Possible infection/compromised laptop

Solved by shadowwar

In March my mom asked me to open a webinar on a legitimate website. I didn't notice that I misclicked a malicious adware link; the browser stopped it at first, because of the certificate I guess, but because my mother was late and was making me hurry up for the webinar, and I know it's a legitimate website, I continued. It redirected to another site, then lots of color dialog popups.

At that time I was still using the McAfee LiveSafe trial that came with the laptop. It was able to block something, but there were still popups,
and the adware is designed to only show when your cursor is near the menu and can easily be misclicked if it's a little higher.
Browser extensions at that time were McAfee WebAdvisor, Ghostery, Comodo Online Security (I didn't install NoScript on my mom's user account). SpywareBlaster was also installed, if it matters, and Comodo Secure DNS.

After that I did full scans with McAfee, Malwarebytes, SUPERAntiSpyware, Comodo Cleaning Essentials and Windows Defender; nothing was found.

I only installed Avast Free when McAfee was nearing the end of its trial; I did a full scan before installing Avast.

I noticed browsers (and one time Windows Update, already gone) showing "managed by organization" even though it's my mother's personal laptop.

Just recently, searching in Google from this laptop, I'm getting this message, only with this laptop; other devices don't:


Our systems have detected unusual traffic from your computer network.

This page checks to see if it's really you sending the requests, and not a robot. Why did this happen?


The legitimate website on VirusTotal:
https://www.virustotal.com/gui/url/fdd28d74fd4c5372c7717f7154c74f5bd4019f1d1d99165093692b9f465dc52a/detection

The adware detected by Malwarebytes Browser Guard after the incident, VirusTotal link:
https://www.virustotal.com/gui/url/932c17558fd1206665ff8bfaf1545adb02cfd617945cb536ea496d664a929a69/detection

Malwarebytes detected a few files: one in the Firefox profile as Malware.Heuristic.1001 and

a few in Windows\assembly as Malware.Heuristic.1003 that I am hesitant to quarantine, as it may break something (they are still being detected even today).

Any suggestion on how to copy the ones in assembly without deleting them?


Attached

FRST Log

Addition log

Mbam old log

Mbam Full log Apr 25,2021 (GMT+8)

Zemana Log


System:
Win10 Home version 20H2 19042.928
Lenovo IdeaPad
AMD R3 4300U
4 GB RAM
Avast Free, just recently updated to 21.3.2459 (build 21.3.6164.657)

Previous AV: McAfee LiveSafe trial that came with the laptop
Windows Defender in periodic scanning mode

Installed antimalware:
Malwarebytes Free
SpywareBlaster Free
SUPERAntiSpyware
Comodo Cleaning Essentials (if you consider this installed)
Emsisoft Emergency Kit (recently)
Zemana AntiMalware (just recently)

Browser add-ons:
Comodo Online Security
Avast Online Security
Malwarebytes Browser Guard
Ghostery
TrafficLight (just recently)

Addition.txt FRST.txt mbamFull(Apr25-2021).txt mbamold(Apr23-2021).txt zemanalog.txt quar.zip

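The "managed by organization" banner described in the opening post is what Chrome, Edge and Firefox display when policies have been applied to them, and on a home machine the usual source is a registry key under Software\Policies. The PowerShell below is an added example for this thread, not code from the original post or from Malwarebytes. It lists every registry-set policy under the well-known policy roots of those three browsers (the set of roots checked is an assumption; policies delivered through other channels, which chrome://policy, edge://policy or about:policies would show, are not covered) and flags the names that most often matter on a personal laptop, such as a forced extension install or a proxy or search-engine override. It assumes an elevated PowerShell prompt and changes nothing.

```powershell
# Added example for this thread (not from the original post or from Malwarebytes).
# Lists registry-set browser policies, which are what make Chrome, Edge and
# Firefox show "Managed by your organization". Run from an elevated PowerShell.

# Well-known policy roots (assumption: only these three browsers are checked)
$PolicyRoots = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome',
    'HKCU:\SOFTWARE\Policies\Google\Chrome',
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge',
    'HKCU:\SOFTWARE\Policies\Microsoft\Edge',
    'HKLM:\SOFTWARE\Policies\Mozilla\Firefox',
    'HKCU:\SOFTWARE\Policies\Mozilla\Firefox'
)

# Policy names that deserve a closer look on a personal machine: they can keep an
# extension installed, redirect traffic, or replace the search engine/homepage.
$Suspicious = 'ExtensionInstallForcelist|ExtensionInstallSources|ProxySettings|ProxyServer|' +
              'DefaultSearchProvider|HomepageLocation|RestoreOnStartupURLs|DnsOverHttps|Extensions'

function Get-BrowserPolicy {
    param([string[]] $Roots = $PolicyRoots)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # The root key plus every subkey beneath it; list-type policies are stored
        # as subkeys holding numbered values (ExtensionInstallForcelist\1, 2, ...).
        $keys = @(Get-Item -LiteralPath $root) + @(Get-ChildItem -LiteralPath $root -Recurse)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{
                    Key        = $key.Name
                    Value      = $name
                    Data       = $key.GetValue($name)
                    Suspicious = ($key.Name -match $Suspicious -or $name -match $Suspicious)
                }
            }
        }
    }
}

$policies = Get-BrowserPolicy
if (-not $policies) {
    'No registry-set browser policies found. If the banner persists, open chrome://policy,'
    'edge://policy or about:policies to see policies arriving from another source.'
} else {
    $policies | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
}
```

The output only lists policies; it does not remove anything, which is deliberate on a thread where a helper is reviewing the logs. Note that some legitimate products (security suites, enterprise-style extension installers) also write these keys, so an entry is a lead to show the helper, not proof of compromise on its own.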

Hello kitmub and welcome to Malwarebytes,

Can you run FRST one more time; make sure the account has Administrator status. Also, to run FRST, right-click on the executable and select "Run as Administrator". Ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan". Select Scan; when done, attach the new logs "FRST.txt" and "Addition.txt" to your reply.

Next,

Please download the correct portable version (32-bit or 64-bit) of RogueKiller for your system and save the file to your computer Desktop.
  • Right-click on the RogueKiller file and select Run as administrator to start the tool.
  • Click Yes to accept the UAC security warning that may appear.
  • Click Accept to agree with the EULA (End User License Agreement) and close the browser tab it will open.
  • Now click the Scan blue button and under the Standard Scan (recommended) click on the Scan button.
  • When the scan is complete, click on Results button. NOTE: DO NOT delete any found entries. All listed entries will be carefully analyzed.
  • Then click on Report button.
  • Click Export button and select "Text file".
  • Give a name to the file such as RKlog.txt and save it to the Desktop or in a location where you can easily find it.
  • Click the Finish button and close RogueKiller window.
  • Attach the produced log into your next reply.

Thank you,

Kevin..


The Google search message is now gone (though I can't go to the Comodo forum, but can go to Comodo; I heard there are intermittent problems on Comodo's side).

There was an internet interruption last night; I restarted the router and already have a different public IP address.

Note: there are 2 standard users and 1 admin account (2 others were accidentally created; I haven't opened those accounts yet).

Attached

2 set of FRST log

"AdminPriv(FRST/Addition).txt": one using the admin account with admin privilege

"User(FRST/Addition).txt": using the standard user account with "Run as Administrator"

RKlog, run as admin: no detection

Mbam log, recent: it still detects the Assembly files


Hiya kitmub,

Thanks for those logs, continue with the following:

Upload a File to Virustotal

Go to http://www.virustotal.com/
  • Click the Choose file button
  • Navigate to the file C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.VISUALSTU#\93E98B6A215CDAD81C34E86B5BDF4667\MICROSOFT.VISUALSTUDIO.TOOLS.OFFICE.EXCEL.HOSTADAPTER.V10.0.NI.DLL
  • Click the Scan it tab
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Copy and paste the URL address back here please.
  • Repeat the above steps for the following files:

C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.VISUALSTU#\CF3A0E487C7F33C1F049525CCC17E50F\MICROSOFT.VISUALSTUDIO.TOOLS.OFFICE.HOSTADAPTER.V10.0.NI.DLL

C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.VISUALSTU#\0FF1FA2AADA73DC0FCA30AF8B2EC8F74\MICROSOFT.VISUALSTUDIO.TOOLS.OFFICE.OUTLOOK.HOSTADAPTER.V10.0.NI.DLL

C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.VISUALSTU#\E5FEDDA81ED7688A4567CF92DF140436\MICROSOFT.VISUALSTUDIO.TOOLS.OFFICE.WORD.HOSTADAPTER.V10.0.NI.DLL

Thank you,

Kevin...

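Kevin's step above needs a copy of each native-image DLL taken out of C:\Windows\assembly, which Explorer and a browser's file dialog make awkward. The PowerShell below is an added example for this thread, not code from the original post or from Malwarebytes. It copies the four flagged files to a staging folder (the folder name is an assumption), computes each file's SHA-256 so the VirusTotal report can be looked up by hash before anything is uploaded, and looks for the IL assembly each native image was generated from, showing who signed it. It assumes an elevated prompt and the four paths exactly as listed above; the originals are left in place, nothing is deleted or quarantined.

```powershell
# Added example for this thread (not from the original post or from Malwarebytes).
# Stages the flagged NGEN native images for analysis without quarantining them,
# hashes them, and finds the IL assembly each .ni.dll was compiled from.
# Run as Administrator.

$Flagged = @(
    'C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.VISUALSTU#\93E98B6A215CDAD81C34E86B5BDF4667\MICROSOFT.VISUALSTUDIO.TOOLS.OFFICE.EXCEL.HOSTADAPTER.V10.0.NI.DLL',
    'C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.VISUALSTU#\CF3A0E487C7F33C1F049525CCC17E50F\MICROSOFT.VISUALSTUDIO.TOOLS.OFFICE.HOSTADAPTER.V10.0.NI.DLL',
    'C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.VISUALSTU#\0FF1FA2AADA73DC0FCA30AF8B2EC8F74\MICROSOFT.VISUALSTUDIO.TOOLS.OFFICE.OUTLOOK.HOSTADAPTER.V10.0.NI.DLL',
    'C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.VISUALSTU#\E5FEDDA81ED7688A4567CF92DF140436\MICROSOFT.VISUALSTUDIO.TOOLS.OFFICE.WORD.HOSTADAPTER.V10.0.NI.DLL'
)

# Assumption: staging folder on the current user's desktop
$Staging = Join-Path $env:USERPROFILE 'Desktop\assembly-samples'
New-Item -ItemType Directory -Path $Staging -Force | Out-Null

# Both GAC roots: .NET 2.0/3.5 under Windows\assembly, .NET 4 under Microsoft.NET\assembly
$GacRoots = 'C:\Windows\assembly', 'C:\Windows\Microsoft.NET\assembly'

function Get-NativeImageInfo {
    param([string] $Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Not found: $Path"
        return
    }
    $item   = Get-Item -LiteralPath $Path
    $sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()

    # A native image is produced by ngen.exe from an IL assembly of the same name
    # minus ".ni". A native image with no IL parent anywhere in the GAC is unusual.
    $ilName = $item.Name -ireplace '\.ni\.dll$', '.dll'
    $parent = Get-ChildItem -Path $GacRoots -Recurse -Filter $ilName -File -ErrorAction SilentlyContinue |
              Where-Object { $_.FullName -notmatch 'NativeImages' } |
              Select-Object -First 1

    $parentPath   = '(none found)'
    $parentSigner = ''
    if ($parent) {
        $parentPath   = $parent.FullName
        $sig          = Get-AuthenticodeSignature -LiteralPath $parent.FullName
        $parentSigner = "$($sig.Status): $($sig.SignerCertificate.Subject)"
    }

    [pscustomobject]@{
        File           = $item.Name
        SizeKB         = [math]::Round($item.Length / 1KB, 1)
        LastWrite      = $item.LastWriteTime
        SHA256         = $sha256
        VirusTotal     = "https://www.virustotal.com/gui/file/$sha256"
        ILParent       = $parentPath
        ILParentSigner = $parentSigner
    }
}

foreach ($f in $Flagged) {
    $info = Get-NativeImageInfo -Path $f
    if ($null -eq $info) { continue }
    $info | Format-List
    # Copy-Item reads the real NTFS path, so it works where the Explorer/file-dialog
    # view does not. -LiteralPath keeps the '#' in the folder name from being interpreted.
    Copy-Item -LiteralPath $f -Destination (Join-Path $Staging $info.File) -Force
}
"Copies written to $Staging; look the hashes up on VirusTotal before uploading anything."
```

The VirusTotal URL printed for each file is the same /gui/file/<sha256> form as the links later in this thread, so if the hash is already known the report can be read without uploading the file at all. If a native image has no IL parent, or the parent is unsigned or signed by someone other than the vendor you expect, that is the detail worth handing to the helper along with the copies.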
7 hours ago, kevinf80 said:

Upload a File to Virustotal [...]

Sadly, I can't seem to scan it with VirusTotal; it won't let me select it or even copy the file to upload it, even using admin, unless there is another way to copy it.

Attached screenshot showing selecting the file.


Screenshot (9).png


Found a way to get the files: you need to use "Run" to get to the Assembly folder.

It is still being detected; logs and files attached.

Detection zip password is 123.

The VirusTotal URLs:


C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.VISUALSTU#\93E98B6A215CDAD81C34E86B5BDF4667\MICROSOFT.VISUALSTUDIO.TOOLS.OFFICE.EXCEL.HOSTADAPTER.V10.0.NI.DLL

https://www.virustotal.com/gui/file/41872849a69061749fd23039e7514c7b24e3396c968ce8da510d1165788c4c40/detection


C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.VISUALSTU#\CF3A0E487C7F33C1F049525CCC17E50F\MICROSOFT.VISUALSTUDIO.TOOLS.OFFICE.HOSTADAPTER.V10.0.NI.DLL

https://www.virustotal.com/gui/file/f476befc12f66b566b667699d042b4a316e78b8a91914b5552a3480293a60eb9/detection

C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.VISUALSTU#\0FF1FA2AADA73DC0FCA30AF8B2EC8F74\MICROSOFT.VISUALSTUDIO.TOOLS.OFFICE.OUTLOOK.HOSTADAPTER.V10.0.NI.DLL

https://www.virustotal.com/gui/file/2fcbd4553b1c042bb430e37371761ebf70dc1936023db7640ab90ba9de82011e/detection

C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.VISUALSTU#\E5FEDDA81ED7688A4567CF92DF140436\MICROSOFT.VISUALSTUDIO.TOOLS.OFFICE.WORD.HOSTADAPTER.V10.0.NI.DLL

https://www.virustotal.com/gui/file/2a4b683020929fb461b7956efb382a7d50189ac480b141e32b8cfda50c9c3250/detection


Detections.zip MbamNewApr302021.txt
