Jump to content

Recommended Posts

Today I noticed that my child's computer was infected by delmamora pro and moshemartin pro. It appeared as a random popup on restart and notifications that my subscription to Macafee had expired (Macafee is not installed). So, I ran Malwarebytes Pro and it found nothing. In searching these forums I came across this article which included a few scanners they had tried. There I found reference to AdwareCleaner and being as I had success with it long ago I decided to try it again. After a quick google search I was surprised to find it was purchased by Malwarebytes in 2016 and may one day become integrated into Malwarebytes Pro, see this old thread from Sept 2018.

So, my questions are:

1) Do my attached logs look clean?

2) Has there been any update as to when AdwCleaner's detection algorithms will be integrated into Malwarebytes Pro? If it isn't going to happen anytime soon at least make AdwCleaner accessible via the Malwarebytes Pro menu as I am sure I am not the only person who had no idea that to get all the protection Malwarebyes offers I needed to run something other than Pro.

thanks for reading...

mbst-grab-results.zip

Link to post
Share on other sites

Greetings,

To address the infection, please follow the instructions in this topic then create a new topic in our malware removal area by clicking here and a malware removal specialist will guide you in checking and cleaning your system of any threats.

With regards to integrating ADWCleaner, it has been a long time since integrating it into Malwarebytes was discussed publicly, so my suspicion is that they either intend to keep it separate for the foreseeable future, or it is a lower priority feature and the Developers may have been occupied with other projects.

Link to post
Share on other sites

Hello @flew-d-coop 

I am curious as to the positioning ( the presentation ) of the bogus notice "windows"  about McAfee !  Was that by any chance a small window positioned at the bottom right of the screen ?

IF yes, then .....

See this article on the Malwarebytes Blog
https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

 

You want to disable the ability of each web browser on this machine from being able to allow "push ads". That means Chrome, Firefox, or Edge browser (on Windows 10), or on Opera.

Scroll down to the tips section "How do I disable them".

 

Turn notifications on or off - Google Chrome

Web Push notifications in Firefox

 

Edited by AdvancedSetup
added additional information
Link to post
Share on other sites

  • Root Admin

Hello @flew-d-coop and :welcome:

 

Please run the following steps and post back the logs as an attachment when ready.

STEP 01

  • If you're already running Malwarebytes then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
  • If you don't have Malwarebytes installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and select Scan and let it run.
  • Once the scan is completed click on the View Report button, then the Export button and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know in your next reply.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Right-click on the program and select RunAsAdmin.jpg Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan Now.
  • When finished, please click Clean & Repair.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Attach or Copy its content into your next reply.

 

RESTART THE COMPUTER Before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've, run the tool before you need to place a checkmark here.
  • Please attach the Additions.txt log to your reply as well.

 

Thanks

Link to post
Share on other sites

3 hours ago, exile360 said:

Greetings,

To address the infection, please follow the instructions in this topic then create a new topic in our malware removal area by clicking here and a malware removal specialist will guide you in checking and cleaning your system of any threats.

With regards to integrating ADWCleaner, it has been a long time since integrating it into Malwarebytes was discussed publicly, so my suspicion is that they either intend to keep it separate for the foreseeable future, or it is a lower priority feature and the Developers may have been occupied with other projects.

I've looked at the instructions in this topic and I believe everything that was asked for is included within the zip file I attached in my original post. Do I really need to create another topic under Windows Malware Removal Help & Support or would this post suffice as it is under Windows Malware Removal Help & Support?

I am running another scan and will attach the results shortly.

Link to post
Share on other sites

1 hour ago, Maurice Naggar said:

Hello @flew-d-coop 

I am curious as to the positioning ( the presentation ) of the bogus notice "windows"  about McAfee !  Was that by any chance a small window positioned at the bottom right of the screen ?

IF yes, then .....

See this article on the Malwarebytes Blog
https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

 

You want to disable the ability of each web browser on this machine from being able to allow "pu

4 minutes ago, flew-d-coop said:

I've looked at the instructions in this topic and I believe everything that was asked for is included within the zip file I attached in my original post. Do I really need to create another topic under Windows Malware Removal Help & Support or would this post suffice as it is under Windows Malware Removal Help & Support?

I am running another scan and will attach the results shortly. 

sh ads". That means Chrome, Firefox, or Edge browser (on Windows 10), or on Opera.

Scroll down to the tips section "How do I disable them".

 

Turn notifications on or off - Google Chrome

Web Push notifications in Firefox

 

Yes, I learned about www1a.delmamora.pro and www1a.moshemartin.pro via the notification below. I will need to read up on your provide links about push notification and decide if they all should be disabled. In the meantime, I will just make sure I let my son know not to click on them.

image.png.6cd01d050629057f13fbb6bffcd12c9c.png

Link to post
Share on other sites

1 hour ago, AdvancedSetup said:

Hello @flew-d-coop and :welcome:

 

Please run the following steps and post back the logs as an attachment when ready.

STEP 01

  • If you're already running Malwarebytes then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
  • If you don't have Malwarebytes installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and select Scan and let it run.
  • Once the scan is completed click on the View Report button, then the Export button and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know in your next reply.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Right-click on the program and select RunAsAdmin.jpg Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan Now.
  • When finished, please click Clean & Repair.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Attach or Copy its content into your next reply.

 

RESTART THE COMPUTER Before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've, run the tool before you need to place a checkmark here.
  • Please attach the Additions.txt log to your reply as well.

 

Thanks

STEP 01

I ran Malwarebytes Pro a second time but it once again reported nothing found. 

STEP 02

Likewise AdwCleaner did not find anything additional the second time it was run

STEP 03

I believe the newly attached output from Malwarebytes Support Tool Version 1.6.2.802 include the logs you requested .

 

mbst-grab-results.zip

Link to post
Share on other sites

  • Root Admin

The main issue or complaint is due to the Google Chrome setting listed here.

 

CHR Notifications: Default -> hxxps://www1a.delmarmora.pro; hxxps://www1d.moshemartin.pro

That setting tells Chrome to allow these sites to push anything they want to the desktop such as Ads, Alerts, good or bad. Highly recommended to remove.

If you want to go through and extensively clean up Google Chrome we have the following article to assist.

https://forums.malwarebytes.com/topic/258938-resetting-google-chrome-to-clear-unexpected-issues/

 

I do not see any obvious infections on the computer. I have listed some recommendations below as well as a generic clean up script you can run if wanted.

 

7 hours ago, flew-d-coop said:

Today I noticed that my child's computer was infected by delmamora pro and moshemartin pro. It appeared as a random popup on restart and notifications that my subscription to Macafee had expired (Macafee is not installed). So, I ran Malwarebytes Pro and it found nothing. In searching these forums I came across this article which included a few scanners they had tried. There I found reference to AdwareCleaner and being as I had success with it long ago I decided to try it again. After a quick google search I was surprised to find it was purchased by Malwarebytes in 2016 and may one day become integrated into Malwarebytes Pro, see this old thread from Sept 2018.

So, my questions are:

1) Do my attached logs look clean?

2) Has there been any update as to when AdwCleaner's detection algorithms will be integrated into Malwarebytes Pro? If it isn't going to happen anytime soon at least make AdwCleaner accessible via the Malwarebytes Pro menu as I am sure I am not the only person who had no idea that to get all the protection Malwarebyes offers I needed to run something other than Pro.

thanks for reading...

1. Some minor things to review below

2. Yes, it is on the roadmap to be integrated but due to various issues, it has stalled off and on. Eventually, that is still the plan, but there are still some issues to be resolved internally before that happens so I don't have any valid time frame for that to happen.

 

 

The system is running CCleaner which most Experts no longer recommend using since it was sold out a few years ago. The choice is yours though.
The computer has an old compromised version of Java on it. I would recommend if at all possible to not use Java but if you really have to have it then always uninstall older versions and keep it up to date at all times https://java.com 
 

The following Firewall blocks are in place. I'm not saying they should be unblocked, just making you aware they are in place is all.

