
Infected with a trojan.


Go to solution Solved by Maurice Naggar,


Hello @WilliamWilliam

My name is Maurice. Let me know what name you prefer to go by.

I would appreciate getting some key details from this machine.
NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer. Please allow the programs to run if blocked by your system.

Do have patience while the report tool runs. It may take several minutes. Just let it run & take its time. You may want to close your other open windows so that there is a clear field of view.

Download Malwarebytes Support Tool

  • Once the file is downloaded, open your Downloads folder/location of the downloaded file
  • Double-click mb-support-1.7.0.827.exe to run the report
  • Once it starts, you will see a first screen with 2 buttons. Click the one on the left marked "I don't have an open support ticket".
  • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
  • Place a checkmark next to Accept License Agreement and click Next
  • Now click the left-hand side pane "I do not have an open support ticket"
  • You will be presented with a page stating, "Get Started!"
  • Do NOT use the button "Start repair"! But look instead at the far-left options list in black.
  • Click the Advanced tab on the left column
  • Click the Gather Logs button
  • A progress bar will appear and the program will proceed with getting logs from your computer. Please do have patience. It takes several minutes to gather.
  • Upon completion, a file named mbst-grab-results.zip will be saved to your Desktop. Click OK. Then Exit the tool.
  • Please attach the ZIP file in your next reply.


Hi Billy.

I have to ask whether you followed just exactly what I wrote about "Gather logs"?

Did you happen to click on some other spot? Like repair?

Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.

You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to the disclaimer.
  • Press the Scan button.

_frst_scan.jpg

  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run it before it may not and you may need to select it manually.
  • Please attach both logs to your reply if possible.
  • To upload attachments please click the link as shown below. Then browse to where your file is located and select it and click the Open button.

_mb_attach.jpg


Thank you. Take a minute, and tell me just how, where, by what was there a "trojan"?

What presented the info? What else did it say?


Trojan was found by Malwarebytes. I downloaded what I thought was software for recovering data. The install said it failed installation as obviously intended of the creator of this malware, beforehand. My CPU acted strange. Then I did a few scans with Malwarebytes and S&D 2. It isn't popping up every 15 seconds right now, but it comes back later and starts back up, again. Sometimes without ever stopping. All kinds of weird s keeps happening. I can't normal shut down my PC. Gotta hold down on the power button. Airplane mode icon is on, however I do have internet access.


Hi Billy. Please only reply here to this topic.

Please also know that help is thru this thread-topic. Not by personal message. Your very last post would tend to indicate some oddity with the Windows OS (and not necessarily some "infection").

Let's do these next 2 scans to check for malware / viruses.

[ 1 ]

You can check this system using another free tool at Microsoft. For another opinion.
The Microsoft Safety Scanner is a free stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system.
The download links & the how-to-run-the tool are at this link at Microsoft
https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

Take a minute to locate & then send the log.
It should be at C:\Windows\debug\msert.log

[ 2 ]

I would suggest a free scan with the ESET Online Scanner
Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

 

It will start a download of "esetonlinescanner.exe"
Save the file to your system, such as the Downloads folder, or else to the Desktop.

Go to the saved file, and double click it to get it started.

When presented with the initial ESET options, click on "Computer Scan".
Next, when prompted by Windows, allow it to start by clicking Yes
When prompted for scan type, Click on Full scan
Look at & tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on Start scan button.

Have patience.  The entire process may take an hour or more. There is an initial update download.
There is a progress window display.

You should ignore all prompts to get the ESET antivirus software program.   ( e.g.  their standard program).   You do not need to buy or get or install anything else.

When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.
Click The blue “Save scan log” to save the log.

If something was removed and you know it is a false finding, you may click on the blue “Restore cleaned files” (in blue, at bottom).
Press Continue when all done. You should click to off the offer for “periodic scanning”.


Update: Hi, Maurice. The 1st mentioned said it fixed what it could. Did not display any results. The second mentioned has displayed results I can send a log of. However, I am experiencing the same activities I've discussed earlier. Inactive Windows key/Windows Start click, Inactive Searchbar. Inactive folder searchbar. Website due to phishing is popping up every 15 seconds again right now so I can send an image of it as well. Okay, so I think I have all the right things here now. Was a little disorganized with the documenting. Thank you for your patience and effort.

Image of contant pop up.jpg

 

Edited by AdvancedSetup
Logs removed per request

I can't edit the post. I need to make a whole new post if I wanted to add something from the prior. By the way, the path mentioned doesn't exist. I have searched for it. The folder where it says the executable file exists doesn't exist.


Hello. Let me just mention, that since you are a relatively new member, the forum does not allow you to Edit your post once it has been published on the forum.

As to some of the factors you mentioned 2 posts ahead, we need to unpack and put things in proper categories with proper separation.

These 

Quote

 Inactive Windows key/Windows Start click, Inactive Searchbar. Inactive folder searchbar.

need to be in a separate category.   Those are some sort of Windows glitches.   We can address those separately later on.

The Block events & notices by the web protection of Malwarebytes for Windows are entirely separate.

 

NOTE: The ESET scan found and removed 8 unwanted / unsafe apps. I notice some were downloads. One must be very very careful what you download & just from where!!

The Block notice from Malwarebytes DOES mean that it is keeping your pc safe and away from potential harm. Note the green tick-mark (check-mark) at the left of the message window in that display-notice!

Run a scan with Malwarebytes.
Start Malwarebytes from the Windows  Start menu.
Click Settings (gear icon) at the top right of Malwarebytes window. We want to see the SETTINGS window.
Then click the SECURITY tab.
Scroll down and let's be sure the line in SCAN OPTIONS for "Scan for rootkits" is ON.
Click it to get it ON if it does not show a blue color.

Now click the small X  to get back to the main menu window.

Click the SCAN button.
Select a Threat Scan ( which should be the default).
When the scan phase is done, be real sure you Review and have all detected line items check-marked on each line on the left. That too is very critical.
Then click on Quarantine selected.

Be sure all items were removed.   Let it remove what it has detected.

 

Then, locate the Scan run report; export out a copy; & then attach it with your reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

 

Have patience always.   We will be doing more later.


 


Thank you, again, Maurice. Thank you as well for taking the time and care of explaining everything. The inactive mentions are still inactive, however I have made some shortcuts to them such as Malwarebytes. Running scans at least 3 times a day. Nothing new coming up though. I will do as you instructed. Thank you, good night Maurice


Good morning. I take it that the last scans with Malwarebytes for Windows have reported no malware and no PUP.

I suggest a different scan with a different tool.

TrendMicro HouseCall scan
https://www.trendmicro.com/en_us/forHome/products/housecall.html


First, Download & Save to your Downloads folder the appropriate HouseCallLauncher

Once the download is complete, go to where the Housecalllauncher is saved & double-click it to start it.
The program will check with TrendMicro & do an update run.

Next it will show the Disclosure window.
Click Next to proceed.

The end user license agreement is presented.   Click the Accept radio button & click Next to proceed.

IF you wish a Full scan or a Custom scan, first click on the Settings
then you can select which drives you want to include in the scan.
The default is a Quick scan.
Click Scan now when ready.

The scan progress will then be displayed.   Monitor the progress or just leave it alone until it finishes this phase.

When the scan phase has completed, if any items are tagged, you will see a list, showing the file & its location, the classification of the threat, the type, risk, and Action option.
If you see an item that you know is safe, you can click the Action, and select Ignore.
When all done & ready, click the Fix now button.

Also, let me know about the current status & if you need other help.

 

SecurityCheck by glax24

I would like you to run a tool named SecurityCheck to inquire on the current security-update status of some applications.
Download SecurityCheck by glax24 from here: https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe

and save the tool on the desktop.
If Windows SmartScreen blocks that with a message window, then
click on the MORE INFO spot and override that and allow it to proceed.
This tool is safe. SmartScreen is overly sensitive.
Right-click with your mouse on the Securitycheck.exe and select "Run as administrator" and reply YES to allow it to run & go forward.
Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file. Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt
 

Edited by Maurice Naggar

Per the SecurityCheck tool, here are things that need your attention. Follow up & ensure they get updated to the latest releases.

GIMP 2.10.0 v.2.10.0 Warning! Download Update

WinRAR 5.80 beta 2 (64-bit) v.5.80.2 Warning! Download Update

Viber v.11.3.0.24 Warning! Download Update

Adobe Shockwave Player 12.1 v.12.1.7.157 Warning! This software is no longer supported. Please uninstall it.
swMSM v.12.0.0.1 << Hidden Warning! This software is no longer supported. Please uninstall it.

Adobe Acrobat Reader DC v.20.009.20074 Warning! Download Update
^Please run Acrobat Reader DC and go Help - Check for updates...^

 

VdhCoApp 1.3.0 Warning! Application is distributed through the partnership programs and bundle assemblies. Uninstallation recommended. Possible you became a victim of fraud or social engineering.

Now to focus on the first main issue - the block notices about C:\Users\Owner\AppData\Roaming\froudMalitGrentSouce\ipconfig.exe.

Let's do these next set of steps.

[ 1 ]

I need you to ensure that Windows is set to show all hidden folders, to show all folders. Do not let this spook you out.

There is a how-to at Tenforums. Use either option one or two or three.

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

[ 2 ]

The following custom script is to remove a suspicious file, to run the Windows System File Checker tool, the Windows DISM tool to check the system, and to rebuild the Winsock.

Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.

 

The system will be rebooted after the script has run.


This custom script is for WilliamWilliam only / for this machine only.

Close and save any open work files before starting this procedure. If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached, please disconnect any of those.

I am sending a custom Fix script which is going to be used by the FRST64 tool. They will both work together as a pair.

Please RIGHT-click the (attached file named) FIXLIST and select SAVE link AS and save it directly (as is) to the Downloads folder.

The tool named FRST64.exe is already in the Downloads folder.
Start the Windows Explorer and then go to the Downloads folder.

RIGHT click on FRST64 and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow it to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool......
click the More info line on that screen
and click the Run anyway button on the next screen.

On the FRST window:
Click the Fix button just once, and wait.

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   


Please know this will do a Windows Restart.   Just let it do its thing.  

Do let me know how things are overall,  after all this.

Sincerely.

 

Edited by AdvancedSetup
Logs removed per request
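The block notices in the post above concern a file that carries the name of a built-in Windows tool (ipconfig.exe) but sits under AppData\Roaming. The check below is an added example, not part of the original post or of any tool named in this thread: it flags image paths that reuse a system tool's name outside the Windows system directories. The tool-name list, the trusted directories and every sample path except the one quoted from the thread are assumptions made for illustration.

```python
import ntpath  # Windows path rules, usable on any OS

# Short sample of built-in Windows tool names (assumed, not a complete list).
SYSTEM_TOOL_NAMES = {"ipconfig.exe", "svchost.exe", "cmd.exe", "lsass.exe"}

# Where a default Windows install keeps those tools (assumed C: system drive).
TRUSTED_TREES = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\winsxs",
)

def is_under(directory, parent):
    """True if directory is parent itself or a real subdirectory of it."""
    return directory == parent or directory.startswith(parent + "\\")

def find_masquerading(image_paths):
    """Return the paths that use a system tool's name outside the trusted trees."""
    flagged = []
    for raw in image_paths:
        # Drop surrounding quotes, collapse "..", unify slashes and case.
        path = ntpath.normpath(raw.strip().strip('"')).lower()
        directory, name = ntpath.split(path)
        if name not in SYSTEM_TOOL_NAMES:
            continue
        if not any(is_under(directory, tree) for tree in TRUSTED_TREES):
            flagged.append(raw)
    return flagged

# Constructed sample listing; only the second path comes from the thread.
SAMPLE_IMAGE_PATHS = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Users\Owner\AppData\Roaming\froudMalitGrentSouce\ipconfig.exe",
    r"C:\Windows\System32\..\Temp\cmd.exe",   # ".." escapes System32
    r'"C:\Program Files\Example\app.exe"',    # not a system tool name
    r"c:\windows\system32evil\lsass.exe",     # look-alike directory name
]

if __name__ == "__main__":
    for hit in find_masquerading(SAMPLE_IMAGE_PATHS):
        print("review:", hit)
```

A hit is a reason to look closer at the file (signature, origin, creation time), not proof of infection on its own.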

Top of the morning to you, Maurice.

Fixlist.txt is in the same folder as FRST64.

* No fixlist.txt found. The fixlist.txt should be in the same folder/directory the tool is located. (FRST) *

Not sure what happened or what I did different here.


Hi Billy.

Look in the Downloads folder. That is where the FRST64.exe is saved (from before).

The FIXLIST.txt should be saved to the same folder, in order for the custom fix to work.

Look for FIXLIST there. If you do not see it there, do a new download and get the file to the Downloads folder. Then do the procedure outlined before.

 

Edited by AdvancedSetup
Logs removed per request