kitmub, posted April 28, 2021

In March my mom asked me to open a webinar on a legitimate website. I didn't notice that I misclicked a malicious adware. The browser did stop it at first, because of the certificate I guess, but because my mother was late and making me hurry up for the webinar, and I knew it was a legitimate website, I continued. It redirected to another site, then lots of colordialog popups. At that time I was still using the McAfee LiveSafe trial that came with the laptop; it was able to block something, but there were still popups, and the adware is designed to show only when your cursor is near the menu and can easily be misclicked if it's a little higher.

Browser extensions at that time: McAfee WebAdvisor, Ghostery, Comodo Online Security (I didn't install NoScript on my mom's user account). SpywareBlaster was also installed, if it matters, and Comodo Secure DNS.

After that I did a full scan with McAfee, Malwarebytes, SuperAntiSpyware, Comodo Cleaning Essentials and Windows Defender; nothing was found. I only installed Avast Free when McAfee was nearing the end of the trial; I did a full scan before installing Avast.

I noticed the browsers (and one time Windows Update, already gone) having "managed by organization" even though it's my mother's personal laptop.

Just recently, searching in Google on this laptop, I'm getting this message, only with this laptop; other devices don't:

"Our systems have detected unusual traffic from your computer network. This page checks to see if it's really you sending the requests, and not a robot. Why did this happen?"
The legitimate website on VirusTotal: https://www.virustotal.com/gui/url/fdd28d74fd4c5372c7717f7154c74f5bd4019f1d1d99165093692b9f465dc52a/detection

The adware detected by Malwarebytes Browser Guard (detected after the incident) on VirusTotal: https://www.virustotal.com/gui/url/932c17558fd1206665ff8bfaf1545adb02cfd617945cb536ea496d664a929a69/detection

Malwarebytes detected a few files, one in the Firefox profile as Malware.Heuristic.1001 and a few in windows/assembly as Malware.Heuristic.1003, that I am hesitant to quarantine because it may break something (they are still being detected even today). Any suggestion on how to copy the one in assembly without deleting it?

Attached: FRST log, Addition log, Mbam old log, Mbam full log Apr 25, 2021 (GMT+8), Zemana log.

System: Win10 Home version 20H2 19042.928, Lenovo IdeaPad, AMD R3 4300U, 4 GB RAM
AV: Avast Free, just recently updated to 21.3.2459 (build 21.3.6164.657); previous AV was the McAfee LiveSafe trial that came with the laptop; Windows Defender in periodic scanning mode
Installed antimalware: Malwarebytes Free, SpywareBlaster Free, SuperAntiSpyware, Comodo Cleaning Essentials (if you consider this installed), Emsisoft Emergency Kit (recently), Zemana AntiMalware (just recently)
Browser add-ons: Comodo Online Security, Avast Online Security, Malwarebytes Browser Guard, Ghostery, TrafficLight (just recently)

Attachments: Addition.txt, FRST.txt, mbamFull(Apr25-2021).txt, mbamold(Apr23-2021).txt, zemanalog.txt, quar.zip
kevinf80, posted April 28, 2021

Hello kitmub and welcome to Malwarebytes,

Can you run FRST one time; make sure the account has Administrator status. Also, to run FRST, right-click on the executable and select "Run as Administrator". Ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan". Select Scan; when done, attach the new logs, "FRST.txt" and "Addition.txt", to your reply.

Next:

Please download the correct portable version (32-bit or 64-bit) of RogueKiller for your system and save the file to your computer Desktop.
Right-click on the RogueKiller file and select Run as administrator to start the tool.
Click Yes to accept the UAC security warning that may appear.
Click Accept to agree with the EULA (End User License Agreement) and close the browser tab it will open.
Now click the blue Scan button and, under Standard Scan (recommended), click on the Scan button.
When the scan is complete, click on the Results button.
NOTE: DO NOT delete any found entries. All listed entries will be carefully analyzed.
Then click on the Report button. Click the Export button and select "Text file". Give a name to the file such as RKlog.txt and save it to the Desktop or in a location where you can easily find it.
Click the Finish button and close the RogueKiller window.
Attach the produced log in your next reply.

Thank you, Kevin.
kitmub, posted April 29, 2021

The Google search message is now gone (though I can't go to the Comodo forum, but can go to Comodo; I heard there are intermittent problems on Comodo's side). There was an internet interruption last night; I restarted the router and already have a different public IP address.

Note: there are 2 standard users and 1 admin account (2 others were accidentally created; I haven't opened those accounts yet).

Attached 2 sets of FRST logs: "AdminPriv(FRST/Addition).txt", one using the admin account with admin privilege, and "User(FRST/Addition).txt", using the standard user account with Run as Admin.
RKlog, run as admin: no detection.
Mbam log, recent: it still detects the assembly files.

Attachments: AdminPrivAddition.txt, AdminPrivFRST.txt, MbamApr292021.txt, RKlog.txt, UserAddition.txt, UserFRST.txt
kevinf80, posted April 29, 2021

Hiya kitmub, thanks for those logs. Continue with the following:

Upload a file to VirusTotal
Go to http://www.virustotal.com/
Click the Choose file button
Navigate to the file C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.VISUALSTU#\93E98B6A215CDAD81C34E86B5BDF4667\MICROSOFT.VISUALSTUDIO.TOOLS.OFFICE.EXCEL.HOSTADAPTER.V10.0.NI.DLL
Click the Scan it tab
If you get a message saying File has already been analyzed, click Reanalyze file now
Copy and paste the URL address back here please.

Repeat the above steps for the following files:
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.VISUALSTU#\CF3A0E487C7F33C1F049525CCC17E50F\MICROSOFT.VISUALSTUDIO.TOOLS.OFFICE.HOSTADAPTER.V10.0.NI.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.VISUALSTU#\0FF1FA2AADA73DC0FCA30AF8B2EC8F74\MICROSOFT.VISUALSTUDIO.TOOLS.OFFICE.OUTLOOK.HOSTADAPTER.V10.0.NI.DLL
C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.VISUALSTU#\E5FEDDA81ED7688A4567CF92DF140436\MICROSOFT.VISUALSTUDIO.TOOLS.OFFICE.WORD.HOSTADAPTER.V10.0.NI.DLL

Thank you, Kevin...
kitmub, posted April 29, 2021

(Quoting kevinf80's post above.)

Sadly I can't seem to scan it with VirusTotal; it won't let me select it or even copy the file to upload it, even using admin, unless there is another way to copy it. Attached a screenshot showing selecting the file.
kevinf80, posted April 29, 2021

Can you update Malwarebytes; when complete, try another scan. Are the files still flagged as malicious...?
kitmub, posted April 30, 2021

Found a way to get the files: you need to use "Run" to get to the Assembly folder. It is still being detected. Logs and files attached; the detection zip password is 123.

The VirusTotal URLs:

C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.VISUALSTU#\93E98B6A215CDAD81C34E86B5BDF4667\MICROSOFT.VISUALSTUDIO.TOOLS.OFFICE.EXCEL.HOSTADAPTER.V10.0.NI.DLL
https://www.virustotal.com/gui/file/41872849a69061749fd23039e7514c7b24e3396c968ce8da510d1165788c4c40/detection

C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.VISUALSTU#\CF3A0E487C7F33C1F049525CCC17E50F\MICROSOFT.VISUALSTUDIO.TOOLS.OFFICE.HOSTADAPTER.V10.0.NI.DLL
https://www.virustotal.com/gui/file/f476befc12f66b566b667699d042b4a316e78b8a91914b5552a3480293a60eb9/detection

C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.VISUALSTU#\0FF1FA2AADA73DC0FCA30AF8B2EC8F74\MICROSOFT.VISUALSTUDIO.TOOLS.OFFICE.OUTLOOK.HOSTADAPTER.V10.0.NI.DLL
https://www.virustotal.com/gui/file/2fcbd4553b1c042bb430e37371761ebf70dc1936023db7640ab90ba9de82011e/detection

C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.VISUALSTU#\E5FEDDA81ED7688A4567CF92DF140436\MICROSOFT.VISUALSTUDIO.TOOLS.OFFICE.WORD.HOSTADAPTER.V10.0.NI.DLL
https://www.virustotal.com/gui/file/2a4b683020929fb461b7956efb382a7d50189ac480b141e32b8cfda50c9c3250/detection

Attachments: Detections.zip, MbamNewApr302021.txt
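For anyone hitting the same "can't select or copy the file" problem with a detection under C:\Windows\assembly, an added PowerShell example (not from the thread, Malwarebytes or VirusTotal) that hashes the four flagged native-image DLLs from this thread, prints the VirusTotal lookup URL for each hash, and copies the files to a Desktop folder for upload; the folder name is an assumption. It works because PowerShell's file cmdlets address the real directory that Explorer hides behind its assembly-cache shell extension.

```powershell
# Added example: hash, inspect and stage flagged native-image DLLs without
# quarantining or moving them. Run from an elevated PowerShell prompt
# ("Run as Administrator"); the originals are left untouched.

# The four paths Malwarebytes flagged in this thread.
$flagged = @(
    'C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.VISUALSTU#\93E98B6A215CDAD81C34E86B5BDF4667\MICROSOFT.VISUALSTUDIO.TOOLS.OFFICE.EXCEL.HOSTADAPTER.V10.0.NI.DLL',
    'C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.VISUALSTU#\CF3A0E487C7F33C1F049525CCC17E50F\MICROSOFT.VISUALSTUDIO.TOOLS.OFFICE.HOSTADAPTER.V10.0.NI.DLL',
    'C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.VISUALSTU#\0FF1FA2AADA73DC0FCA30AF8B2EC8F74\MICROSOFT.VISUALSTUDIO.TOOLS.OFFICE.OUTLOOK.HOSTADAPTER.V10.0.NI.DLL',
    'C:\WINDOWS\ASSEMBLY\NATIVEIMAGES_V2.0.50727_32\MICROSOFT.VISUALSTU#\E5FEDDA81ED7688A4567CF92DF140436\MICROSOFT.VISUALSTUDIO.TOOLS.OFFICE.WORD.HOSTADAPTER.V10.0.NI.DLL'
)

# Staging folder on the Desktop (assumed name; change as you like).
$stage = Join-Path ([Environment]::GetFolderPath('Desktop')) 'Detections'
New-Item -ItemType Directory -Path $stage -Force | Out-Null

foreach ($path in $flagged) {
    # -LiteralPath: no wildcard interpretation of characters in the path.
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "Not found: $path"
        continue
    }
    $item   = Get-Item -LiteralPath $path
    $sha256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToLower()

    # Native images produced by ngen are normally not Authenticode-signed;
    # the signature sits on the IL assembly they were compiled from, so a
    # 'NotSigned' status here is expected and is not by itself evidence of
    # tampering. Size, timestamp and hash are the useful comparison points.
    $sigStatus = (Get-AuthenticodeSignature -LiteralPath $path).Status

    [PSCustomObject]@{
        File       = $item.Name
        SizeBytes  = $item.Length
        ModifiedUtc = $item.LastWriteTimeUtc
        SHA256     = $sha256
        Signature  = $sigStatus
        VirusTotal = "https://www.virustotal.com/gui/file/$sha256/detection"
    }

    # Copy, never move: the file stays where the runtime expects it.
    Copy-Item -LiteralPath $path -Destination $stage -Force
}

Write-Host "Copies staged in $stage for upload."
```

The VirusTotal URL is built from the file's own SHA-256, so if the hash is already known to VirusTotal you can open the result without uploading anything; otherwise upload the staged copy.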
kevinf80, posted April 30, 2021

Hiya kitmub, I believe these detections are false positives (FP). I'll move your thread over to the FP file section; maybe @miekiemoes or @shadowwar will comment.

Thank you, Kevin.
shadowwar (Staff), posted April 30, 2021 (marked as Staff Solution)

These should be fixed now. Please give 10 mins for it to take effect.
kitmub, posted May 1, 2021

Ok, confirmed it's no longer being detected.