blackhole5334 (Posted May 9, 2021, ID:1455789)
Help, please! I've run Malwarebytes. 16 items were quarantined, but it's still showing, and AVG blocked something named HEUR, but I accidentally clicked too fast because my computer is lagging really badly. I've included the latest FRST logs.
Attachments: Addition.txt, FRST.txt
Maurice Naggar (Posted May 9, 2021, ID:1455793)
Hi @blackhole5334. Can you please look in your AVG history and get that last report? That would help a lot.
Maurice Naggar (Posted May 9, 2021, ID:1455795)
I will guide you as we go along. Please only attach the reports I ask for. The next thing I suggest is: close all web browsers, close any apps of yours that you now have open on-screen, then do a Full scan with the AVG antivirus.
blackhole5334 (Author, Posted May 10, 2021, ID:1455973)
Okay, so in AVG quarantine was IDP.HEUR.23, file name startmenufix.vbs, location System32\oem, and HTML:EvilCursor-B, file name "This computer is BLOCKED.html", located in the Downloads folder. Since doing the Deep scan, 3 Adw named Win32:Mobiame-C were moved from the Recycling Bin to quarantine.
Maurice Naggar (Posted May 10, 2021, ID:1455987)
Thank you for that. Now let's do this scan next. In the Malwarebytes for Windows program, we want to do a special scan.

1. Click Settings (gear icon) at the top right of the Malwarebytes window. We want to see the SETTINGS window.
2. Click the Security tab. Scroll down and let's be sure the line in SCAN OPTIONS for "Scan for rootkits" is ON. Click it to turn it ON if it does not show a blue color.
3. Click the small x on the Settings line to go back to the main Malwarebytes window.
4. Click the blue button marked Scan.
5. When the scan phase is done, be very sure you review and have all detected line items check-marked on each line on the left. That too is very critical. You can click (tick) the topmost left check-box on the very top line to get ALL lines ticked (all selected).
6. Click Quarantine selected.
7. Locate the scan run report, export a copy, and attach it with your reply. See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

We will do more later.
blackhole5334 (Author, Posted May 10, 2021, ID:1456019)
I had already done that yesterday, but I did another. I'm including both reports. The one named 'report' is from today.
Attachments: report 5-9-21.txt, report.txt
Maurice Naggar (Posted May 10, 2021, ID:1456051)
Thank you. Today's Malwarebytes scan result is reassuring. A different scan now. I would suggest a free scan with the ESET Online Scanner.

1. Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe. It will start a download of "esetonlinescanner.exe". Save the file to your system, such as the Downloads folder, or else to the Desktop.
2. Go to the saved file and double-click it to get it started.
3. When presented with the initial ESET options, click on "Computer Scan". When prompted by Windows, allow it to start by clicking Yes.
4. When prompted for scan type, click on Full scan.
5. Tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.
6. Have patience. The entire process may take an hour or more. There is an initial update download. There is a progress window display. Ignore all prompts to get the ESET antivirus software program (e.g. their standard program). You do not need to buy, get, or install anything else.
7. When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked "View detected results". Click the blue "Save scan log" to save the log. If something was removed and you know it is a false finding, you may click on the blue "Restore cleaned files" (in blue, at bottom).
8. Press Continue when all done. You should click to turn off the offer for "periodic scanning".
blackhole5334 (Author, Posted May 11, 2021, ID:1456289)
It took a while, but it finally finished. It found 1 PUP, and I don't know what it is. Here's the log.
Attachment: esetlog.txt
Maurice Naggar (Posted May 12, 2021, ID:1456498)
ESET tagged that 1 EXE file as a potentially unwanted app (PUA). It is deleted.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for and remove malware or potentially unwanted software from a system. The download links and how to run the tool are at this link at Microsoft: https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download
You may select Quick scan from the scan options. Let me know the result of this. The log is named msert.log and will be at C:\Windows\debug\msert.log. Please attach that log with your reply.
blackhole5334 (Author, Posted May 12, 2021, ID:1456518)
Came up clean.
Attachment: msert.log
blackhole5334 (Author, Posted May 12, 2021, ID:1456523)
I went to Add/Remove Apps and I see "Browser Assistant", 21.7 MB. This is the app flagged by MB the first time, iirc, or at least 'browser assistant' and 'BA' were in the name. I do not know what this is, and I'm almost sure this is where the trojan came from. Should I just click uninstall, or do I need to do something else?
Maurice Naggar (Posted May 12, 2021, ID:1456526)
Yay. No infection reported by the MS Safety Scanner. Yay.

Yes, uninstall 'Browser Assistant'. You will also want to close any open web browser. Later, restart the browser if needed.
Maurice Naggar (Posted May 12, 2021, ID:1456527)
Next steps after the last post. Let me suggest you do one scan with AdwCleaner to check for adware.
First download and save it: https://support.malwarebytes.com/hc/en-us/articles/360038520054-Download-and-install-Malwarebytes-AdwCleaner
Then do a scan with AdwCleaner: https://support.malwarebytes.com/hc/en-us/articles/360038520114-Malwarebytes-AdwCleaner-scan-and-clean
Attach the clean log.
blackhole5334 (Author, Posted May 12, 2021, ID:1456529)
I knew it. I had a feeling this would happen. That's why I asked you if I should just click uninstall. It released it. I got the "please wait while Windows configures Browser Assistant" message, and it took a few minutes, then AVG popped up saying "Threat Blocked: We've blocked pssEC0B.ps1 because it was infected with IDP.ALEXA.53". Right before that, I had already disconnected from the internet, because it was lagging on that uninstall window. I'm sending this from my phone. I quarantined with AVG.
blackhole5334 (Author, Posted May 12, 2021, ID:1456530)
There were 4 total. Sorry, I don't know how to edit a message here.
Maurice Naggar (Posted May 13, 2021, ID:1456588)
pssEC0B.ps1 sounds like a PowerShell script. AVG ought not to prevent the running of AdwCleaner. Also, the internet connection needs to be on. Please try again to get and run AdwCleaner.
blackhole5334 (Author, Posted May 13, 2021, ID:1456623)
No, you misunderstood. I hadn't tried to run AdwCleaner yet. I tried uninstalling "Browser Assistant", and it released the PowerShell trojan again. For reference, there were a total of 4 files, named pssxxxx.ps1, the x's being different for each file. I ran a deep scan with AVG, which came back clean. I also ran MB again, which also came back clean. And I ran AdwCleaner, which found 1 PUP. I attached the AdwCleaner logs.
Attachments: AdwCleaner[C00].txt, AdwCleaner[S00].txt
Maurice Naggar (Posted May 13, 2021, ID:1456678; edited May 13, 2021 by Maurice Naggar)
Hi. Thanks for the C clean report from AdwCleaner.
Use Option One or Two of this article to set Windows File Explorer to show all files: https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

As a next step, to check out your system a bit more, a scan with Sophos. Download the Sophos Free Virus Removal Tool and save it to your desktop. If your security alerts to this scan, either accept the alert or turn off your security to allow Sophos to run and complete. Please do not use your PC whilst the scan is in progress. This scan is very thorough, so it may take several hours.

1. Double-click the icon and select Run.
2. Click Next.
3. Select "I accept the terms in this license agreement", then click Next twice.
4. Click Install.
5. Click Finish to launch the program.
6. Once the virus database has been updated, click Start Scanning.
7. If any threats are found, click Details, then View log file (bottom left hand corner). Attach the results in your reply.
8. Close the Notepad document, close the Threat Details screen, then click Start cleanup.
9. Click Exit to close the program.

If no threats were found, please confirm that result.

The Virus Removal Tool scans the following areas of your computer: memory, including system memory on 32-bit (x86) versions of Windows; the Windows registry; all local hard drives, fixed and removable. Mapped network drives are not scanned.
Note: if threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.
Saved logs are found here: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs
Please be sure to attach that log. Cheers.
blackhole5334 (Author, Posted May 14, 2021, ID:1456845)
It came back clean.
Attachment: SophosVirusRemovalTool.log
Maurice Naggar (Posted May 14, 2021, ID:1456871)
Hi. That is good. You may go into Windows Settings > Programs & Features and uninstall Sophos. Tell me, how is it going today?
Maurice Naggar (Posted May 14, 2021, ID:1456904)
Here are tips on keeping your web browsers safer. Please make time to read all of this and apply the tips.

See this article on our Malwarebytes Blog: https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/
You want to disable the ability of each web browser on this machine to allow "push ads". That means Chrome, Firefox, or Edge (on Windows 10), or Opera. Scroll down to the tips section "How do I disable them".

If this PC has the Google Chrome browser, or the Brave browser, I suggest you install the Malwarebytes Browser Guard for Chrome. To get and install the Malwarebytes Browser Guard extension for Chrome, open this link in your Chrome browser: https://chrome.google.com/webstore/detail/malwarebytes/ihcjicgdanjaechkgeegckofjjedodee
Then proceed with the setup.

For the Windows Edge browser, use it to go to that same link above, and install Browser Guard onto it, too.

For Mozilla Firefox, to get and install the Malwarebytes Browser Guard Firefox extension, open this link in your Firefox browser: https://addons.mozilla.org/en-US/firefox/addon/malwarebytes/
Then proceed with the setup. That link is for English (US). There are other language versions. Just go to the very bottom right of the page and look at the "Change language" drop-down list.
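The per-browser clicks described in the linked article switch off notification prompts for one profile at a time; the same outcome can be pinned machine-wide by policy so that a later "Allow" click cannot re-enable it. The following PowerShell is an added example, not part of this thread and not Malwarebytes' guidance. It assumes an elevated Windows PowerShell 5.1 session, the documented Chrome and Edge policy value DefaultNotificationsSetting (1 = allow, 2 = block, 3 = ask, which is the default when the value is absent), the documented Firefox enterprise policy Permissions > Notifications, and a default Firefox install path; the weak state is reported before it is replaced.

```powershell
# Added example (not from the thread): enforce "block push-notification prompts" by policy.
# Assumes: elevated Windows PowerShell 5.1 on Windows 10; Chrome/Edge policy keys below;
# Firefox installed under $env:ProgramFiles\Mozilla Firefox (default path, an assumption).

$chromiumPolicies = @{
    'HKLM:\SOFTWARE\Policies\Google\Chrome'  = 'Google Chrome'
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge' = 'Microsoft Edge'
}

foreach ($key in $chromiumPolicies.Keys) {
    $name = $chromiumPolicies[$key]
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # Weak state: value absent or 3 ("ask"), which lets any site show the prompt that push-ad pages abuse.
    $before = (Get-ItemProperty -Path $key -Name DefaultNotificationsSetting -ErrorAction SilentlyContinue).DefaultNotificationsSetting
    $shown  = if ($null -eq $before) { 'not set (browser default = ask)' } else { $before }
    Write-Host ("{0}: DefaultNotificationsSetting before = {1}" -f $name, $shown)

    # Hardened state: 2 = block notifications for all sites, enforced by policy (not changeable in the UI).
    Set-ItemProperty -Path $key -Name DefaultNotificationsSetting -Value 2 -Type DWord
    Write-Host ("{0}: DefaultNotificationsSetting after  = 2 (block)" -f $name)
}

# Firefox reads enterprise policy from <install dir>\distribution\policies.json.
$firefoxDir = Join-Path $env:ProgramFiles 'Mozilla Firefox'
if (Test-Path (Join-Path $firefoxDir 'firefox.exe')) {
    $distDir    = Join-Path $firefoxDir 'distribution'
    $policyFile = Join-Path $distDir 'policies.json'

    # Merge into an existing policies.json rather than overwriting other policies.
    if (Test-Path $policyFile) {
        $policy = Get-Content -Path $policyFile -Raw | ConvertFrom-Json
        if (-not $policy.PSObject.Properties['policies']) {
            $policy | Add-Member -NotePropertyName policies -NotePropertyValue ([pscustomobject]@{})
        }
    } else {
        $policy = [pscustomobject]@{ policies = [pscustomobject]@{} }
    }
    if (-not $policy.policies.PSObject.Properties['Permissions']) {
        $policy.policies | Add-Member -NotePropertyName Permissions -NotePropertyValue ([pscustomobject]@{})
    }

    # BlockNewRequests: no site may ask for notification permission; Locked: users cannot undo it.
    $policy.policies.Permissions | Add-Member -Force -NotePropertyName Notifications -NotePropertyValue (
        [pscustomobject]@{ BlockNewRequests = $true; Locked = $true }
    )

    New-Item -ItemType Directory -Path $distDir -Force | Out-Null
    $policy | ConvertTo-Json -Depth 10 | Set-Content -Path $policyFile -Encoding UTF8
    Write-Host "Firefox: wrote Permissions.Notifications policy to $policyFile"
} else {
    Write-Host "Firefox: not found at $firefoxDir, skipped"
}
```

Browsers show the new state as "managed by your organization" in their settings pages, which is expected for a machine-level policy. Sites a user genuinely wants notifications from must then be added to the corresponding allow-list policy (NotificationsAllowedForUrls for Chrome and Edge, Permissions > Notifications > Allow for Firefox) rather than through the in-page prompt, which is the point of the lock.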
blackhole5334 (Author, Posted May 14, 2021, ID:1456918)
It's doing much better. I haven't got the cmd prompt at startup in a couple of days now. Thank you very much for all your help. I really appreciate what you guys and gals do here. Thank you.
Maurice Naggar (Posted May 14, 2021, ID:1456919; marked as Solution)
You are very welcome. I have a small custom script for this PC, with the main goal of running the Windows System File Checker tool to test for integrity, and also to remove 2 traces of the McAfee app.

Attachment: Fixlist.txt

The script Fixlist.txt needs to be saved to the same folder that contains FRST64.exe; you have yours saved in Downloads. The custom script on this post is ONLY for this machine and NO other.

Please be sure to close any open work files, documents, and any apps you started yourself before starting this. If there are any CD/DVD or USB flash/thumb or USB storage drives attached, please disconnect them. The system will be rebooted after the script has run.

1. Save the attached file named Fixlist.txt to the Downloads folder.
2. Start Windows Explorer and go to the Downloads folder.
3. Right-click on FRST64 and select Run as Administrator. If Windows prompts you about running this, select Yes to allow it to proceed. If you get a block message from Windows about this tool, click the line More info on that screen and click the button Run anyway on the next screen.
4. On the FRST window, click the Fix button just once, and wait. Please have lots and lots of patience when this starts. You will see a green progress bar start. This run should be fairly quick.
5. If you receive a message that a reboot is required, please make sure you allow it to restart normally. The tool will complete its run after the restart.
6. When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please attach the Fixlog.txt with your next reply, at your next opportunity.

Please know this will do a Windows restart. Just let it do its thing. Do let me know how things are overall, after all this.
blackhole5334 (Author, Posted May 14, 2021, ID:1456950)
Well, things are good, except for an unrelated HDD issue, which lags because it runs at 100% most times. But I'm almost sure that's because the computer has been dropped before. The popups and other lag issues caused by malware are gone. Here's the fixlog.
Attachment: Fixlog.txt
Maurice Naggar (Posted May 14, 2021, ID:1456978)
Thanks for the log. The results of the Windows System File Checker and Windows DISM tools are all fine. A good run, except for the 60 minutes it took to run. It should have been a lot less.

Make very sure to do a full backup of this system to offline local media, like a large portable USB backup drive. Do that real soon.

Is this a laptop/notebook? You noted it was dropped. Your remark about HDD suspicions is of potential concern. Be cautious if you have reason to suspect a problem on the HDD.

Review the scheduled tasks and all auto-started apps that load at Windows startup. I would suggest doing what we in the community call a "clean boot startup". The goal here is to find which apps you do not need to autostart. How to perform a clean boot in Windows: https://support.microsoft.com/en-us/help/929135/how-to-perform-a-clean-boot-in-windows

On a separate factor, please create a new System Restore point and then run the following. Open an elevated Admin Command Prompt and type in:
ECHO Y|CHKDSK C: /F
That will set a disk check to run on restart of the computer.
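The clean-boot review suggested here (scheduled tasks plus everything that auto-starts), and the earlier observation that uninstalling "Browser Assistant" dropped pss*.ps1 PowerShell scripts that AVG then blocked, can both be checked from one script before trusting the machine again. The following PowerShell is an added example, not part of this thread and not FRST or Malwarebytes code. It assumes an elevated Windows PowerShell 5.1 session on Windows 10; the artifact names (startmenufix.vbs under System32\oem, files matching pss*.ps1, an "Browser Assistant" entry in Apps & features) come from the thread, while the choice of %TEMP% as the folder to look for pss*.ps1 in, the list of script hosts, and the "suspicious command" heuristic are this example's own assumptions.

```powershell
# Added example (not from the thread): list autostart locations and scheduled tasks,
# flag entries that launch a script host or a script from a temp folder, and check
# for the specific artifacts named in this thread. Assumes elevated PowerShell 5.1.

# Script/LOLBin hosts worth a second look when they appear in an autostart command (assumption).
$scriptHosts  = 'powershell', 'pwsh', 'wscript', 'cscript', 'mshta', 'rundll32', 'regsvr32'
$hostPattern  = '(?i)\b(' + ($scriptHosts -join '|') + ')(\.exe)?\b'

function Get-AutostartEntry {
    # Run / RunOnce keys for the machine, 32-bit view, and the current user.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -in $metaProps) { continue }
            [pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }

    # Per-user and all-users Startup folders.
    foreach ($dir in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
        if (-not (Test-Path $dir)) { continue }
        Get-ChildItem -Path $dir -File -Force | ForEach-Object {
            [pscustomobject]@{ Source = $dir; Name = $_.Name; Command = $_.FullName }
        }
    }

    # Scheduled tasks: every Exec action becomes one row (Get-ScheduledTask ships with Windows 8+).
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }
            [pscustomobject]@{
                Source  = 'Task:' + $task.TaskPath + $task.TaskName
                Name    = $task.TaskName
                Command = ($action.Execute + ' ' + $action.Arguments).Trim()
            }
        }
    }
}

function Test-SuspiciousCommand {
    param([string]$Command)
    # Heuristic (assumption): a script host, an encoded PowerShell command line,
    # or a script file launched from a user-writable temp folder. Manual review still required.
    return ($Command -match $hostPattern) -or
           ($Command -match '(?i)-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}') -or
           ($Command -match '(?i)\\Temp\\[^"]*\.(ps1|vbs|js|bat|cmd)')
}

$entries = @(Get-AutostartEntry)
$flagged = @($entries | Where-Object { Test-SuspiciousCommand -Command $_.Command })

"All autostart entries ({0}):" -f $entries.Count
$entries | Format-Table -AutoSize -Wrap
"Entries invoking a script host, encoded command, or temp-folder script ({0}); review each:" -f $flagged.Count
$flagged | Format-Table -AutoSize -Wrap

# Artifacts named in the thread. %TEMP% for the pss*.ps1 files is an assumption.
$artifacts = @(
    (Join-Path $env:SystemRoot 'System32\oem\startmenufix.vbs'),
    (Join-Path $env:TEMP 'pss*.ps1')
)
foreach ($path in $artifacts) {
    $hits = @(Get-ChildItem -Path $path -Force -ErrorAction SilentlyContinue)
    if ($hits.Count) { "FOUND: " + ($hits.FullName -join ', ') } else { "absent: $path" }
}

# Is "Browser Assistant" still registered as an installed program?
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
$leftover = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -like '*Browser Assistant*' } |
            Select-Object DisplayName, InstallLocation, UninstallString
if ($leftover) { "Browser Assistant still registered:"; $leftover | Format-List } else { "Browser Assistant: no uninstall entry found" }
```

The flagged list is a starting point for the clean-boot pass, not a verdict: legitimate vendor updaters also use scheduled tasks and occasionally PowerShell, so each flagged command should be traced to a signed binary in a known install folder before it is disabled. The UninstallString of a leftover "Browser Assistant" entry is also the thing to inspect rather than run again, given that running the uninstaller is what dropped the pss*.ps1 scripts earlier in this thread.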