
Segurazo Virus Removal



Hello,

So I tried to download a Minecraft thing because a friend recommended it and ended up with several unwanted programs getting installed, which included Segurazo. I did do a scan in safe mode to remove it, but when I did a custom scan (which has now been running for over 30 hours straight), I got a detection for the Segurazo uninstaller. When I went to the file location, it looks like all of the files are still there, along with some other programs I thought I removed (something called Alsephina, Web Discover, and Thundersea). Should I cancel the scan and go into safe mode to try again? Or should I just do a factory reset?


Hello @rando, welcome!

Here is what I need from you:

I would appreciate getting additional, fuller details from this machine in order to help you going forward.
NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer; please allow the programs to run if blocked by your system.

Do have patience while the report tool runs. It may take several minutes. Just let it run and take its time. You may want to close your other open windows so that there is a clear field of view.
Download the Malwarebytes Support Tool.

    Once the file is downloaded, open your Downloads folder (or wherever the downloaded file was saved).
    Double-click mb-support-1.80.848.exe to run the report.
    Once it starts, you will see a first screen with 2 buttons. Click the one on the left marked "I don't have an open support ticket".
    You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
    Place a checkmark next to Accept License Agreement and click Next.
    You will be presented with a page stating "Get Started!"
    Do NOT use the button "Start repair"! Look instead at the far-left options list in black.
    Click the Advanced tab in the left column.
    Click the Gather Logs button.
    A progress bar will appear and the program will proceed with getting logs from your computer. Please have patience; it takes several minutes to gather.
    Upon completion, a file named mbst-grab-results.zip will be saved to your Desktop. Click OK, then Exit the tool.

    Please attach the ZIP file in your next reply.

Please know that I help here as a volunteer and that I am not on 24x7.
Help on this forum is one to one.

Sincerely,

Maurice


Thanks for the report. This Windows session has been up for over 2 1/2 days. Please do a Windows Restart as the first step before proceeding with what is listed below.

That will also help to complete a few pending Windows actions to rename some files. Go ahead and do the Restart. I will make a further reply soon.


The system will be rebooted after the script has run.

This custom script is for RANDO only / for this machine only.

NOTE-1: This fix will also run a scan to check that all Microsoft operating system files are valid and not corrupt, and attempt to correct any invalid files. Depending on the speed of your computer this fix may take 30 minutes or more.

Please be sure to close any open work files, documents, and any apps you started yourself before starting this.

If there are any CD / DVD / USB flash-thumb or USB storage drives attached, please disconnect them.

The custom Fix script is going to be used by the FRSTENGLISH.exe tool, which you have in your Downloads folder.

Please save the attached file named FIXLIST.txt to the Downloads folder C:\Users\bartl\Downloads

Start Windows Explorer and go to the Downloads folder.

RIGHT-click on FRSTENGLISH.exe, select Run as Administrator and allow it to proceed. Reply YES when prompted to allow it to run. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool, click the "More info" link on that screen and click the "Run anyway" button on the next screen.

On the FRST window:
Click the Fix button just once, and wait.

[Screenshot: the Fix button on the FRST window]

PLEASE have lots of patience when this starts. You will see a green progress bar start. This run should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after the restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply, at your next opportunity.

Please know this will do a Windows Restart. Just let it do its thing. We will do more after this.

Cheers.

Attachment: Fixlist.txt


Bravo. Thanks for the Fixlog report. I believe we have just squashed the heart of this new version of the PUP Segurazo. But we need to do more checks.

Please follow these new instructions:
Run Malwarebytes from Safe Mode with Networking:
Step 1:
Boot into Safe Mode with Networking:

    Restart your computer.
    When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed, etc. At this point, you should gently tap the F8 key repeatedly until you are presented with the Advanced Boot Options menu.
    Select the option for Safe Mode with Networking using the arrow keys.
    Then press Enter on your keyboard to boot into Safe Mode.
    If prompted to choose a user account to log in, click on your normal user name (not Administrator unless that is your normal user account) to log into Windows.

Step 2:
Start Malwarebytes for Windows.
In the Malwarebytes for Windows program, we want to do a special scan.
Click Settings (gear icon) at the top right of the Malwarebytes window. We want to see the SETTINGS window.
Then click the Security tab.
Scroll down and let's be sure the line in SCAN OPTIONS for "Scan for rootkits" is ON.
Click it to turn it ON if it does not show a blue color.

Next, click the small x on the Settings line to go to the main Malwarebytes window.

Next click the blue button marked Scan.
When the scan phase is done, be really sure you review and have all detected line items check-marked on the left. That too is very critical.
You can click (tick) the topmost left check-box on the very top line to get ALL lines ticked (all selected).

[Screenshot: Malwarebytes scan results with the top check-box ticked to select all detections]

 

 

Then click on Quarantine selected.

[Screenshot: the Quarantine selected button on the Malwarebytes scan results screen]

Then, locate the scan run report, export a copy, and attach it with your reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4


I tried to look for the folder, which appears to be gone now. However, there is an Alsephina folder that has a "SegSetup" application inside with the "Web Discover" application. Neither has a clear uninstall option and they do not show up in the uninstall section of the Control Panel. A similar folder has something in it called "HolcusTropicalSoftqom" application. Some other folders that got downloaded in with Segurazo are also still on my computer; would it be safe to delete the ones that are .txt files and use the uninstaller on the other? The one that still has an uninstaller is called "Thundersea."


This last scan with Malwarebytes for Windows is a very good result. As to your very last post, I'll need a decent way to "see" those items and/or folders in a good report, one that can be useful and accurate. Let's hold off on that for a bit.

Let me suggest that we do a different set of scans to do more security checks of this system. I will guide you. I would encourage you to have added patience and fortitude. We will get this all squared away before we get to the ultimate end.

For now, this next scan is for adware.

Be sure you close all web browsers before you click on the "Scan" button in this next procedure.

I would suggest you download, save, and then run Malwarebytes ADWCLEANER.

Please close Chrome and all other open web browsers after you have saved AdwCleaner and before you start the AdwCleaner scan.

AdwCleaner detects factory pre-installed applications too!

Please download Malwarebytes AdwCleaner: https://downloads.malwarebytes.com/file/adwcleaner

Be sure to Save the file first, to your system. Saving to the Downloads folder should be the default on your system.

Go to the folder where you saved AdwCleaner. Double-click AdwCleaner to start it.

At the prompt for the license agreement, review and then click on I agree.

You will then see the main screen for AdwCleaner (if you do not see it right away, minimize the other open windows so you can see AdwCleaner).

Then click on the Dashboard button.

Click the blue button "Scan Now".

Allow it a few minutes to finish the scan. Let it remove what it finds.

NOTE: When it comes to the section "Pre-installed applications", you can skip that.

Please find and send the AdwCleaner "C" clean report.

In AdwCleaner, click the "Reports" button. Look at the list of reports for the latest date and type "Clean".

Double-click that line and it will open in Notepad. Save the file to your system and then attach it with your reply.

That C clean report will be the one with the most recent date and time in the folder C:\AdwCleaner\Logs

Thanks. Keep me advised. ONLY attach each report file as we go along. Please do NOT copy-paste into the main body of the reply box.

 


Thank you.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for and remove malware or potentially unwanted software from a system.

The download links and how to run the tool are at this link at Microsoft:

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

Select the "Quick" scan from the scan options.

Let me know the result of this.

The log is named MSERT.log and will be at C:\Windows\debug\msert.log

Please attach that log with your reply. There will be more to do on the next rounds.

 


Thanks. That is a good result. Next, a different scan tool.

I would suggest a free scan with the ESET Online Scanner.
Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

It will start a download of "esetonlinescanner.exe".
Save the file to your system, such as the Downloads folder, or else to the Desktop.

Go to the saved file and double-click it to get it started.

When presented with the initial ESET options, click on "Computer Scan".
Next, when prompted by Windows, allow it to start by clicking Yes.
When prompted for the scan type, click on Full scan.

Look at and tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.
Have patience. The entire process may take an hour or more. There is an initial update download.

There is a progress window display.
You should ignore all prompts to get the ESET antivirus software program (e.g. their standard program). You do not need to buy, get or install anything else.
When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked "View detected results".
Click the blue "Save scan log" to save the log.

If something was removed and you know it is a false finding, you may click on the blue "Restore cleaned files" (in blue, at the bottom).
Press Continue when all done. You should decline the offer for "periodic scanning".


Well done. The ESET Online scan tool did find and remove 3 EXE files. One of those it classified as Win32/Segurazo.J, and another as a trojan downloader.

We have more work to do here for follow-ups. This next part is mainly to ensure that the folders related to the 3 items are deleted.

Please find the previous Fixlist.txt in the Downloads folder on your machine, and delete it. A new one is attached with this post here.

The system will be rebooted after the script has run.

This custom script is for RANDO only / for this machine only.

Please be sure to close any open work files, documents, and any apps you started yourself before starting this.

The custom Fix script is going to be used by the FRSTENGLISH.exe tool, which you have in your Downloads folder.

Please save the attached file named FIXLIST.txt to the Downloads folder C:\Users\bartl\Downloads

Start Windows Explorer and go to the Downloads folder.

RIGHT-click on FRSTENGLISH.exe, select Run as Administrator and allow it to proceed. Reply YES when prompted to allow it to run. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool, click the "More info" link on that screen and click the "Run anyway" button on the next screen.

On the FRST window:
Click the Fix button just once, and wait.

[Screenshot: the Fix button on the FRST window]

PLEASE have lots of patience when this starts. You will see a green progress bar start. This run should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after the restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply, at your next opportunity.

Please know this will do a Windows Restart. Just let it do its thing. Keep going and do what follows.

[ 2 ]

 

Next, a TrendMicro HouseCall scan.

https://www.trendmicro.com/en_us/forHome/products/housecall.html

First, download and save to your Downloads folder the appropriate HouseCallLauncher.

Once the download is complete, go to where the HouseCallLauncher is saved and double-click it to start it.

The program will check with TrendMicro and do an update run.

Next it will show the Disclosure window.

Click Next to proceed.

The end user license agreement is presented. Click the Accept radio button and click Next to proceed.

I suggest a FULL scan.

The default is a Quick scan. If you wish a Full scan or a Custom scan, first click on Settings; then you can select which drives you want to include in the scan.

Click Scan now when ready.

The scan progress will then be displayed. Monitor the progress or just leave it alone until it finishes this phase.

When the scan phase has completed, if any items are tagged, you will see a list showing the file and its location, the classification of the threat, the type, risk, and Action option.

If you see an item that you know is safe, you can click the Action and select Ignore.

When all done and ready, click the Fix now button.

Attachment: Fixlist.txt


Thanks for the Fixlog report. That run is a success. The Windows System File Checker result is excellent.

Good to know about the result of the scan by TrendMicro HouseCall. Yes, you are right about their network check.

Tell me, how is the system now? Do you need anything else?

I would like you to run a tool named SecurityCheck to inquire on the current security-update status of some applications.

  • Download SecurityCheck by glax24 from here: https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
  • and save the tool on the desktop.
  • If Windows SmartScreen blocks that with a message window, then
  • click on the MORE INFO spot and over-ride that and allow it to proceed.
  • This tool is safe. SmartScreen is overly sensitive.
  • Right-click with your mouse on SecurityCheck.exe and select "Run as administrator" and reply YES to allow it to run and go forward.
  • Wait for the scan to finish. It will open in a text file named SecurityCheck.txt. Close the file. Attach it with your next reply.
  • You can find this file in a folder called SecurityCheck: C:\SecurityCheck\SecurityCheck.txt

 


The system seems the same as before the downloads, but I'm still scared about something secretly running in the background. The only things left from that batch of downloads that may be affected are the Minecraft launcher and Microsoft Office, which got modified when the virus got downloaded. If I don't plan on using either, is it safe to uninstall them normally through the Control Panel? Things that got downloaded and are still in Program Files (x86) are a folder of 3 .txt files in something called "VulkranRT" and another folder that still has an uninstaller and application in a folder called Thundersea, but is called "OneUpdater" when I look in the folder. The application says the company is "Thundersea Soln" if that helps? Would it be safe to uninstall/delete them normally as well, since they were never detected as threats? And I saw it in the Quarantine folder in the FRST folder. Will it just be there permanently? My understanding is that it is harmless at this point, but I don't like the thought of having it still be on my computer.

Attachment: SecurityCheck.txt


Hi. Thanks for the SecurityCheck report.
There are only 2 apps that need to be updated. Those are Zoom and Microsoft Teams. Those 2 can be upgraded later. The Windows 10 operating system is one that is a bit old. I can guide you to getting it upgraded to the very latest.
Let me first list a short recap of the scans already done.
The Microsoft Safety Scanner was run. And the ESET Online Scanner. And the TrendMicro HouseCall.
And Malwarebytes AdwCleaner. And a Malwarebytes for Windows scan with the rootkit option on.
The HouseCall scan reported no infection. The ESET scan found and removed some PUP (potentially unwanted programs). The description of what PUP are (as defined by Malwarebytes) is: "PUPs, or Potentially Unwanted Programs, are programs that may include advertising, toolbars, and pop-ups that are unrelated to the software you downloaded. PUPs often come bundled with other software that you installed."

The so-called Segurazo is classified as a PUP (not a virus).
PUP.Optional.Segurazo is defined / described here: https://blog.malwarebytes.com/detections/pup-optional-segurazo/

"SAntivirus" and "TASAntivirus" are other "names" for the "Segurazo" pest. But again, it is not a virus.
It is a rogue program. A fake program. But there are no remains of it now on this computer. It is gone now.

We can do other additional scans to check this whole system. And we can also do specific targeted scans of specific folders (the ones you mention) using both Malwarebytes for Windows and also Microsoft Windows Defender.

You mentioned:

Quote

    Things that got downloaded and are still in Program Files (x86) is a folder of 3 .txt files in something called "VulkranRT" and another folder that still has an uninstaller and application in a folder called Thundersea, but is called "OneUpdater" when I look in the folder. The application says the company is "Thundersea Soln"

Can you make, for you and me, a list of the precise folder locations,
and even take screen images of those folders in File Explorer, so that I can see the full file names and the types of files they are.
We can scan those folders.
We can upload any of those files that are .exe, .com, .bat or .cmd to the VirusTotal website for free analysis, to see whether they are real actual threats.
But just know that .txt files (text files) are not infections.

I believe that the Microsoft Office program on this machine is a free trial one.
Yes, you can uninstall it from within Windows itself, in the normal Uninstall procedure.
Just do not do manual deletes on your own.
The Quarantine folder of FRST is a lockup jail. Stuff in there can't be a threat now. And that area will be permanently deleted in total when we close this case. I will guide you.
My view is that thinking of a "factory reset" is too extreme, and not really called for.

Other tidbits: The Microsoft Windows Defender antivirus is up-to-date and running / active.
That is a definite plus.
There is one program to uninstall: McAfee Security Scan Plus
How to do an uninstall of a program:
1. In the search box on the taskbar, type Control Panel and select it from the results.
2. Select Programs > Programs and Features.
3. Right-click the program you want to uninstall and select Uninstall.
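The post above suggests listing the leftover folders, scanning them, and looking up their executables on VirusTotal; the poster also noted that "SegSetup" and "Web Discover" never appear in Programs and Features. The PowerShell below is an added example written for this thread, not something posted by either participant and not part of FRST, Malwarebytes or any other tool mentioned here. It is read-only: it walks Program Files, Program Files (x86) and the per-user AppData roots for folder names matching the ones the poster listed (Alsephina, Thundersea, VulkranRT, Web Discover; that list is an assumption taken from the thread and should be edited for another machine), prints each executable-type file's SHA-256 and Authenticode status together with a VirusTotal lookup link built from the hash (the public hash-lookup URL form, so nothing is uploaded), and then checks the Uninstall registry keys, Run keys and scheduled tasks for anything still referencing those names. Run it from an elevated PowerShell window so HKLM and task definitions are readable.

```powershell
# Added example: read-only triage of leftover PUP folders and their persistence.
# The folder names are an assumption taken from the forum thread; edit $Suspect.
$Suspect = @('Alsephina', 'Thundersea', 'VulkranRT', 'Web Discover')
$Roots   = @(${env:ProgramFiles(x86)}, $env:ProgramFiles, $env:LOCALAPPDATA, $env:APPDATA)
$ExeExt  = @('.exe', '.com', '.bat', '.cmd', '.dll', '.scr')
$Pattern = ($Suspect | ForEach-Object { [regex]::Escape($_) }) -join '|'

# 1. Top-level folders under each root whose name matches a suspect name.
$folders = foreach ($root in $Roots) {
    if (-not $root) { continue }
    Get-ChildItem -Path $root -Directory -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $Pattern }
}

# 2. For every executable-type file: size, timestamp, SHA-256, Authenticode
#    status/signer, and a VirusTotal link keyed by the hash (lookup, no upload).
$report = foreach ($dir in $folders) {
    Get-ChildItem -Path $dir.FullName -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $ExeExt -contains $_.Extension.ToLower() } |
        ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash.ToLower()
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File       = $_.FullName
                SizeKB     = [math]::Round($_.Length / 1KB)
                Modified   = $_.LastWriteTime
                SHA256     = $hash
                Signature  = $sig.Status     # NotSigned, Valid, HashMismatch, ...
                Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                VirusTotal = "https://www.virustotal.com/gui/file/$hash"
            }
        }
}
"-- Executables in suspect folders --"
$report | Format-List

# 3. Persistence: anything still referencing those names?
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

"`n-- Uninstall entries (what Programs and Features would show) --"
Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { "$($_.DisplayName) $($_.InstallLocation) $($_.UninstallString)" -match $Pattern } |
    Select-Object DisplayName, Publisher, InstallLocation, UninstallString | Format-List

"`n-- Run keys (auto-start at logon) --"
foreach ($key in $RunKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match $Pattern } |
            ForEach-Object { "{0}  {1} = {2}" -f $key, $_.Name, $_.Value }
    }
}

"`n-- Scheduled tasks whose action points at a suspect name --"
Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -match $Pattern } |
    Select-Object TaskPath, TaskName, State | Format-Table -AutoSize
```

An unsigned binary (Signature = NotSigned) in a vendor-named folder is exactly the kind of file worth pasting into the VirusTotal link before touching it; a Run-key or scheduled-task hit explains why a folder keeps coming back after a manual delete. The script changes nothing, so the cleanup itself can still go through the helper's FRST fix or a normal uninstall as the thread advises.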
 