FirewallRules: [UDP Query User{29C113FF-325C-431F-9567-3239745AD117}C:\program files (x86)\epic games\launcher\portal\binaries\win64\epicgameslauncher.exe] => (Block) C:\program files (x86)\epic games\launcher\portal\binaries\win64\epicgameslauncher.exe (Epic Games Inc. -> Epic Games, Inc.)
FirewallRules: [TCP Query User{16686DF9-FA6C-4C9E-B3F3-40E5BF683483}C:\program files (x86)\epic games\launcher\portal\binaries\win64\epicgameslauncher.exe] => (Block) C:\program files (x86)\epic games\launcher\portal\binaries\win64\epicgameslauncher.exe (Epic Games Inc. -> Epic Games, Inc.)
FirewallRules: [TCP Query User{01B6935C-79CE-4551-8A1A-DE82258F6328}C:\riot games\league of legends\rads\projects\league_client\releases\0.0.0.147\deploy\leagueclient.exe] => (Block) C:\riot games\league of legends\rads\projects\league_client\releases\0.0.0.147\deploy\leagueclient.exe (Riot Games, Inc. -> )
FirewallRules: [UDP Query User{5EFBEF61-64DB-46D9-96C4-9D4375C3AB76}C:\riot games\league of legends\rads\projects\league_client\releases\0.0.0.147\deploy\leagueclient.exe] => (Block) C:\riot games\league of legends\rads\projects\league_client\releases\0.0.0.147\deploy\leagueclient.exe (Riot Games, Inc. -> )
FirewallRules: [TCP Query User{1B40A136-9EA0-4D33-82B0-5E4DD0D54095}C:\program files\epic games\fortnite\fortnitegame\paladins\binaries\win64\paladins.exe] => (Block) C:\program files\epic games\fortnite\fortnitegame\paladins\binaries\win64\paladins.exe (Hirez Studios, Inc.) [File not signed]
FirewallRules: [UDP Query User{E2403CA1-FB02-44F2-BDD1-398D06763AF3}C:\program files\epic games\fortnite\fortnitegame\paladins\binaries\win64\paladins.exe] => (Block) C:\program files\epic games\fortnite\fortnitegame\paladins\binaries\win64\paladins.exe (Hirez Studios, Inc.) [File not signed]
FirewallRules: [TCP Query User{521EB2F2-7508-43EB-B5B5-54CDB62E0C0C}C:\program files\epic games\fortnite\fortnitegame\paladins\binaries\win64\paladins.exe] => (Block) C:\program files\epic games\fortnite\fortnitegame\paladins\binaries\win64\paladins.exe (Hirez Studios, Inc.) [File not signed]
FirewallRules: [UDP Query User{BCF61E38-12B0-47F1-AE52-E4F174FCE8E3}C:\program files\epic games\fortnite\fortnitegame\paladins\binaries\win64\paladins.exe] => (Block) C:\program files\epic games\fortnite\fortnitegame\paladins\binaries\win64\paladins.exe (Hirez Studios, Inc.) [File not signed]

 

The Dell Digital Delivery service is crashing. Normally when there are Software deals offered with the purchase of a new computer Dell will use this method to allow you to download the software once your computer is setup. You may want to verify that any wanted software has been downloaded and saved and then if wanted you could turn this off. If you still want or need it then you should investigate why it's crashing.

Error: (07/23/2020 03:18:13 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: DeliveryService.exe, version: 3.5.2013.0, time stamp: 0x5d025c33
Faulting module name: KERNELBASE.dll, version: 10.0.18362.959, time stamp: 0x51671cfe
Exception code: 0xe0434352
Fault offset: 0x001143d2
Faulting process id: 0xf78
Faulting application start time: 0x01d66125ff273f42
Faulting application path: C:\Program Files (x86)\Dell Digital Delivery\DeliveryService.exe
Faulting module path: C:\WINDOWS\System32\KERNELBASE.dll
Report Id: dc927f9c-f54b-4e96-ac36-523863027fd5
Faulting package full name:
Faulting package-relative application ID:

Error: (07/23/2020 03:18:10 PM) (Source: .NET Runtime) (EventID: 1026) (User: )
Description: Application: DeliveryService.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.IO.FileNotFoundException
   at Dell.ClientFulfillmentService.ClientFulfillmentService.RetrieveAppConfig()
   at Dell.ClientFulfillmentService.ClientFulfillmentService.ProcessAppConfig()
   at Dell.ClientFulfillmentService.ClientFulfillmentService.InitializeService(System.Object)
   at System.Threading.TimerQueueTimer.CallCallbackInContext(System.Object)
   at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
   at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
   at System.Threading.TimerQueueTimer.CallCallback()
   at System.Threading.TimerQueueTimer.Fire()
   at System.Threading.TimerQueue.FireNextTimers()
   at System.Threading.TimerQueue.AppDomainTimerCallback(Int32)

 

There are some other issues when services are loading. This could be due to the software itself having an issue or possibly one or more security applications are blocking it or interfering with it.

