Jump to content

Concerned over infection

Lozza94

By Lozza94
in Resolved Malware Removal Logs

 Share
Go to solution Solved by Maurice Naggar,

Recommended Posts

Lozza94

Lozza94

Posted
Posted

Hi,

Over the last few days I've been experiencing a number of issues while browsing that could indicate an infection. Norton has been alerting me to frequent intrusion attempts (malicious redirects, domain requests and so on) while Malwarebytes has told me about a number of blocked websites running the gamut from Trojans, RiskWare, Fraud, PUPs, Malware and Malvertising.

At the same time, neither program has been able to find any concrete threats when scanning my system. So I am taking it to the next level...

I'm attaching my Malwarebytes log and FRST/additions logs as per forum policy. For what it's worth, a few days ago I tried out the ADWcleaner, which quarantined 3 items* (see the other log if you want to check on this), but re-running it now does not find anything and the issues have persisted since running ADWcleaner. I also ran a Malwarebytes advanced scan on the whole C drive (though I disabled scanning for rootkits as this made the process massively slow) and this did not find anything either. 

Thanks in advance for your help!

 

* I didn't delete them at the time but AFAIK quarantine makes them inactive and no longer a threat. 

lozza94_threat_scan.txt Addition.txt FRST.txt AdwCleaner[S00].txt

Link to post
Share on other sites
Maurice Naggar

Maurice Naggar

Posted
Posted (edited)

Hello. My name is Maurice. I will guide you. Let's start with this.

I would suggest a free scan with the ESET Online Scanner

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

 

It will start a download of "esetonlinescanner.exe" 

Save the file to your system, such as the Downloads folder, or else to the Desktop

Go to the saved file, and double click it to get it started.

 

When presented with the initial ESET options, click on "Computer Scan".

Next, when prompted by Windows, allow it to start by clicking Yes

When prompted for scan type, Click on Full scan.

Look at & tick  ( select )   the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click on Start scan button

Have patience.  The entire process may take an hour or more. There is an initial update download

There is a progress window display

You should ignore all prompts to get the ESET antivirus software program.   ( e.g.  their standard program).   You do not need to buy or get or install anything else

When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”

Click The blue “Save scan log” to save the log

If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files”  ( in blue, at bottom)

Press Continue when all done.  You should click to off the offer for “periodic scanning”

Edited by Maurice Naggar
Link to post
Share on other sites
Maurice Naggar

Maurice Naggar

Posted
Posted

Thanks for the report.

It is always important to get report files.  Regardless of your language.

The ESET removed all items it detected. 

As a next step, to checkout your system a bit more, a scan with Sophos.

Download Sophos Free Virus Removal Tool   and save it to your desktop.

If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....

 

Please Do Not use your PC whilst the scan is in progress.... This scan is very thorough so may take several hours...

Double click the icon and select Run

Click Next

Select I accept the terms in this license agreement, then click Next twice

Click Install

Click Finish to launch the program

Once the virus database has been updated click Start Scanning

If any threats are found click Details, then View log file... (bottom left hand corner)

Copy and paste the results in your reply

Close the Notepad document, close the Threat Details screen, then click Start cleanup

Click Exit to close the program

If no threats were found please confirm that result....

 

The Virus Removal Tool scans the following areas of your computer:

 

Memory, including system memory on 32-bit (x86) versions of Windows

The Windows registry

All local hard drives, fixed and removable

Mapped network drives are not scanned.

Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

 

Saved logs are found here: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs

Please be sure to attach that log.

Cheers.

Link to post
Share on other sites
Lozza94

Lozza94

Posted
  • Author
Posted

Hi Maurice,

Thanks again for your advice. However, no threats were found by Sophos. 

Apologies for the delay, I had to wait to scan the PC overnight as I use it for work all day.

(From the log you'll first see the scan I did on Saturday but I tried again at your request - the relevant scan finished started on 30-03. The unscanned files are from a work Dropbox.)

SophosVirusRemovalTool.log

Link to post
Share on other sites
Maurice Naggar

Maurice Naggar

Posted
Posted

Hi. Thanks.

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

 

Please read the guide at Tenforums.  Need to be sure that Windows is set to show ALL Folders, including system folders, plus also hidden folders & files.

 

Please confirm after that is done.

Link to post
Share on other sites
Maurice Naggar

Maurice Naggar

Posted
Posted

The script Fixlist.txt  needs to be saved to the same folder that contains FRST64.exe   

 

The custom script on this post is ONLY for this machine and NO other.   

Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.

 

If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached,  please disconnect any of those.

 

The system will be rebooted after the script has run.

