HELP! Downloaded fake MWB antivirus, and it's a trojan

[manubra]

Hello,

The Internet was very broken today, (It was my whole area but I didn't know) soo after restarting everything my last guess was a virus. I didn't have MWB antivirus installed but since its the only antivirus I know that I can trust, I wanted to Install it and run a check.

After installing, It did nothing and I realized it's a fake antivirus/trojan.I quickly installed the real antivirus and started my 14 day promium trial.. Now I'm getting messages that a trojan has been blocked every minute and the virus just keeps trying to connect to something while getting blocked. While it's good thatit gets blocked, I just want to get rid of it! I've ran a custom scan and it didn't find it. A scan for root kits also didn't find it.

The messages I'm getting all look like this, always the same IP and it's trying every minute. No scan has detected it.. It says it's an outbound connection wich I understand as: there is something on you're computer that is trying to reach it's virus master website or whatever.
Here is a copy of one of those alerts:

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 8/30/20
Protection Event Time: 8:09 PM
Log File: f5c95a5a-eaeb-11ea-820c-b42e9993be59.json

-Software Information-
Version: 4.2.0.82
Components Version: 1.0.1025
Update Package Version: 1.0.29235
License: Trial

-System Information-
OS: Windows 10 (Build 18362.1016)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Windows\SysWOW64\nslookup.exe, Blocked, -1, -1, 0.0.0, , 

-Website Data-
Category: Trojan
Domain: 
IP Address: 37.1.206.213
Port: 80
Type: Outbound
File: C:\Windows\SysWOW64\nslookup.exe

(end)
 

I feel really stupid for downloading the wrong antivirus but since it already happened, I hope that somebody can help me...

[kevinf80]

Hello manubra and welcome to Malwarebytes, Run the following: Download Farbar Recovery Scan Tool and save it to your desktop. Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version. If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way... Be aware FRST must be run from an account with Administrator status... When you`ve downloaded FRST64.exe, rename it to FRST64English.exe...   Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.) Make sure Addition.txt is checkmarked under "Optional scans"   Press Scan button to run the tool.... It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply. The tool will also make a log named (Addition.txt) Please attach that log to your reply. Thank you, Kevin..

[manubra]

Hello, thank you for you're help.

Here are the requested files:

FRST.txt Addition.txt

[kevinf80]

Hello manubra,

Unfortunately I cannot open your logs, unexplained issue after Forum update. I`ll get back to you as soon as I can...

Thank you,

Kevin

[manubra]

Hello Kevin,

 

I had some issues with uploading, getting 404 errors on the MWB forums and failed uploads..

I’ve put em into google cloud for you:

https://drive.google.com/file/d/18JIUb1rPA4jbeb6z-LTkq5YD8WI9ME7F/view?usp=drivesdk

https://drive.google.com/file/d/1KmJkuIE4bmFN0F3T_r8jenxJ6vyT0r88/view?usp=drivesdk

 

..Hope this helps,

best regards 

manubra

[manubra]

Oh, just realized that most of the text on these files is german.. hope you can understand it

#Ooof

if not, I’ll try to get them in English.. but I could only do this again, tomorrow 

[kevinf80]

If you rename FRST64 to FRST64English the logs will then be generated in English. Hopefully the Forum will be sorted soon....

[kevinf80]

Managed to get through your logs in the links you provided, lets see if I can create a reply and fix for you...

Continue:

