
Fresh install (Home user) - unable to quarantine


K3nny


Dear Forum, 

I'm facing a little problem here... Yesterday I was browsing the web in search of a good free photo editor for my wife, as she wants to create photo calendars for the whole family as a Christmas gift. So I started to search and clicked on all possible URLs that appeared. It seems that one of the URLs wasn't safe, as suddenly I got a pop-up message at the bottom right indicating a web page containing the string eloypatrick and a number. I immediately got scared, since I was using my business PC, which I'm using from home due to the current Covid situation.

So I started to search on how to remove this and that. And I got a bunch of hits and all sorts of ways to remove it manually and using malware removal software. I ended up installing Spybot Search and Destroy, ADWCleaner (previously known as JRT), Unhackme, Spyhunter, Malwarebytes, and TOTALAV.

None of the above helped me. In fact, it got even worse. While running Spyhunter it told me that I have the Dapato.BB trojan, which I couldn't remove. Then, and this is probably the biggest mistake, I installed TotalAV on my enterprise PC, and it turned out to be a huge mistake.

I managed to stop the pop-ups for eloypatrick under notifications in Chrome. I managed to find all the TotalAV files in the registry and deleted them manually, even giving myself permissions on folders I should not have access to -> remember that this is a business PC.

Malwarebytes detected remnants of TotalAV, but when clicking on Quarantine it tells me: Product is not licensed for threat removal.

 I realized that during installation for MB I had checked the right box (Business PC, not Home User) and I found this link for the support tool ->  https://support.malwarebytes.com/hc/en-us/articles/360039023473-Uninstall-and-reinstall-using-the-Malwarebytes-Support-Tool

I did everything as mentioned, and re-installed as personal.    However, I still can't put those files into quarantine (see attached). 

Would you have any hint on how to get this removed? I'm a bit worried now; this is a business PC and I'm afraid that this PC is not safe anymore. My company runs Symantec and it will detect very soon that this PC most probably has harmful stuff on it. This is not good news. I should have been more careful.

Sorry for the long story, but at least you know the problems that I'm facing. 

Any hint on how to get TotalAV (this is the most important), EloyPatrick or Dapato.BB removed is highly appreciated. I have to say, though, that the pop-ups from EloyPatrick disappeared, and only one piece of software detected the Dapato one.

Kind regards, 

Ken


Scan results.JPG

No removal possible.JPG


Hello

Before we do other procedures, let's do this. Be sure you close all web browsers before you click on the "Scan" button in this next procedure.

I would suggest you download, save, and then run Malwarebytes AdwCleaner.

Please close Chrome and all other open web browsers after you have saved AdwCleaner and before you start the AdwCleaner scan.

AdwCleaner detects factory pre-installed applications too!

 

Please download  Malwarebytes AdwCleaner  https://downloads.malwarebytes.com/file/adwcleaner
 

Be sure to save the file first, to your system. Saving to the Downloads folder should be the default on your system.

 

Go to the folder where you saved AdwCleaner. Double click AdwCleaner to start it.

At the prompt for the license agreement, review it and then click on I agree.

 

You will then see the main screen for AdwCleaner (if you do not see it right away, minimize the other open windows so you can see AdwCleaner).

Then click on Dashboard button.

Click the blue button "Scan Now".

 

Allow it a few minutes to finish the scan. Let it remove what it finds.

NOTE: When it comes to the section "Pre-installed applications", you can skip that.

Please find and send the AdwCleaner "C" clean report.

In AdwCleaner, click the "Reports" button. Look at the list of reports for the latest date & type "Clean".

Double click that line & it will open in Notepad. Save the file to your system and then attach it with your reply.

 

That C clean report will be the one with the most recent date and time in the folder C:\AdwCleaner\Logs

Thanks.  Keep me advised.

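The post above asks for the most recent "C" (clean) report from C:\AdwCleaner\Logs. The following PowerShell script is an added example, not from the thread and not Malwarebytes' own tooling: it locates that report using the folder named in the post and the file naming visible later in this thread (AdwCleaner[C00].txt), previews it, and copies it somewhere convenient for attaching. The log folder, the report name pattern and the copy destination are assumptions exposed as parameters.

```powershell
# Added example (not from the thread or from Malwarebytes): find the most recent
# AdwCleaner clean report so it can be reviewed and attached to a reply.
# Assumptions: the default log folder named in the post (C:\AdwCleaner\Logs) and
# the report naming seen in this thread (AdwCleaner[C00].txt). Scan-only runs are
# typically logged under an S prefix instead and are deliberately ignored here.
param(
    [string]$LogDir = 'C:\AdwCleaner\Logs',
    [string]$CopyTo = (Join-Path $env:USERPROFILE 'Desktop')
)

if (-not (Test-Path -LiteralPath $LogDir)) {
    Write-Warning "Log folder not found: $LogDir (has AdwCleaner been run yet?)"
    return
}

# Match only clean reports; -match with an anchored regex avoids wildcard
# surprises from the square brackets in the file name.
$latest = Get-ChildItem -LiteralPath $LogDir -File |
    Where-Object { $_.Name -match '^AdwCleaner\[C\d+\]\.txt$' } |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 1

if (-not $latest) {
    Write-Warning "No clean (C) report in $LogDir. Only a Clean run, not just a Scan, produces one."
    return
}

"Latest clean report: $($latest.FullName) (written $($latest.LastWriteTime))"

# Preview the start of the report so what was removed can be sanity-checked
# before it is posted anywhere.
Get-Content -LiteralPath $latest.FullName -TotalCount 40

# Copy it next to the user for attaching to the forum reply.
Copy-Item -LiteralPath $latest.FullName -Destination $CopyTo
"Copied to $CopyTo"
```

Run it from a PowerShell prompt on the affected machine (`.\Get-LatestAdwCleanerReport.ps1`, or with `-LogDir` if AdwCleaner was pointed at a non-default folder). Sorting by LastWriteTime rather than by the number in the file name is deliberate: the numbering restarts when the folder is cleared, so the newest file is the reliable signal.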

1 hour ago, K3nny said:

Product is not licensed for threat removal. 

 I realized that during installation for MB I had checked the right box (Business PC, not Home User) and I found this link for the support tool ->  https://support.malwarebytes.com/hc/en-us/articles/360039023473-Uninstall-and-reinstall-using-the-Malwarebytes-Support-Tool

I did everything as mentioned, and re-installed as personal.    However, I still can't put those files into quarantine (see attached). 

Sorry for the intrusion. Is the computer part of a domain, or has it ever been? If so, that is why it will not quarantine.

 


On 12/7/2020 at 9:28 PM, Porthos said:

Sorry for the intrusion. Is the computer part of a domain, or has it ever been? If so, that is why it will not quarantine.

 

Well, it was part of a domain indeed, prior to Covid. It was connected to the local network of my company, via LAN. When we were all sent home, we connected via VPN to be able to open our web applications. If I don't connect to the VPN I can surf the web as if it were my own PC. If I don't connect to the VPN I cannot even run Oracle, our main tool.


@Maurice Naggar 

Hi Maurice, 

Thank you for replying. I did what you proposed in your response. Kindly find the log file attached. Only traces of TotalAV were found, nothing of eloypatrick or Dapato. I also ran the full scan of Symantec and nothing else was detected.

Can I delete both files as indicated in the picture Quarantined.jpg?  

Kind regards, 

Ken

Quarantined.JPG

AdwCleaner[C00].txt


2 minutes ago, K3nny said:

Well, it was part of a domain indeed

 

2 minutes ago, K3nny said:

If I don't  connect to VPN I can surf the web like if it was my own PC. 

The problem is, Malwarebytes no longer allows free cleaning on computers that are/were set on a domain, either in the office or otherwise.

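Porthos's point above is that the quarantine refusal is a licensing decision tied to domain membership, not a malware-removal failure. Before spending more time on a home-user install, it helps to confirm what the machine itself reports. The script below is an added example, not from the thread and not Malwarebytes' own check: it reads the Win32_ComputerSystem CIM class, which is a documented Windows API, and reports current domain membership and role. Note that it can only see the current state; as Porthos says, a machine that was joined in the past may still be treated as a business PC.

```powershell
# Added example (not from the thread): report whether this Windows machine is
# currently joined to an Active Directory domain. Uses only the documented
# Win32_ComputerSystem CIM class; everything else here is plain PowerShell.
function Get-DomainJoinState {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    # DomainRole values as documented for Win32_ComputerSystem.
    $roles = @{
        0 = 'Standalone workstation'
        1 = 'Member workstation'
        2 = 'Standalone server'
        3 = 'Member server'
        4 = 'Backup domain controller'
        5 = 'Primary domain controller'
    }

    [pscustomobject]@{
        ComputerName      = $cs.Name
        PartOfDomain      = [bool]$cs.PartOfDomain
        # When the machine is not domain-joined, .Domain holds the workgroup name.
        DomainOrWorkgroup = $cs.Domain
        Role              = $roles[[int]$cs.DomainRole]
    }
}

$state = Get-DomainJoinState
$state | Format-List

if ($state.PartOfDomain) {
    "Domain-joined to '$($state.DomainOrWorkgroup)' as $($state.Role). " +
    "This is a managed machine: route cleanup through the company's IT/security team and their licensed tooling."
} else {
    "Not currently domain-joined (workgroup '$($state.DomainOrWorkgroup)'). " +
    "A machine that was joined in the past can still be treated as a business PC by the licensing check, so this alone does not clear it."
}
```

The practical consequence for a reader in Ken's position is the same either way: a company-managed PC, joined or previously joined, belongs with the company's own endpoint protection and incident process rather than with consumer removal tools installed ad hoc.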

1 minute ago, Porthos said:

The problem is, Malwarebytes no longer allows free cleaning on computers that are/were set on a domain, either in the office or otherwise.

 

OK, fair enough. I supposed that it was something like that. Let's hope that nothing bad happens :)


Hello @K3nny. Thanks for the report from AdwCleaner. AdwCleaner has removed 2 folders of TotalAV.

I would suggest a free scan with the ESET Online Scanner
Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

It will start a download of "esetonlinescanner.exe"
Save the file to your system, such as the Downloads folder, or else to the Desktop.

Go to the saved file, and double click it to get it started.

When presented with the initial ESET options, click on "Computer Scan".
Next, when prompted by Windows, allow it to start by clicking Yes.
When prompted for the scan type, click on Full scan.

Look at & tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.
Have patience. The entire process may take an hour or more. There is an initial update download.

There is a progress window display.
You should ignore all prompts to get the ESET antivirus software program (e.g. their standard program). You do not need to buy or get or install anything else.
When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked "View detected results".
Click the blue "Save scan log" to save the log.

If something was removed and you know it is a false finding, you may click on the blue "Restore cleaned files" (in blue, at the bottom).
Press Continue when all done. You should click to turn off the offer for "periodic scanning".


Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks
