Jump to content

Windows 10 Trojan/Malware

dunc97

By dunc97
in Resolved Malware Removal Logs

 Share
Go to solution Solved by kevinf80,

Recommended Posts

dunc97

dunc97

Posted
Posted

PC has been compromised by a malicious download. User's google chrome (appeared as managed by organisation) and facebook account compromised. Ran scans using a combination of MalwareBytes, MBAR, MSRT, and removed glupteba and wacatac.b ml trojans. Proxy settings are still persistently set to manual proxy at http=127.0.0.1:49773;https=127.0.0.1:49773 

FRST.txt Addition.txt

Link to post
Share on other sites
kevinf80

kevinf80

Posted
Posted (edited)

Hello dunc97 and welcome to Malwarebytes,

Continue with the following:

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.

NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed.

The following directories are emptied:
 
  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin


Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

user posted image

The system will be rebooted after the fix has run.

Next,

Open Malwarebytes, select > small cog wheel top right hand corner, that will open "settings" from there select "Security" tab.

Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on....

Clsoe out the settings window, this will take you back to "DashBoard" select the Blue "Scan Now" tab......

When the scan completes quarantine any found entries...

To get the log from Malwarebytes do the following:
 
  • Click on the Detection History tab > from main interface.
  • Then click on "History" that will open to a historical list
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:
    Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
    Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply

     
  • Please use "Text file (*.txt), then name the file and save to a place of choice, recommend "Desktop" then attach to reply


Next,

Download AdwCleaner by Malwarebytes onto your Desktop.

Or from this Mirror
 
  • Right-click on AdwCleaner.exe and select http://i.imgur.com/Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Quarantine button. This will kill all the active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply


Next,

Download Sophos Free Virus Removal Tool and save it to your desktop.

If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....

Please Do Not use your PC whilst the scan is in progress.... This scan is very thorough so may take several hours...
 
  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found please confirm that result....



The Virus Removal Tool scans the following areas of your computer:
  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable
  • Mapped network drives are not scanned.


Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

Saved logs are found here: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs

Letme see those logs in your reply...

Thank you,

Kevin..

fixlist.txt

Edited by kevinf80
Link to post
Share on other sites
dunc97

dunc97

Posted
  • Author
Posted

Hi Kevin,

When booting the PC the options to automatically detect settings is off. The manual proxy setup setting alternates between on and off and uses the address and port mentioned in my first post. As far as I am aware a proxy has never been configured on this PC prior to the virus issue.

Kind regards

Link to post
Share on other sites
kevinf80

kevinf80

Posted
Posted
Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

user posted image

fixlist.txt

Link to post
Share on other sites
kevinf80

kevinf80

Posted
Posted

Hiya dunc97,

Thanks for those logs, continue:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

user posted image
 
Thank you,
 
Kevin

fixlist.txt

Link to post
Share on other sites
dunc97

dunc97

Posted
  • Author
Posted

Hi Keith,

I've rebooted, still appears. I then turned it off again and downloaded the fix again and ran it in FRST once more. This cleared the address and port boxes under manual proxy settings. Upon rebooting again the proxy was still turned on and the boxes were repopulated with the address 127.0.0.1 and the port number.

Kind regards

Link to post
Share on other sites
kevinf80

kevinf80

Posted
Posted

Hiya dunc97,

Offline scan for windows 10

Open the search function, type or copy/paste Windows Defender Security Center then select ok to open that option.

In the new window select Virus and Threat Protection then select Scan Options

The scan options window will open, from there select Windows Defender Offline Scan

You will be given the option to save any opened work etc, then select Scan from there when the scan completes Windows will reboot..

To check for found entries:

Select Start , and then select Settings > Update & Security > Windows Security > Virus & threat protection . On the Virus & threat protection screen select Protection history.

If entries are shown as "Found" the time and date will be same as the offline scan just completed.....
 
Thank you,
 
Kevin
Link to post
Share on other sites
kevinf80

kevinf80

Posted
Posted (edited)

Hiya dunc97,

I want you to run your system in "clean boot" after you reboot to that mode run an FRST fix again, then reboot and see if the proxy returns. It seems that the id numbers change each time they are removed/returned so we need another FRST scan first..

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan" Select scan, when done post the new logs. "FRST.txt" and "Addition.txt"

user posted image
 
Let me logs in your reply...
Whilst you wait for the fix run your system in clean boot mode, then we will see if the proxy returns again...
 
Next,
 
Set windows up for "Clean Boot" mode, full instructions here: https://support.microsoft.com/en-gb/kb/929135

Basically all none MS services are disabled, see how your system runs in that mode. Let me know when you are in clean boot mode and i`ll attach the fix in my reply to you...
 
Thank you,
 
Kevin
 
Edited by kevinf80
Link to post
Share on other sites
  • Solution
kevinf80

kevinf80

Posted
  • Solution
Posted

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

Your PC should reboot when the fix completes....

 

 

fixlist.txt

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.

  I accept