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from. NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work. NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone. Run FRST or FRST64 and press the Fix button just once and wait. If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply. Note: If the tool warned you about an outdated version please download and run the updated version. NOTE-1: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The following directories are emptied:   Windows Temp Users Temp folders Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History Recently opened files cache Flash Player cache Java cache Steam HTML cache Explorer thumbnail and icon cache BITS transfer queue (qmgr*.dat files) Recycle Bin Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix. The system will be rebooted after the fix has run. Next, Open Malwarebytes, select > "settings" > "security tab" Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on.... Go back to "DashBoard" select the Blue "Scan Now" tab...... When the scan completes quarantine any found entries... To get the log from Malwarebytes do the following:   Single click on the target sight above scanner window. In the new window select Report Double click on the Scan log which shows the Date and time of the scan just performed. Click Export > From export you have two options: Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply Export toTxt - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply   Please use "Export to Txt" then attach the log to your reply... Next, Download AdwCleaner by Malwarebytes onto your Desktop. Or from this Mirror   Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users) Accept the EULA (I accept), then click on Scan Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Quarantine button. This will kill all the active processes Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply Next, Download "Microsoft's Safety Scanner" and save direct to the desktop Ensure to get the correct version for your system.... https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download Right click on the Tool, select “Run as Administrator” the tool will expand to the options Window In the "Scan Type" window, select Quick Scan Perform a scan and Click Finish when the scan is done. Retrieve the MSRT log as follows, and post it in your next reply: 1) Select the Windows key and R key together to open the "Run" function 2) Type or Copy/Paste the following command to the "Run Line" and Press Enter: notepad c:\windows\debug\msert.log The log will include log details for each time MSRT has run, we only need the most recent log by date and time.... Let me see those logs in your reply.... Thank you, Kevin

 

fixlist.txt

Edited August 31, 2020 by kevinf80
typing error

[kevinf80]

It seems that the attached file "Fixlist.txt" will not open correctly. Use the following instead...

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it and select copy. Paste this into the open notepad. Save it to the same place as FRST as fixlist.txt     Start:: CloseProcesses: SystemRestore: On CreateRestorePoint: Startup: C:\Users\manubra\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Folding@home.lnk [2020-04-01] ShortcutTarget: Folding@home.lnk -> C:\Program Files (x86)\FAHClient\HideConsole.exe (Keine Datei) InternetURL: C:\Users\manubra\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\grodoBow.url -> URL: "C:\Users\manubra\AppData\Roaming\grodoBow\FdkNZKSDZEJcy.vbs" C:\Users\manubra\AppData\Roaming\grodoBow InternetURL: C:\Users\manubra\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GurenSoft.url -> URL: "C:\Users\manubra\AppData\Roaming\GurenSoft\bNeMWyty.vbs" C:\Users\manubra\AppData\Roaming\GurenSoft S3 cpuz148; \??\C:\Windows\temp\cpuz148\cpuz148_x64.sys [X] AlternateDataStreams: C:\Users\Public\Shared Files:VersionCache [238] Folder: C:\Users\manubra\Desktop\6d3cd7c981f9496a9f0ba6c811ffd0c5 Folder: C:\Users\manubra\AppData\Local\gtk-2.0 Folder: C:\Users\manubra\AppData\Local\babl-0.1 CMD: winmgmt /verifyrepository Hosts: EmptyTemp: end::   NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system Run FRST/FRST64 and press the Fix button just once and wait. The tool will generate a log (Fixlog.txt) please post it in your reply.

Edited August 31, 2020 by kevinf80

[manubra]

Alright, here are the requested files.

Thank you again, for you're continued support.. I really appreciate it

ADWC_AdminRun.txt MSERT_Log.txt

[kevinf80]

Did you run the FRST fix...?

[manubra]

25 minutes ago, kevinf80 said:

Did you run the FRST fix...?

Oh yeah.. sorry, I forgot.

I didn't rename it to english.. so the log is partly in german again 😕
I'm not sure if it'll give you the same results if I run it again on english since it has eaten the Fixlist.txt..

Fixlog.txt

[kevinf80]

Hello manubra,

 

What is the current status of your system, any remaining issues or concerns...

Scan with Autoruns Please download Sysinternals Autoruns from the following link: https://live.sysinternals.com/autoruns.exe save it to your desktop. Note: If using Windows Vista, Windows 7, Windows 8/8.1 or Windows 10 then you also need to do the following:   Right-click on Autoruns.exe and select Properties Click on the Compatibility tab Under Privilege Level check the box next to Run this program as an administrator Click on Apply then click OK   Double-click Autoruns.exe to run it. Once it starts, please press the Esc key on your keyboard. Now that scanning is stopped, click on the Options button at the top of the program and verify that the following are checked, if they are unchecked, check them: Hide empty locations Hide Windows entries   Click on the Options button at the top of the program and select Scan Options... then in the Autoruns Scan Options dialog enable/check the following two options: Verify code signatures Check VirusTotal.com   Once that's done click the Rescan button at the bottom of the Autoruns Scan Options dialog and this will start the scan again, this time let it finish. When it's finished and says Ready. on the lower left of the program window, please click on the File button at the top of the program and select Save and save the file to your desktop and close Autoruns. Right click on the file on your desktop that you just saved and hover your mouse over Send To and select Compressed (zipped) Folder Attach the ZIP folder you just created to your next reply Thank you, Kevin

 

[manubra]

Hello Kevin,

I hanen't gotten any MWB warnings since yesterday and scans are all clean.
I think the trojan is actually gone..