Please save the (attached file named) FIXLIST.txt   to the  Downloads folder

 

 

Start the Windows Explorer and then, to the Downloads folder.

 

RIGHT click on  FRST64.exe   and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run.

  to run the tool. If the tool warns you the version is outdated, please download and run the updated version.

IF Windows prompts you about running this, select YES to allow it to proceed.

 

IF you get a block message from Windows about this tool......

click line More info information on that screen

and click button Run anyway on next screen.

 

on the FRST window:

Click the Fix button just once, and wait.

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.

If you receive a message that a reboot is required, please make sure you allow it to restart normally.

The tool will complete its run after restart.

When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   

 

Please know this will do a Windows Restart.   Just let it do its thing.  

Do let me know how things are overall,  after all this.

Fixlist.txt

Link to post
Share on other sites
Lozza94

Lozza94

Posted
  • Author
Posted

Hi Maurice,

Thanks a lot for your help!

Okay - here's the fixlog. The system seems fine but then again it seemed fine before - I imagine the real test is whether I keep getting warnings over intrusions, trojans and so on... I'll let you know whether these continue but it may take a little while to tell.

Fixlog.txt

Link to post
Share on other sites
Maurice Naggar

Maurice Naggar

Posted
Posted

Thanks for the log file.  That was a very worthwhile run.

As to the original & main issue about "Block notice messages" from the web protection of the Malwarebytes for Windows.

Those notices just mean that any prospective threat was halted.  They were STOPPED ! The term 'intrusion' is not fitting.

.

If there is another new block, I would be asking you to relay a copy of the log of that block from the Malwarebytes app.

Is yours a Premium licensed one ?

. 

for each of these 3 web browsers, the Edge browser, the Google Chrome , Firefox, they each should have the Browser Guard by Malwarebytes.

there is a specific one for Firefox.

Edge & Chrome will each take the one for Chrome.

see & follow my suggestions at this one post 

https://forums.malwarebytes.com/topic/268707-getting-redirect-malware-from-visymo/?do=findComment&comment=1432401

Link to post
Share on other sites
Lozza94

Lozza94

Posted
  • Author
Posted

Hi Maurice,

Thanks again! Yes I understand alerts don't necessarily indicate an underlying infection but thought it was better to be safe than sorry...

There have been a few detections since. I've attached Malwarebytes logs for those. 

My desktop app is a trial of the premium version but I will certainly purchase the premium following this experience!

I have installed the Browser guards (including on Opera which is my main browser day-to-day). However, they don't seem to be blocking your test site when Web Protection in the desktop app is turned off (I followed the advice in this thread to check they were working). https://forums.malwarebytes.com/topic/252088-browser-guard-for-opera/

 

 

attack1.txt attack2.txt attack3.txt attack4.txt

Link to post
Share on other sites
  • Solution
Maurice Naggar

Maurice Naggar

Posted
  • Solution
Posted

All 4 Block reports involved OPERA trying outbound connections to 4 different URL links / all different IP addresses.  They were STOPPED!

I would urge that you stop using Opera for a couple of days.  Instead, just use the Edge browser.

.

In Opera, be sure to Delete all Cache, all history.

Look very closely at Start page setting + Home page + the options related to Search preference.

Plus in addition look closely at each browser extension that is on Opera.

Link to post
Share on other sites
Lozza94

Lozza94

Posted
  • Author
Posted

Hi Maurice,

Sorry about this - I thought I posted a reply on Weds, but it isn't showing up here! 

Long story short - I did as you suggested over Opera, while I couldn't find anything obviously suspicious in the settings/extensions I did delete the cache etc. It seems like this has finally done the trick - I have had no further alerts from Norton or Malwarebytes and my daily scans have since been coming up clean. Feel free to move this to 'resolved'... and thanks a lot for all your help!

Link to post
Share on other sites
Maurice Naggar

Maurice Naggar

Posted
Posted

Hello.

You ware very welcome.  I am glad to have worked with you.  

We can proceed with cleanup of tools we used.

To remove the FRST  tool & its work files, do this.  Go to your Downloads  folder.  Do a RIGHT-click on FRST64.exe & select RENAME & then change it to UNINSTALL.exe .

Then run that ( double click on it)  to begin the cleanup process.

 

Delete the Sophos download file.

Delete esetonlinescanner.exe

 

Any other download file I had you download, you may delete.   I wish you all the best.  Stay safe.

Sincerely.  :cool:

Maurice

Link to post
Share on other sites
Maurice Naggar

Maurice Naggar

Posted
Posted

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you

 

 

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.