Am I Infected?



Hello,

My name is Maurice. Let me know what name you prefer to go by.

The log report from Malwarebytes you sent is an old one from May.

 

I would appreciate getting some key details from this machine.
NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer; please allow the programs to run if blocked by your system.

Do have patience while the report tool runs. It may take several minutes. Just let it run and take its time. You may want to close your other open windows so that there is a clear field of view.

Download Malwarebytes Support Tool

Once the file is downloaded, open your Downloads folder (or the location of the downloaded file).
Double-click mb-support-1.7.0.827.exe to run the report.

Once it starts, you will see a first screen with 2 buttons. Click the one on the left marked "I don't have an open support ticket".

You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.

Place a checkmark next to Accept License Agreement and click Next.
Now click the left-hand side pane "I do not have an open support ticket".

You will be presented with a page stating "Get Started!"
Do NOT use the button "Start repair"! Look instead at the far-left options list in black.

Click the Advanced tab on the left column.

Click the Gather Logs button.

A progress bar will appear and the program will proceed with getting logs from your computer. Please do have patience. It takes several minutes to gather.

Upon completion, a file named mbst-grab-results.zip will be saved to your Desktop. Click OK. Then Exit the tool.

Please attach the ZIP file in your next reply.

Sincerely,

Maurice


Hello Maurice, my name is Peter. The MB's report I sent is NOT old, it is from yesterday. I mentioned that the dates on the reports are wrong when I open them up. The dates are correct in the summary view but not when I view the individual reports. Also, downloaded the .exe file and my computer won't let it run. I keep getting the message, "This program is blocked by group policy. For more information contact your system administrator." I tried right clicking and running as administrator, same result. Oh and BTW, I am the administrator, small one man office here.


Sorry to hear about these extra troubles. Henceforth, please be very sure to guide the downloads that I have you do to either the Downloads folder or to the Desktop, or to wherever I specifically ask you to save them.

You happen to have let the system save the FRST64 tool to a temp folder, C:\Users\Ridge Roofing\Documents\Current Data\temp

I need you to go to that folder, then right-click on FRST64 and select RENAME, and rename it to

gazork.exe

and then copy the gazork file from there to the DESKTOP.

We will use the renamed gazork file so that we can do special runs with it. This is a first step to start with so we can overcome the entries that block a lot of things from running.

(If you cannot do that, then RIGHT-click on this link and, in the browser options that show, select "Save As", guide it to the Desktop folder, and also change the name in the white box to

gazork.exe

and then press the Enter key and watch for the save to complete.)

At this point, we should have gazork on the Desktop.

Just to be very safe, please do not do any shopping online, banking, or anything to do with money until after this case is Closed.

Do not do any web surfing or use social media apps or instant messengers until after this case is Closed.

There are a very large number of very suspicious settings on this PC at this point that look like they are designed to prevent anything from running.

There are also 2 very suspicious EXE files in the Documents folder that have multiple tasks (repeating tasks) to run those EXE files.

It is not normal to have executable programs running out of the Documents folder, nor to have them set many times as automatic PC tasks.

We will need to do much more after this first pass. Much patience is needed, and please do things carefully.

The system will be rebooted after the script has run.

This custom script is for Ridgeman only / for this machine only.

Close and save any open work files before starting this procedure.

I am sending a custom Fix script which is going to be used by the gazork (FRST64) tool. They will both work together as a pair.

Please RIGHT-click the attached file named FIXLIST, select "Save link as", and save it directly (as is) to the DESKTOP folder.

Start Windows Explorer and go to the Desktop folder.

RIGHT-click on gazork, select "Run as administrator", and allow it to proceed. Reply YES when prompted to allow it to run. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool:
click the "More info" line on that screen
and click the "Run anyway" button on the next screen.

On the FRST window:
Click the Fix button just once, and wait.

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply, at your next opportunity.

Please know this will do a Windows Restart. Just let it do its thing.

Fixlist.txt

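The reply above names two things worth checking on a machine like this: policy entries that stop programs from running (Peter's "This program is blocked by group policy" message) and scheduled tasks that repeatedly launch executables out of the Documents folder. The following is an added, read-only PowerShell audit that lists both; it is not Maurice's script and not code from FRST or Malwarebytes. It assumes Windows PowerShell 5.1 or later with the ScheduledTasks module, an elevated prompt (so HKLM policy keys and all tasks are readable), and that the "blocked by group policy" message comes from Software Restriction Policy, whose rules live under the Safer\CodeIdentifiers registry keys. The function names and the $SuspectPath pattern are my own choices.

```powershell
# Added example for this thread (not the helper's script, not FRST or Malwarebytes
# code). Read-only audit of the two findings described above: Software Restriction
# Policy rules that produce "This program is blocked by group policy", and scheduled
# tasks that run executables out of a user profile folder such as Documents.
# Assumes Windows PowerShell 5.1+ with the ScheduledTasks module, run elevated.

# Registry locations of Software Restriction Policy (SRP) rules, machine and user.
$SrpRoots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
)

function Get-SrpRules {
    foreach ($root in $SrpRoots) {
        if (-not (Test-Path -Path $root)) { continue }
        # DefaultLevel 0 means "everything is Disallowed unless a rule allows it";
        # 262144 (0x40000) means Unrestricted by default.
        $default = (Get-ItemProperty -Path $root -ErrorAction SilentlyContinue).DefaultLevel
        [pscustomobject]@{ Hive = $root; Level = $default; Rule = '<DefaultLevel>' }
        # Each numeric subkey is a security level; its Paths subkey holds path rules.
        foreach ($levelKey in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $pathsKey = $levelKey.PSPath + '\Paths'
            if (-not (Test-Path -Path $pathsKey)) { continue }
            foreach ($rule in Get-ChildItem -Path $pathsKey) {
                $data = Get-ItemProperty -Path $rule.PSPath
                [pscustomobject]@{
                    Hive  = $root
                    Level = $levelKey.PSChildName   # 0 = Disallowed, 262144 = Unrestricted
                    Rule  = $data.ItemData          # path pattern the rule applies to
                }
            }
        }
    }
}

# Paths under a user profile that should not normally host scheduled-task binaries.
# Constructed pattern for this example; widen or narrow it for your own environment.
$SuspectPath = '(?i)\\Users\\[^\\]+\\(Documents|Downloads|Desktop|AppData)\\'

function Get-UserProfileTasks {
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($action in $task.Actions) {
            $exe = $action.Execute
            if (-not $exe) { continue }   # not an Exec action (e.g. a COM handler)
            $expanded = [Environment]::ExpandEnvironmentVariables($exe.Trim('"'))
            if ($expanded -notmatch $SuspectPath) { continue }
            # Repetition intervals (e.g. PT5M) are the "repeating tasks" pattern.
            $repeat = @($task.Triggers | ForEach-Object { $_.Repetition.Interval } |
                        Where-Object { $_ }) -join ','
            [pscustomobject]@{
                Task     = $task.TaskPath + $task.TaskName
                State    = $task.State
                Execute  = $expanded
                Args     = $action.Arguments
                Triggers = @($task.Triggers).Count
                Repeats  = $repeat
            }
        }
    }
}

'== Software Restriction Policy rules =='
Get-SrpRules | Format-Table -AutoSize

'== Scheduled tasks running executables from a user profile =='
$hits = @(Get-UserProfileTasks)
$hits | Format-Table -AutoSize

# The same binary wired to several tasks is exactly the pattern described above.
'== Same executable wired to more than one task =='
$hits | Group-Object -Property Execute | Where-Object { $_.Count -gt 1 } |
    Select-Object Count, Name | Format-Table -AutoSize
```

Nothing here changes the machine; it only reads the registry and the task store, so it is safe to run before any fix and again afterwards to confirm that the blocking rules and the Documents-folder tasks are gone. A DefaultLevel of 0 with only a few Unrestricted path rules is the configuration that makes almost every newly downloaded tool fail with the "blocked by group policy" message.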

I have done as you asked. A few things you should know, this is an office, it is currently 8:50 AM where I am at, I will be leaving here today at 3:00 PM and will not be back until Monday. Also, yesterday I ran payroll, did online bill pay, transferred direct pays, and online tax payments. Am I in real trouble here?

Can't I just delete these programs?

 

Thank you for the help you are giving me.

Fixlog.txt


Thanks for the Fixlog. What deletes are you referring to?

I would like for you to do 2 things, please.

[ 1 ]

Please read all of these lines first so that our plan is clear to you. I need a one-time run of MBAR as listed here, please.

Please download Malwarebytes Anti-Rootkit (MBAR) from this link here

and save it to your desktop.

Double-click on the MBAR file and allow it to run.

• Click OK on the next screen to allow the package to extract the contents of the file to its own folder named mbar.

• mbar.exe will launch automatically. On some systems, this may take a few extra seconds. Please be patient and wait for the program to open.

• After reading the Introduction, click 'Next' if you agree.

• On the Update Database screen, click on the 'Update' button.

• Once you see 'Success: Database was successfully updated', click on 'Next', then click the Scan button.

With some infections, you may see two message boxes:

1. 'Could not load protection driver'. Click 'OK'.
2. 'Could not load DDA driver'. Click 'Yes' to this message to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.

• If malware is found, press the Cleanup button when the scan completes.

Please attach the log it produces; you'll find the log in that mbar folder as MBAR-log-<date and time>***.txt. Please attach that to your next reply.

Then keep going and do what follows too.

[ 2 ]

I would like you to do a new scan with Malwarebytes for Windows. One of the major goals here is to have it remove all that it detects, if it finds anything, that is.

Start Malwarebytes from the Windows Start menu.

Click Settings (gear icon) at the top right of the Malwarebytes window. We want to see the SETTINGS window.

Then click the Security tab. Look for the section "Automatic Quarantine". Be sure it is switched On (to the far right side).

Then scroll down to the section Potentially Unwanted items. We need the next 2 lines (for PUP and for PUM) to be set to "Always (Recommended)".

You can make the change by clicking on the down-arrow selection list control. We want all PUP and PUM to be marked for removal.

Next, click the small x on the Settings line to go to the main Malwarebytes window.

Next click the blue button marked Scan.

When the scan phase is done, be real sure you Review and have all detected line items check-marked on the left. That too is very critical.

You can actually click the topmost left check-box on the very top line to get ALL lines ticked (all selected).

Then click on Quarantine selected.

Then locate the Scan run report, export a copy, and then attach it with your reply.

See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

 

 

 


One run of MBAR is enough.

This report by Malwarebytes for Windows reports no malware / no PUP. There is not an "infection".

This all would seem to be a fluke. What follows is a way to do a new and clean re-install of Malwarebytes for Windows.

Read all of this support article. Take your time and have lots of patience after the Restart, and wait for the tool to prompt you again.

This does involve a Restart. So make sure you do this after you have closed and saved your ongoing work, if any.

Do all the steps.

https://support.malwarebytes.com/hc/en-us/articles/360039023473-Uninstall-and-reinstall-Malwarebytes-using-the-Malwarebytes-Support-Tool

 

 


Yes, I did that and now it seems fine and the reports are showing the correct date. Earlier you wrote:

"There are a very large number of very suspicious settings on this PC at this point that look like they are designed to prevent anything from running..

There are also 2 very suspicious EXE files on the Documents folder that have multiple tasks (repeating tasks) to run those EXE files.

It is not normal to have executable programs running out of the Documents folder; nor to have them set many times as automatic pc tasks."

What EXE files were you talking about? And again, thank you for all the help.


Good afternoon. I hope your weekend is going well.

I do regret to read of the ongoing troubles. As far as the date issue, let's please be very sure to look at the Windows system date.

Be real sure it has the right local time zone. Be sure the year, month, and day are right.

The EXE files I mentioned are Documents\Panzer2\PANZER2.EXE and Documents\Shanghai II\shanghai.exe

As to the other things you describe, let's get a fresh report so I can review and check. This is a report only.

You may want to close your other open windows (or at least minimize them) so that there is a clear field of view.

Download Malwarebytes Support Tool

Open your Downloads folder.
Double-click mb-support-1.7.0.827.exe to run the report.

Once it starts, you will see a first screen with 2 buttons. Click the one on the left marked "I don't have an open support ticket".

You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.

Place a checkmark next to Accept License Agreement and click Next.
Now click the left-hand side pane "I do not have an open support ticket".

You will be presented with a page stating "Get Started!"
Do NOT use the button "Start repair"! Look instead at the far-left options list in black.

Click the Advanced tab on the left column.

Click the Gather Logs button.

A progress bar will appear and the program will proceed with getting logs from your computer. Please do have patience. It takes several minutes to gather.

Upon completion, a file named mbst-grab-results.zip will be saved to your Desktop. Click OK. Then Exit the tool.

Please attach the ZIP file in your next reply.

Sincerely,

Maurice


Maurice, I don't know how, but somehow over the weekend it fixed itself! Everything seems to be running fine again. Those files you mentioned were very old games which I thought I had deleted years ago. I found the files and did delete them now. Thank you again for all of your time and help. Should I keep all of the scan programs I downloaded or should I delete them?


Hello Peter. I am pleased to read things are normal. That's very good. I am glad to have helped.

To remove the FRST tool and its work files, do this. Go to your Downloads folder. Right-click on GAZORK.exe, select RENAME, and then change it to UNINSTALL.exe.
Then run that (double-click on it) to begin the cleanup process.

Now some best-practices tips.

Backup is your best friend. Keep backups of your system on a regular basis to offline storage and keep those safe. https://forums.malwarebytes.com/topic/136226-backup-software/

It is not enough to just have a security program installed. Each PC user needs to practice daily safe computer and internet use.

Best practices and malware prevention:
Follow best practices when browsing the Internet, especially when opening links coming from untrusted sources.
First rule of internet safety: slow down and think before you "click".
Never click links without first hovering your mouse over the link and seeing if it is going to an odd address (one that does not fit, is odd looking, or has typos).

Free games and free programs are like "candy". We do not accept them from "strangers".

Never open attachments that come with unexpected (out of the blue) email, no matter how enticing.
Never open attachments from the email itself. Do not double-click in the email. Always save first and then scan with an antivirus program.

Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these, as they will typically disclose what other 3rd-party software will also be installed.
Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next".

Use a Standard user account rather than an administrator-rights account when "surfing" the web.
See more info on Corrine's SecurityGarden Blog http://securitygarden.blogspot.com/p/blog-page_7.html
Don't remove (or change) your current login. Just use the new Standard-user-level one for everyday use while on the internet.

Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched prevents attackers from being able to exploit them to drop malware.

For other added tips, read "10 easy ways to prevent malware infection"

Stay safe. I wish you all the best. 😎

Sincerely,

Maurice


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you

 

 