System errors:
=============
Error: (07/23/2020 03:21:25 PM) (Source: Service Control Manager) (EventID: 7022) (User: )
Description: The Update Orchestrator Service service hung on starting.

Error: (07/23/2020 03:18:41 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Dell Digital Delivery Service service terminated unexpectedly.  It has done this 1 time(s).

Error: (07/23/2020 03:14:46 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Origin Web Helper Service service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.

Error: (07/23/2020 03:14:46 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (45000 milliseconds) while waiting for the Origin Web Helper Service service to connect.

Error: (07/23/2020 10:01:50 AM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Dell Digital Delivery Service service terminated unexpectedly.  It has done this 1 time(s).

Error: (07/23/2020 10:00:18 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Dell Help & Support service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.

Error: (07/23/2020 10:00:18 AM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Dell Help & Support service to connect.

Error: (07/23/2020 09:57:41 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Origin Web Helper Service service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.

 

The version of AdwCleaner had some issues with hangs that have been corrected in the latest 8.0.7 version available now.

 

I would recommend you manually double-check and verify this is a valid Dell scheduled task and it's doing something worthwhile on the system
C:\WINDOWS\Tasks\RunDLC.job => cmd c sc start Dell Help SupportJR_NETWORK ELISA

 

 

 

GENERIC CLEAN UP SCRIPT

Make sure you fully disable Avast and exit out of Malwarebytes when running this fix.

 

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks


 

Edited by AdvancedSetup
updated information
Link to post
Share on other sites

  • Root Admin

Thank you @flew-d-coop

 

SecurityCheck by glax24              

I would like you to run a tool named SecurityCheck to inquire on the current-security-update  status  of some applications.

  • Download SecurityCheck by glax24 from here  https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
  • and save the tool on the desktop.
  • If Windows's  SmartScreen block that with a message-window, then
  • Click on the MORE INFO spot and over-ride that and allow it to proceed.
  • This tool is safe.   Smartscreen is overly sensitive.
  • Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"   and reply YES to allow to run & go forward
  • Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file.  Attach it with your next reply.
  • You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

 

Link to post
Share on other sites

9 hours ago, AdvancedSetup said:

Thank you @flew-d-coop

 

SecurityCheck by glax24              

I would like you to run a tool named SecurityCheck to inquire on the current-security-update  status  of some applications.

  • Download SecurityCheck by glax24 from here  https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
  • and save the tool on the desktop.
  • If Windows's  SmartScreen block that with a message-window, then
  • Click on the MORE INFO spot and over-ride that and allow it to proceed.
  • This tool is safe.   Smartscreen is overly sensitive.
  • Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"   and reply YES to allow to run & go forward
  • Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file.  Attach it with your next reply.
  • You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

 

 

SecurityCheck.txt

Link to post
Share on other sites

  • Root Admin

Thanks, here are the results from that log to review.


--------------------------- [ OtherUtilities ] ----------------------------
Dell SupportAssist v.1.1.6664.93 Warning! Download Update

Microsoft Office Standard 2010 v.14.0.7015.1000 Warning! This software is no longer supported. Please use latest Microsift Office, Office Online or LibreOffice


--------------------------- [ AdobeProduction ] ---------------------------
Adobe Flash Player 31 NPAPI v.31.0.0.108 Warning! Download Update
Adobe Flash Player 31 PPAPI v.31.0.0.108 Warning! Download Update


------------------------------- [ Browser ] -------------------------------

Brave v.0.17.13 Warning! Download Update

SafeZone Stable 1.48.2066.114 v.1.48.2066.114 Warning! This software is no longer supported.

 

 

Is there anything else we can assist you with before closing up here?

 

Link to post
Share on other sites

  • 2 weeks later...
  • Root Admin

Excellent. Very glad we were able to assist you.

I will go ahead and close your topic and leave  you a link with information to help you better protect you computer data and privacy going forward. No rush to read or do everything simply bookmark the link and as you have time read and review the information.

Take care and stay safe out there and have a good week

 

Link to post
Share on other sites

  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you

 

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.