
Help with possible malware or viruses



Hi, I have recently noticed my gaming computer using more RAM than normal, and it takes extra long to reboot. Also, when looking under taskbar\startup, the last BIOS time has progressively gotten worse (currently 1159 when it's usually 15-19).

After installing Malwarebytes and doing a scan, the program said I had 2 bitcoin miners in my Windows Store folder, which I quarantined.

Malwarebytes no longer shows any threats; however, I keep getting website blocked message notifications.

Please help. Is there any way to clean this, or will I need to rebuild my system hard drive?


I ended task of file (C:\windows\sysWOW64\ipconfig.exe) which was in question causing MB to block websites, and the notifications stopped.

File size is 29kb. Not sure if it's malicious or not.

From what I've read, the true ipconfig.exe lives in the system32 folder and is there.

Still would like help on this issue please. I did not run a fix file for FRST because I'm not sure what I'm doing and I don't want to kill any appropriate programs.


Hi,
My name is Maurice. I will be helping and guiding you, going forward on this case.
Let me know what first name you prefer to go by.

Please follow my directions as we go along. Please do not do any changes on your own without first checking with me.

You have made 4 back-to-back posts, which would have resulted in the help team thinking that your case was answered with a reply.

Please wait for my next reply. Do not do anything else on your own. I will have something for you after I digest all your posts.

 


Oh sorry, on my last restart before I saw your post, I found a program named umaJoin under the Startup tab in Task Manager. After disabling it, it seems that the ipconfig.exe under sysWOW64 is not running.

PC is still slow to reboot. Mind you, this is pretty new hardware (intel 8700k, 16gb ram) and usually reboots fairly quickly.


What the Malwarebytes for Windows web protection STOPPED were outbound attempts to some IP address

37.1.206.213

The web protection of Malwarebytes trial is keeping the PC safe. The block notice is courtesy advice.

I need you to UNDO whatever change to IPCONFIG that you mention you had done.

 

I would suggest a free scan with the ESET Online Scanner
Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

 

It will start a download of "esetonlinescanner.exe"
Save the file to your system, such as the Downloads folder, or else to the Desktop.

Go to the saved file, and double click it to get it started.

When presented with the initial ESET options, click on "Computer Scan".

Next, when prompted by Windows, allow it to start by clicking Yes

When prompted for scan type, Click on Full scan

Look at & tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on Start scan button.

Have patience.  The entire process may take an hour or more. There is an initial update download.
There is a progress window display.
You should ignore all prompts to get the ESET antivirus software program (e.g. their standard program). You do not need to buy or get or install anything else.
When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.

Click The blue “Save scan log” to save the log.
If something was removed and you know it is a false finding, you may click on the blue “Restore cleaned files” (in blue, at bottom).
Press Continue when all done. You should click to turn off the offer for “periodic scanning”.
 

 


I presume this computer is just a home computer for home use, and that you are not on a business network.
 

You will likely have to set Windows to show all hidden folders in order to get to the AppData folder.

Just in case, let's make sure that Windows File Explorer is able to show all folders, including any hidden ones.

Use Option Two as in this article at Tenforums:

https://www.tenforums.com/tutorials/9168-show-hidden-files-folders-drives-windows-10-a.html

 

As to "umajoin": you say you did not put it there, so then delete this file

C:\Users\Mike\AppData\Roaming\umaJoin\wKsESIKg.vbs

 

Edited by Maurice Naggar
correct typo
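A read-only way to look at the two artifacts discussed in the posts above (the umaJoin startup entry that runs a .vbs from AppData\Roaming, and the two copies of ipconfig.exe), as an added PowerShell example that is not part of the original thread. It uses the built-in Win32_StartupCommand class, Get-AuthenticodeSignature and Get-FileHash; the extension and path patterns are assumptions chosen for illustration.

```powershell
# Added example (not from the thread). Read-only: it reports, and never
# disables, quarantines or deletes anything.
# Run from 64-bit PowerShell; a 32-bit host redirects System32 to SysWOW64.

# 1) Autostart entries that launch a script file or run from a
#    user-writable profile path. Patterns below are illustrative assumptions.
$scriptExt = '\.(vbs|vbe|js|jse|wsf|wsh|ps1|bat|cmd)\b'
$userPaths = '\\AppData\\(Roaming|Local)\\|\\Temp\\'

Get-CimInstance -ClassName Win32_StartupCommand | ForEach-Object {
    if (-not $_.Command) { return }          # skip entries with no command line
    $cmd = [Environment]::ExpandEnvironmentVariables($_.Command)
    [pscustomobject]@{
        Name       = $_.Name
        User       = $_.User
        Location   = $_.Location             # Run key or Startup folder
        Command    = $cmd
        IsScript   = $cmd -match $scriptExt
        InUserPath = $cmd -match $userPaths
    }
} | Where-Object { $_.IsScript -or $_.InUserPath } |
    Sort-Object IsScript, InUserPath -Descending |
    Format-List

# 2) Signature status and hash of both ipconfig.exe copies, so the file
#    can be judged on its signer rather than on its folder or size.
'System32', 'SysWOW64' | ForEach-Object {
    $path = Join-Path $env:SystemRoot "$_\ipconfig.exe"
    if (Test-Path -LiteralPath $path) {
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        [pscustomobject]@{
            Path   = $path
            Status = $sig.Status             # 'Valid' when the signature verifies
            Signer = $sig.SignerCertificate.Subject
            SHA256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
    }
} | Format-List
```

On 64-bit Windows a 32-bit copy of ipconfig.exe normally exists under SysWOW64, and many legitimate applications also autostart from AppData, so the output is a list to review, not a verdict.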

Files are already not hidden.

Enabled umajoin from startup.

Restarted PC (PC still reboots extremely slowly, about 3 mins to reboot; usually only takes seconds).

MB is now blocking websites once again.

Deleted \Users\Mike\AppData\Roaming\umaJoin\wKsESIKg.vbs

Updated ESET, scanning now.

I'm not sure if I installed umajoin or not. Any idea what it is?

 


Hello Mike.

The ESET scan detected & removed 19 files. More than half of those were in a Temporary folder, C:\Users\Mike\AppData\Local\Temp

I would caution strongly against downloading cracks / game hack tools since they are often bundled with malware.

The ESET scan found 3 such files.

.

Items in any quarantine are not affected by any Windows restart. That is also to say, a Windows restart does not revert changes.

.

Let's do 3 other scans to check this system.

[ 1 ]

You can check this system using another free tool at Microsoft, for another opinion.
The Microsoft Safety Scanner is a free stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system.
The download links & the how-to-run-the tool are at this link at Microsoft 
https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

  
Take a minute to locate & then send the log that it made, named msert.log.
It should be at C:\Windows\debug\msert.log

[ 2 ]

I would like you to do one run with the Windows System File Checker applet.

This procedure will use the Windows System File Checker tool (SFC).

Open an elevated command prompt window, i.e. run Command Prompt as an administrator.

To get the elevated command prompt, press Windows-key + X key and then select Command Prompt (Admin).

It is best to use the Windows Copy (CTRL+C) and Paste (CTRL+V) for the whole line, as-is.

On that command prompt, copy & paste this command

sfc /scannow

and tap Enter. Have patience. I would like to know the message lines at the very end, after it has finished.

.

[ 3 ]

This next section is a multi-part one for Malwarebytes for Windows. Please have patience during all of it. It should not take a great deal of time.

The overall goal is to get all latest updates and do a special run.

Start Malwarebytes. Click Settings. Then look on the General tab. Scroll down to "Beta Updates". Click that to the far right.

Scroll back up to the top and click on "Check for Updates" button.

Have patience. Follow the prompts.

The latest beta version is the one with Version 4.2.0.82 WITH Component 1.0.1036

.

Then click the SECURITY tab.
Scroll down and let's be sure the line in SCAN OPTIONS for "Scan for rootkits" is ON.
Click it to get it ON if it does not show a blue color.
Now click the small X to get back to the main menu window.

Click the SCAN button.
Select a Threat Scan (which should be the default).
When the scan phase is done, be real sure you Review and have all detected line items check-marked on each line on the left. That too is very critical.
Then click on Quarantine selected.

Be sure all items were removed. Then too, repeat the scan one more time. It does not take long.
And again, be sure all detected items are removed.

Let it remove what it has detected.
Let me know the overall status after this. We can do more, later, as needed.


msert.log

 

I did run System File Checker before I posted in the forums, and it did fix multiple corrupted files.

I also ran it after running Msert and verification is at 100% still.

Furthermore, I appreciate all of your help and I am willing to do as you ask and not make any other changes at this time.

However, I would like the ability to restore any files (after we are completely done and test them more in depth) that I may feel are not a threat to my PC and may be coming up as a False negative.

I did not see the ability to restore files cleaned with Msert, which to me poses a problem. I'd like to uninstall programs that are in question before running said programs to assure the cleanest file system possible.

When files are deleted by software it won't allow a full uninstall of the program, taking up unwanted space in my system. I'd prefer not to have to go in and delete files individually and be stuck with parts of the program I don't know the whereabouts of.

 

new log.txt


Good morning. Thanks for the reports. The scan report from Malwarebytes for Windows did not find any malware or PUP.

Adwcleaner was run by you a few days ago. If you no longer feel the need for the real-time Malwarebytes trial protections, you can set the program to not start with Windows. That is your choice. You can do that this way:

Start Malwarebytes for Windows. Click the Settings icon. Then click on the "Security" tab. Scroll down and on the line "Windows startup" click the button to the left so that it does not start with Windows automatically at each Windows start. Then close the window.

If you still feel that the Windows startup is still taking a long time, you can use the tips outlined in this Microsoft article to review and not have some applications auto start with Windows.

"How to perform a clean boot in Windows"
https://support.microsoft.com/en-us/help/929135/how-to-perform-a-clean-boot-in-windows

I would recommend doing that first.

.

The other thing I would like to review is a new run-report from FRST64, which is in the Downloads folder.

Run report with FRST64

Right-click on FRST64 and select Run as Administrator to start the tool, and reply YES to allow it to proceed and run.

Windows 10 users will be prompted about Windows SmartScreen protection - click the line More info on that screen and click the button Run anyway on the next screen.
Click YES when prompted by the Windows UAC prompt to allow it to run.
Note: If you are prompted by Windows SmartScreen, click More info & follow up & choose Run anyway.

Approve the Windows UAC prompt on Windows Vista and newer operating systems by clicking on Continue or Yes.

Click Yes when the disclaimer appears in FRST.
The tool may want to update itself - in that case you'll be prompted when the update is completed and ready to use.

Make sure that Addition options is checked - also check the box for Shortcut listed under Optional scan on the FRST screen
and click the box "90 day files".
Press Scan button and wait.

The tool will produce three logfiles on your desktop: FRST.txt, Addition.txt, Shortcut.txt
Click OK button when it shows up. Close the Notepad windows when they show on screen. The tool saves the files.

Please attach these 3 files to your next reply.


  • 2 weeks later...
  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks

 