I'm gonna purchase MWB premium, just to be a little bit safer and get some actually decent protection against scummy software xD
-> I didn't get a single message or warning from WindowsDefender, but that's to be expected if nobody trusts it.. I thought I'd never get a virus like this since I know a coupple things about em myself.
(But it was wrong since I would have never gotten it away without help.)

 

The Autoruns log is attached below:

DESKTOP-9PG4F38.rar

[kevinf80]

Hiya manubra,

Not definitely out the woods yet. Continue:

Upload a File to Virustotal Go to http://www.virustotal.com/   Click the Choose file button Navigate to the file c:\program files (x86)\mp3studio youtube downloader\mp3studiodownloader.exe Click the Scan it tab If you get a message saying File has already been analyzed: click Reanalyze file now Copy and paste the URL address back here please. Thank you, Kevin

[manubra]

Hey Kevin,

oo0oOO.. Looks like kthe programm I used to download YouTube videos for my phone library isn't all that truthfull..
https://www.virustotal.com/gui/file/fcf2051e063a5d3d81f2357aa5e8a171b4e0af7b97355fafb3375e3d0cd835c9/detection

U rekon basic windows uninstall works?

Best Regards
manubra

[kevinf80]

Hello manubra,

Use the following to remove the program and all remnants:

Revo Uninstaller Download Revo Uninstaller Portable and save it to your desktop. Right-click RevoUninstaller_Portable.zip and select Extract All. When prompted, select Browse and select Desktop to extract the files to your desktop. Right-click RevoUPort.exe and select Run as Administrator. Read and accept the End User License Agreement. Right-click the following program and select Uninstall   Program to uninstall   Revo Uninstaller will create a System Restore point. Once complete, the program's uninstaller will open. Follow the prompts to uninstall the program. Note: Do not restart the computer if prompted. In the Scanning Modes dialog box, select Advanced > Scan. On the Found leftover registry entries dialog box (if present) click Select All > Delete > Yes. On the Found leftover files and folders dialog box (if present) click Select All > Delete > Yes. Click OK if prompted, then Finish. Let me know if there are any remaining issues or concerns.... Thank you, Kevin

Edited September 3, 2020 by kevinf80
typing error

[kevinf80]

Any progress...?

[manubra]

Oh yeah I’m sorry, I’ve completely forgot about following up. Got some irl things going on atm.. I’ve successfully uninstalled that MP3 Studio and all scans show up clear.

No malicious behavior and zero blocked programs that try to reach the internet.

I‘m pretty sure it’s all gone now.

thank you so mouch (again) for you’re step-by-step instructions and for guiding me through all those steps! You really saved me from using random guides or wonky fixes.

Greatest regards 
manubra

[manubra]

Ps: want me to run and upload all scans again? I think it’s all clear since nothing shows up but ya never know..

[kevinf80]

Hello manubra,

No need to run any more scan, continue to clean up:

Right click on FRST here: C:\Users\manubra\Downloads\FRST64.exe and rename uninstall.exe when complete right click on uninstall.exe and select "Run as Administrator" If you do not see the .exe appended that is because file extensions are hidden, in that case just rename FRST64 to uninstall That action will remove FRST and all created files and folders... Next, Remove all System Restore Points: https://www.tenforums.com/tutorials/33593-delete-system-restore-points-windows-10-a.html#option2 Create clean fresh Restore Point: http://www.thewindowsclub.com/create-system-restore-point Run Windows Disk Clean Up Utility - https://neosmart.net/wiki/disk-cleanup/ Download and use a Password Management application. https://www.windowscentral.com/best-password-manager-windows From there you should be good to go... Next, Read the following links to fully understand PC Security and Best Practices, you may find them useful.... Answers to Common Security Questions and best Practices Do I need a Registry Cleaner? Take care and surf safe Kevin...

[kevinf80]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you