this article on our Malwarebytes Blog
https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

 

You want to disable the ability of each web browser on this machine from being able to allow "push ads". That means Chrome, Firefox, or Edge browser (on Windows 10), or on Opera.

Scroll down to the tips section "How do I disable them".

[ 5 ]

I suggest you install the Malwarebytes Browser guard for Chrome.

To get & install the Malwarebytes Browser Guard extension for Chrome,

 

Open this link in your Chrome   browser: 

https://chrome.google.com/webstore/detail/malwarebytes/ihcjicgdanjaechkgeegckofjjedodee

 

Then proceed with the setup.

 

[ 6 ]

I would like you to do a search to see if there may be any traces of some 'thing' called osiris.

You have the FRSTENGLISH  tool on the Downloads folder.   We will use that to do a search.

Find then start FRSTENGLISH
Type the following (better yet, use COPY then Paste) into the search box exactly as shown, then press the Search Files button.
 

SearchAll: osiris


 
Please wait while the program searches for all entries relating to this program, when done a  search.txt    log will be saved to the desktop. Please attach this log to your next reply. 

Thanks for your patience.


This search found "no" traces of something named "osiris" as a file, a folder, nor a "registry" trace.

Nada. Zero.

To this point, I would remind us that the ESET online scanner reported no virus / no malware.

The Malwarebytes anti-rootkit tool found no rootkit / no malware.

There is a little bit of housekeeping cleanup to remove 2 trace leftovers of AVG / Avast.  Actually, there are a large number of AVG & Avast drivers left on the system.   This pc does have Bitdefender.   So these AVG & Avast drivers make for potential conflicts & interference.

.

Delete the prior copy of Fixlist.txt   that I had you save.   I am attaching a new one.

This custom script is for  Infernus  only / for this machine only.

 
Close and save any open work files before starting this procedure. 

I am sending a  new  custom Fix script which is going to be used by the FRSTENGLISH tool. They will both work together as a pair.

Please RIGHT-click the (attached file named) FIXLIST and select "Save link as" and save it directly (as is) to the Downloads folder.

The tool named FRSTENGLISH.exe is already in the Downloads folder.
Start Windows Explorer and then go to the Downloads folder.

RIGHT-click on FRSTENGLISH and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow it to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool,
click the "More info" line on that screen
and click the "Run anyway" button on the next screen.

on the FRSTENGLISH window:
Click the Fix button just once, and wait.

 
PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   

Fixlist.txt
