Installed a Cracked program from 3dm, redirected me to some 3dm site



I think it was 3dmgame.com and one button sends me to this site http://baoku.360.cn/ and I have an app that has this icon.

Attached is screenshot with the app.

I tried archiving the adware that the crack installed but got this error:

! C:\Program Files (x86)\360\360Safe.rar: Cannot open C:\Program Files (x86)\360\360Safe\deepscan\speedmem2.hg
  The process cannot access the file because it is being used by another process.

Also tried this:

! Cannot create SoftMgr.rar
  Access is denied.

I have Malwarebytes Anti-Exploit, Malwarebytes, Kaspersky Anti-Ransomware Tool for Home and Malware Hunter installed and have reports in the behaviour blocking and I don't know how to report them.

What should I do to scan the system? I will be using (besides Malware Hunter, Kaspersky Anti-Ransomware Tool for Home and Malwarebytes)

I will be using adwcleaner_8.0.7, EmsisoftEmergencyKit, KVRT, Windows-KB890830-x64-V5.83 and maybe HitmanPro_x64, hmpalert3.

Should I use ComodoCleaningEssentials_x64 or ccsetup547pro?

CaptureMalware1.PNG

CaptureMalware2.PNG

CaptureMalware3.PNG

CaptureMalware4.PNG

firstBlockingReport.txt secondBlockingReport.txt thirdBlockingReport.txt

CaptureMalware5.PNG


Hello. You have made some 4 posts here back-to-back, which made your case seem like it has been answered.

My name is Maurice. I will be helping and guiding you, going forward on this case.
Let me know what first name you prefer to go by.   

Please follow my directions as we go along. Please do not do any changes on your own without first checking with me.
Please only just attach all report files, etc. that I ask for as we go along. I

Please put aside 'Malware Hunter' and do no more runs on your own. Don't go off running tools on your own for the duration of this case.
I would appreciate getting some key details from this machine in order to help you forward.
NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer; please allow the programs to run if blocked by your system.

Do have patience while the report tool runs. It may take several minutes. Just let it run & take its time. You may want to close your other open windows so that there is a clear field of view.
Download Malwarebytes Support Tool

  • Once the file is downloaded, open your Downloads folder/location of the downloaded file
  • Double-click mb-support-1.80.848.exe to run the report
  • Once it starts, you will see a first screen with 2 buttons. Click the one on the left marked "I don't have an open support ticket".
  • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
  • Place a checkmark next to Accept License Agreement and click Next
  • Now click the left-hand side pane "I do not have an open support ticket"
  • You will be presented with a page stating, "Get Started!"
  • Do NOT use the button "Start repair"! But look instead at the far-left options list in black.
  • Click the Advanced tab on the left column
  • Click the Gather Logs button
  • A progress bar will appear and the program will proceed with getting logs from your computer. Please do have patience. It takes several minutes to gather.
  • Upon completion, a file named mbst-grab-results.zip will be saved to your Desktop. Click OK. Then Exit the tool.
  • Please attach the ZIP file in your next reply.

Please know I help here as a volunteer and that I am not on 24 x 7.
Help on this forum is one to one. Again, please be sure to ONLY attach report files with your reply(s) as we go along. Do not do a copy / paste into the main body.

Thank you,
Sincerely.


Thanks for the report.  I will make another reply after I have looked over this set of reports.  Meantime ....

Strong note of caution:
3DM is a Chinese video game piracy group – a group of individuals specialized in cracking the digital rights management (DRM) applied to commercial PC video games. It was "one of the world's biggest" such groups in and around 2016, according to Kotaku.
See https://en.wikipedia.org/wiki/3DM

Pirated programs / tools / stuff are infamous for being bundled with malicious malware!

I would strongly suggest that you go about uninstalling any 3DM program the standard way in Windows:
1. In the search box on the taskbar, type Control Panel and select it from the results.
2. Select Programs > Programs and Features.
3. Right-click the program(s) by 3DM and select Uninstall.


Further note: Windows has a number of queued up Pending File Rename Operations.

Do one Windows RESTART and then let the system settle back in. I will be making another reply soon.

But go ahead and do this one task here.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system.

The download links & the how-to-run-the-tool are at this link at Microsoft:

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

On the scan Options, select FULL scan. Have lots of patience till it finishes.

Let me know the result of this.

The log is named MSERT.log

The log will be at C:\Windows\debug\msert.log

Please attach that log with your reply.
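As an added illustration (not from this reply or from any Malwarebytes tool), the PowerShell below reads the queue referred to above: the PendingFileRenameOperations value under the Session Manager registry key, which Windows processes on the next restart. It lists each queued rename or delete, then flags entries under a folder named 360, a filter string assumed from the paths in the original post.

```powershell
# Added example: inspect queued Pending File Rename Operations.
# The value is a REG_MULTI_SZ holding pairs of strings: source path, then
# destination path. An empty destination means "delete on next boot"; a
# destination starting with "!" means "replace the target if it exists".
# Paths carry the NT-style "\??\" prefix, which is stripped for readability.

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$name = 'PendingFileRenameOperations'

function Get-PendingFileRenames {
    param([string]$Key = $key, [string]$Name = $name)
    $prop = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if (-not $prop) { return @() }   # value absent: nothing queued
    $entries = @($prop.$Name)
    $result  = @()
    for ($i = 0; $i + 1 -lt $entries.Count; $i += 2) {
        $src = $entries[$i]     -replace '^\\\?\?\\', ''
        $dst = $entries[$i + 1] -replace '^!?\\\?\?\\', ''
        $result += [pscustomobject]@{
            Action      = if ([string]::IsNullOrEmpty($dst)) { 'Delete' } else { 'Rename' }
            Source      = $src
            Destination = $dst
        }
    }
    return $result
}

$pending = Get-PendingFileRenames
if ($pending.Count -eq 0) {
    Write-Host 'No pending file rename operations queued.'
} else {
    # Show everything, then highlight entries touching the "360" folder
    # named in the original post (assumed filter string).
    $pending | Format-Table -AutoSize
    $pending | Where-Object { $_.Source -like '*\360\*' } |
        ForEach-Object { Write-Host "Queued for next boot: $($_.Action) $($_.Source)" }
}
```

Reading this key needs no elevation; it only shows what is scheduled, and the restart is what actually carries the operations out.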

 


Next task after the run by the MS Safety Scanner has completed (see prior reply of mine above ^^^^^).

Do what follows only after finishing the prior task (above).

The following is a  custom script. The main goal is to remove elements of "360" and its drivers & tasks. Plus a couple of files flagged by Malwarebytes.

 

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome,  and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.

 

The system will be rebooted after the script has run.

.

This custom script is for Qwertyuiop123 only / for this machine only.

Close and save any open work files before starting this procedure. If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached, please disconnect any of those.

The custom Fix script is going to be used by the FRSTENGLISH tool. They will both work together as a pair.

Please save the (attached file named) FIXLIST.txt to the Downloads folder.

The tool named FRSTENGLISH.exe is already in the Downloads folder.
Start Windows Explorer and then go to the Downloads folder.

RIGHT click on FRSTENGLISH and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow it to run. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool, click the line "More info" on that screen and click the button "Run anyway" on the next screen.

on the FRST window:
Click the Fix button just once, and wait.

frst-fix.jpg

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   


Please know this will do a Windows Restart.   Just let it do its thing.  

Do let me know how things are overall,  after all this.

Sincerely.

Fixlist.txt

Edited by Maurice Naggar

Hello @Qwertyuiop123

If I may, please read the following and continue to work with @Maurice Naggar for a solution.

 

 

Since you're dealing with a group well known for advanced hacking you may want to consider the possibility of the following.

One or more of the identified infections may potentially be related to a  rootkit component which is difficult to remove. Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (back doors) as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.
 
If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned.
All passwords should be changed to include those used for banking, email, eBay, PayPal and online forums from a CLEAN COMPUTER - never use the same password on different sites. Avoid using Facebook, Google, or other auto sign-on methods. If that account gets exploited they'll also have access to all other sites linked to it.
 
 
You should consider these passwords to be compromised. You should change each password by using a different computer and not from the infected one.
 
If not, an attacker may get the new passwords and transaction information. If using a router, you may need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read the following
 
 
Although the threat may have been identified and may be removed, your PC has likely been compromised and there is no way to be certain the computer can ever be trusted again.
 
It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure.
 
In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, delete the partition, reformat and reinstall the Operating System.
 
Please read:

Should you decide not to follow this advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. If you wish to proceed, disinfection will require more time and more advanced tools.

Please let us know how you would like to proceed.

 

 


I've reviewed the report from the Microsoft Safety scanner ( which found some trojans as well as hacktools ) and the log from the FRST script run, which also shows trojans still present.

 

One or more of the identified infections may potentially be related to a  rootkit component which is difficult to remove. Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (back doors) as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.
 
If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned.
All passwords should be changed to include those used for banking, email, eBay, PayPal and online forums from a CLEAN COMPUTER - never use the same password on different sites. Avoid using Facebook, Google, or other auto sign-on methods. If that account gets exploited they'll also have access to all other sites linked to it.
 
 
You should consider these passwords to be compromised. You should change each password by using a different computer and not from the infected one.
 
If not, an attacker may get the new passwords and transaction information. If using a router, you may need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read the following
 
 
Although the threat may have been identified and may be removed, your PC has likely been compromised and there is no way to be certain the computer can ever be trusted again.
 
It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure.
 
In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, delete the partition, reformat and reinstall the Operating System.
 
Please read:

Should you decide not to follow this advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. If you wish to proceed, disinfection will require more time and more advanced tools.

Please let us know how you would like to proceed.

 


I finished with the personal accounts and I am considering formatting and reinstalling the C drive, although it would take time managing, migrating the folders.

I can provide you with the program I am 95% sure is the cause of this.


I can't do anything with the suspect program you mention. If you want, if you have an executable-type program you suspect, you can upload it to VirusTotal for analysis.

The site uses multiple search engines from several companies.
Go to the link https://www.virustotal.com/gui/home/upload

You will see Choose file button.   Click that as a first step.   You will then see a dialog grid from Windows.
.

You can save all your personal files, documents, personal folders to offline media.

As far as doing a clean install of Windows 10, there are good guides online.

A Windows 10 repair-in-place upgrade is one possibility if the configuration of your PC is HDD only. If the configuration is SSD + HDD it can be problematic, and you should create a Backup Image of your system before proceeding.

You want to be sure to SAVE the download file, ideally to the Desktop.

 

Download & Save the Microsoft tool - click the button marked "Update now" (at the top) from

http://www.Microsoft.com/en-us/software-download/windows10

The name of the file is Windows10Upgrade9252.exe

Right click the downloaded file and select "Run as administrator". Select the option "Upgrade This PC Now" and the process begins. Answer the questions logically, and when asked "what to keep", select your choices.

 

On 11/15/2020 at 5:53 PM, Maurice Naggar said:

I've reviewed the report from the Microsoft Safety scanner ( which found some trojans as well as hacktools ) and the log from the FRST script run, which also shows trojans still present.

 

One or more of the identified infections may potentially be related to a  rootkit component which is difficult to remove. Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (back doors) as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.
 
If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned.
All passwords should be changed to include those used for banking, email, eBay, PayPal and online forums from a CLEAN COMPUTER - never use the same password on different sites. Avoid using Facebook, Google, or other auto sign-on methods. If that account gets exploited they'll also have access to all other sites linked to it.
 
 
You should consider these passwords to be compromised. You should change each password by using a different computer and not from the infected one.
 
If not, an attacker may get the new passwords and transaction information. If using a router, you may need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read the following
 
 
Although the threat may have been identified and may be removed, your PC has likely been compromised and there is no way to be certain the computer can ever be trusted again.
 
It is dangerous and incorrect to assume that because this malware has been removed the computer is now secure.
 
In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, delete the partition, reformat and reinstall the Operating System.
 
Please read:

Should you decide not to follow this advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. If you wish to proceed, disinfection will require more time and more advanced tools.

Please let us know how you would like to proceed.

 

Here it says that I should format the operating system drive. This is what I am proceeding with, as I really want a clean system. I don't think I want a Windows 10 upgrade. But I am certainly open to ideas and advice.

Do you have any advice? I am moving data from C and after that formatting C, and after that upgrading to Windows 10.


To "nuke"  ( delete) the C drive you can use the Diskpart command.   See https://www.tenforums.com/tutorials/85819-erase-disk-using-diskpart-clean-command-windows-10-a.html

To be able to do that, you will need a USB flash-thumb-drive that is populated (created) by using the Microsoft Media Creation Tool.

Then you can download the tool, save it, and run it later to build the USB.

Get it from this link https://go.microsoft.com/fwlink/?LinkId=691209

More detail info about creating that USB   https://www.tenforums.com/tutorials/2376-create-bootable-usb-flash-drive-install-windows-10-a.html

.

After you create the USB with the MCT,  set your BIOS startup boot sequence to boot from USB as the first choice.

Then have the USB inserted in the USB drive. Then do a PC start so that it boots from the USB.

On the first round, you want to get to a Command prompt (otherwise known as the Recovery Environment command prompt) to do the Diskpart operation.

On the screen ( of MCT) that has the install window, look at the bottom left and tap the R key to select Repair your computer.

Next  Select "Troubleshoot". 

After clicking troubleshoot. Select "Advanced Options".

Then finally pick "Command prompt".   You should see on screen that the machine is then at a prompt showing X:>

At that point, you can do the Diskpart   ( see article cited at top here)

.

When all done with that, keep the USB inserted.   Restart the machine one more time so that on the next round, you go and do the new Windows 10 setup.

NOTE:  Obviously before doing any of this, you want to save ( to offline media) any personal documents, pictures, media, files of your personal stuff.  and any setup tools of your application programs.

Edited by Maurice Naggar
corrected font issue

In the Windows setup process, after using clean all in the nuking, I am at "Where do you want to install Windows?" and I'm choosing my drive, pressing New, and it gives me the error: "We couldn't create a new partition or locate an existing one. For more information, see the setup log files."


I do not wish nor need to do anything with that, so you know. If you want to have it analyzed, there is a website that will do that.

Can you please go to the VirusTotal website (which is a site that many security companies use to upload and check files for potential malware. The site uses multiple search engines from several companies).
Go to the link https://www.virustotal.com/gui/home/upload
You will see a Choose file button. Click that as a first step. You will then see a dialog grid from Windows.

.

As to the Windows 10 setup with the Media Creation Tool, had you booted up with the USB?

What other choices does it offer?


Just do not go off on your own just now.   Hold on until I do some additional research.

Meantime though

It seems to me we need to just "look" to see what partitions there are on the main drive of this system.

To start with, we need to get this machine rebooted back into the Windows Recovery Environment off of the USB flash drive that has the Media Creation Tool USB.

So be sure to have that special USB inserted in the USB slot.

Then just flip the Power Off to the pc.  Wait for one minute.   Then Power ON  and let the machine boot off the USB.

It will show the special screen off of it.

You may be prompted to select your Language & some formats & keyboard  like the following

image.png

 

Make appropriate choice for you & click Next button

On the next screen, look at the bottom left "R" to Repair   and tap the R key to make that selection

 

Next  Select "Troubleshoot". 

After clicking troubleshoot. Select "Advanced Options".

Then finally pick "Command prompt".   You should see on screen that the machine is then at a prompt showing X:>

At the X prompt, type in

diskpart

and tap the Enter key on the keyboard.

Then next, type

list disk

and hit the Enter key to display a list of the disks currently connected to your computer.

Jot those down and then copy those back to me in your next reply. That info will give us what we need in order to look further.

DISKPART will display a table with about 6 columns. If you can grab a picture that is fine.

Otherwise, jot down all  on paper  and then relay all to me.

What we are looking for are the detail lines, that show each disk by number ( starting with 0 & 1 , etc) along with the sizes of each partition and the Free space on each, and any Labels for each partition.

Edited by Maurice Naggar
This topic is now closed to further replies.