Malwarebytes Premium allowed 2 Trojans on to my PC twice recently!



I found and "removed" these trojans by doing a full scan with MSERT.

I have come on here because I am alarmed that Malwarebytes didn't find or notice these trojans and apparently are not aware of them.

The trojans are:- Trojan:XML/Phish!MSR and Trojan:XML/Phish.J!eml

This is not my area of excellence but as I have done a full fresh reinstall of Win10 between the two infections I have some suspicions as to where they came from. The prime contender is my fresh reinstallation of the game World of Tanks. Normally when updating WoT Malwarebytes interjects several times saying it has blocked this or that trojan but not during this latest full installation or during the last update before I reinstalled Windows. The other possible contenders are perhaps one of my browser AddOns or the site that Ghostery directed me to, to try out their new beta secure browser. That link took me to a page with a dodgy address which one of my new AddOns blocked/redirected me from.

 

Can you please help me with this as I don't want to have to replace Malwarebytes as my antivirus/antimalware program and I really don't want to reinstall Windows and everything else again. Also, if they came from World of Tanks - this needs to be flagged up to the gaming community at least.

My PC is supposedly clean at the moment but if Malwarebytes isn't aware of these trojans - it cannot defend me from them!

 


  • Root Admin

Hello @1001

Can you please attach the Microsoft Safety Scanner log so that we can review it?

The log is named MSERT.log

The log will be at %SYSTEMROOT%\debug\msert.log, which in most cases is

C:\Windows\debug\msert.log

 

Then we'd also like to get logs from Malwarebytes to review.

To begin, please do the following so that we may take a closer look at your installation for troubleshooting:

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to your desktop, please upload that file on your next reply

Thank you

 


From your screenshot, the infections seem to be a phishing email. Malwarebytes does not scan email.

I have moved your post so a malware removal expert can assist you to be sure you are fully clean.

If you have not already, please change the following setting to off in Malwarebytes so that Windows Defender is active as well.

 


Thank you Porthos for that setting. I had wondered about Malwarebytes taking over my antivirus protection from Defender. Did Malwarebytes deliberately take over from Defender or has something dodgy caused that? By the way - MSERT also found and removed this:- VirTool:Win32/DefenderTamperingRestore (temporarily only as it keeps coming back) saying that it is malware. I wonder if this has been generated by Malwarebytes taking over from Defender.

I am not so sure I received the trojans via email. I am pretty careful about that. The only emails I have opened in the last few days are from seemingly reputable companies. 

Is it possible that they didn't get into my PC via email?


@1001

These are not trojans that "infect".  Let's look at what you found and let's break it down.

Quote:

The trojans are:- Trojan:XML/Phish!MSR and Trojan:XML/Phish.J!eml

  • It is a Phish. This is not an executable that infects a PC with malware. It is a Social Engineering exercise to get you, the victim, to provide credentials to some kind of account like a bank account or an email account.
  • The !eml suffix indicates this to be an email. The .J indicates a variant where there are at least A ~ J variations of the type of Phishing content.
  • The XML prefix indicates it is structured text.

So what you have indicated is Windows Defender found email that basically contained a Phish.  Malwarebytes' software does not target email content unless that email contains a malicious executable attachment.
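As an added example (not code from this thread, from Malwarebytes or from Microsoft), here is a small Python parser that splits a Defender detection name into the Type:Platform/Family.Variant!suffix fields walked through above; the field layout is an assumption drawn from the three names quoted in this thread, and the sequential A, B, C... reading of variant letters is likewise assumed.

```python
"""Split a Microsoft Defender detection name into the fields the post above walks
through: Type:Platform/Family[.Variant][!tag]. Added example, not the forum's code."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed layout, matching the three names quoted in this thread:
#   Trojan:XML/Phish!MSR, Trojan:XML/Phish.J!eml, VirTool:Win32/DefenderTamperingRestore
_NAME_RE = re.compile(
    r"^(?P<type>[A-Za-z]+):"            # threat type: Trojan, VirTool, ...
    r"(?P<platform>[A-Za-z0-9_]+)/"     # platform or content type: XML, Win32, ...
    r"(?P<family>[A-Za-z0-9_-]+)"       # family: Phish, DefenderTamperingRestore, ...
    r"(?:\.(?P<variant>[A-Z]+))?"       # optional variant letters: .J
    r"(?P<tags>(?:![A-Za-z0-9_]+)*)$"   # zero or more !tags: !MSR, !eml
)


@dataclass(frozen=True)
class DetectionName:
    type: str
    platform: str
    family: str
    variant: Optional[str]
    tags: Tuple[str, ...]


def parse_detection_name(name: str) -> DetectionName:
    m = _NAME_RE.match(name.strip())
    if m is None:
        raise ValueError(f"not a Type:Platform/Family[.Variant][!tag] name: {name!r}")
    tags = tuple(t for t in m.group("tags").split("!") if t)
    return DetectionName(m.group("type"), m.group("platform"), m.group("family"),
                         m.group("variant"), tags)


def variant_ordinal(variant: str) -> int:
    """A=1 ... Z=26, AA=27 ... Assumes sequential lettering, which is how the post
    reads '.J' as implying at least variants A through J (ten of them)."""
    n = 0
    for ch in variant:
        n = n * 26 + (ord(ch) - ord("A") + 1)
    return n


def describe(name: str) -> str:
    """One-line reading of a name in the terms used in the post above."""
    d = parse_detection_name(name)
    parts = [f"{d.type} detection", f"platform/content type {d.platform}", f"family {d.family}"]
    if d.variant:
        parts.append(f"variant {d.variant} (implies at least {variant_ordinal(d.variant)} lettered variants)")
    if "eml" in d.tags:
        parts.append("found in an email message (!eml)")
    if d.family == "Phish":
        parts.append("phishing content, not an executable")
    return "; ".join(parts)
```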


56 minutes ago, AdvancedSetup said:

Hello @1001

Can you please attach the Microsoft Safety Scanner log so that we can review it?

Then we'd also like to get logs from Malwarebytes to review.

To begin, please do the following so that we may take a closer look at your installation for troubleshooting:

Thank you

Hello Advanced Setup,

I couldn't find the log for MSERT (screenshot attached).

I've run Malwarebytes Support Tool (zip file attached).

While reading the replies on this thread I did a scan with Defender and it pointed out an issue which I didn't rectify until the MST had finished (screenshot attached).

 

 


38 minutes ago, David H. Lipman said:
  • It is a Phish.  This is not an executable that infects a PC with malware.  It is a Social Engineering exercise to get you, the victim, to provide credentials to some kind of account like a bank account or and email account.
  • The !eml suffix indicates this to be an email.  The .J indicates a variant where there are at least A ~ J variations of the type of Phishing content.
  • The XML prefix indicates it is a structured text.

So what you have indicated is Windows Defender found email that basically contained a Phish.  Malwarebytes' software does not target email content unless that email contains a malicious executable attachment.

Thanks David

Good info to know. :)


  • Root Admin

ATTENTION: System Restore is disabled (Total:111.24 GB) (Free:73.35 GB) (66%)

Please enable System Protection and create a new System Restore Point

 

Please run the following steps and post back the logs as an attachment when ready.
Temporarily disable your antivirus or other security software first. Make sure to turn it back on once the scans are completed.
Temporarily disable Microsoft SmartScreen to download software below if needed. Make sure to turn it back on once the scans are completed.
If you still have trouble downloading the software please click on Reveal Hidden Contents below for examples of how to allow the download.

 

When downloading with some browsers you may see a different style of screens that may block FRST from downloading. The program is safe and used hundreds of times a week by many users.

Example of Microsoft Edge blocking the download (screenshots not reproduced).
STEP 01

  • If you already have Malwarebytes installed then open Malwarebytes and click on the Scan button. It will automatically check for updates and run a Threat Scan.
  • If you don't have Malwarebytes installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and select Scan and let it run.
  • Once the scan is completed make sure you have it quarantine any detections it finds.
  • If no detections were found click on the Save results drop-down, then the Export to TXT button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If there were detections then once the quarantine has completed click on the View report button, then click the Export drop-down, then the Export to TXT button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If the computer restarted to quarantine you can access the logs from the Detection History, then the History tab. Highlight the most recent scan and double-click to open it. Then click the Export drop-down, then the Export to TXT button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know in your next reply that the scanner would not run.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Double-click to run the program
  • Accept the End User License Agreement.
  • Wait until the database is updated.
  • Click Scan Now.
  • When finished, if items are found please click Quarantine.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Attach or Copy its content into your next reply.

RESTART THE COMPUTER Before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here each time.
  • Please attach the Addition.txt log to your reply as well.
  • On your next reply, you should be attaching FRST.txt and Addition.txt to your post, every time.

 

Thanks


Hi AdvancedSetup,

while reading your last post I did a full scan with Defender and it has found the attached trojan. I haven't taken any action yet.

I have had a long day and my eyes are tired and my brain fuzzy - would you care to share my screen and take over as I can see this might get protracted.

 


Sorry AdvancedSetup, Defender was running while I did the MB scan that I have posted the report from.

Shall I do it again? Would you like to see other reports before I made the change that Porthos suggested?


  • Root Admin

Go ahead and get some rest and we can pick back up this over the weekend or on Monday if you like.

You can also run another 3rd party antivirus scan and see if they detect anything or not.

But, run the other programs and post back all the logs this weekend.

 

Let me have you run a different scanner to double-check. I don't expect it to find anything, but no harm in checking.

I would suggest a free scan with the ESET Online Scanner

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe"
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started.
  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes
  • When prompted for scan type, click on Full scan
  • Look at & tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.
  • Have patience. The entire process may take an hour or more. There is an initial update download.
  • There is a progress window display.
  • You should ignore all prompts to get the ESET antivirus software program (e.g. their standard program). You do not need to buy or get or install anything else.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked “View detected results”.
  • Click the blue “Save scan log” to save the log.
  • If something was removed and you know it is a false finding, you may click on the blue “Restore cleaned files” (in blue, at the bottom).
  • Press Continue when all done. You should click to off the offer for “periodic scanning”.

 

Note: If you do need to do a File Restore from ESET please follow the directions below

[KB2915] Restore files quarantined by the ESET Online Scanner version 3

https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner

 

Thanks

 


Hi again AdvancedSetup,

I hate to say it but I couldn't work out how to turn off either Defender or Malwarebytes but ran the scans anyway. (I already posted the MB scan log above, the others are attached)

I should also admit that I don't know how to enable System Protection and create a new System Restore Point either. I can build a PC though ;)

 

I didn't restore the file that ESET found. Not sure if I should. I have only just signed up to Surfshark VPN so I am a total noob regarding their settings etc.

 

Thanks


  • Root Admin

This is the file that Windows Defender did not like

C:\Users\admin\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\Files\S0\6\Attachments\Amazon-Service-Center[1352].docx

Are you still having an alert or issue from Windows Defender anymore now?

Here is an article on how to turn on System Protection

https://www.tenforums.com/tutorials/4533-turn-off-system-protection-drives-windows-10-a.html

Let me know if there are still any issues

 


On 5/15/2021 at 2:35 AM, AdvancedSetup said:

This is the file that Windows Defender did not like

C:\Users\admin\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\Files\S0\6\Attachments\Amazon-Service-Center[1352].docx

Are you still having an alert or issue from Windows Defender anymore now?

Here is an article on how to turn on System Protection

https://www.tenforums.com/tutorials/4533-turn-off-system-protection-drives-windows-10-a.html

Let me know if there are still any issues

Hi AdvancedSetup,

I hope you had a good weekend.

Does the "tenforums" web address mean anything to you? (I don't recognise it or know anything about it)

My ISP (BT) have just emailed me to tell me that my "Web Protect" (a security service they provide) has been turned off by me. Now, I haven't turned it off but I have signed up to Surfshark VPN a few days ago so perhaps Surfshark's settings/software has inadvertently turned off the Web Protect. Either that or someone else has turned it off.

 

Have you any clue about the above?

 

Thanks


  • Root Admin

The Tenforums site I linked to shows you how to enable System Protection

As for your ISP I'd need to know more specifically the exact name of the product, service, etc that they're talking about. Using VPN can and does bypass your immediate connection to your ISP so that may be what they're talking about.
 


In my last post I quoted the wrong thing. I meant to quote the line from your later post starting with "C:/Users/admin... etc". Do I need to take action on that?

I haven't restored the "cleaned" file found and quarantined by ESET, should I? Is it now safe?

It might be a good idea to re-enable BT's Web Protect, so yes I would be interested in that if it's not too much bother for you. I guess I will have to then enable it at my BT account end too.

 

Thanks

 


  • Root Admin

Windows Defender should have taken care of that file for you already.

Let's go ahead though and have you run the Microsoft Safety Scanner and see what it finds and we'll go from there.

 

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system.

The download links & how to run the tool are at this link at Microsoft

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

Please let me know the results of this scan.

The log is named MSERT.log

The log will be at %SYSTEMROOT%\debug\msert.log, which in most cases is

C:\Windows\debug\msert.log

Please attach that log with your next reply.

 

 


1 hour ago, AdvancedSetup said:

Windows Defender should have taken care of that file for you already.

Let's go ahead though and have you run the Microsoft Safety Scanner and see what it finds and we'll go from there.

 

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system.

The download links & how to run the tool are at this link at Microsoft

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

Please let me know the results of this scan.

The log is named MSERT.log

The log will be at %SYSTEMROOT%\debug\msert.log, which in most cases is

C:\Windows\debug\msert.log

Please attach that log with your next reply.

Just ran a Full MSERT scan. Report attached.


  • Root Admin

Okay, please click on Search and type in PowerShell and when it shows, right-click and choose "Run as administrator" then copy/paste the following and post back the results

Get-MpThreatDetection

Then this one

Get-MpComputerStatus

Then this one

Get-MpPreference

Thanks

 


ActionSuccess                  : True
AdditionalActionsBitMask       : 0
AMProductVersion               : 4.18.2104.14
CleaningActionID               : 3
CurrentThreatExecutionStatusID : 0
DetectionID                    : {9BB3E85F-EEF8-4F1A-A21B-8347CB3E03CD}
DetectionSourceTypeID          : 1
DomainUser                     : THUG\admin
InitialDetectionTime           : 14/05/2021 23:20:46
LastThreatStatusChangeTime     : 14/05/2021 23:38:44
ProcessName                    : Unknown
RemediationTime                : 14/05/2021 23:38:44
Resources                      : {file:_C:\Users\admin\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\Files\S0\6\Attachments\Amazon-
                                 Service-Center[1352].docx}
ThreatID                       : 2147772962
ThreatStatusErrorCode          : 0
ThreatStatusID                 : 4
PSComputerName                 : 


PS C:\Windows\system32> Get-MpPreference


AllowDatagramProcessingOnWinServer            : False
AllowNetworkProtectionDownLevel               : False
AllowNetworkProtectionOnWinServer             : False
AttackSurfaceReductionOnlyExclusions          : 
AttackSurfaceReductionRules_Actions           : 
AttackSurfaceReductionRules_Ids               : 
CheckForSignaturesBeforeRunningScan           : False
CloudBlockLevel                               : 1
CloudExtendedTimeout                          : 1
ComputerID                                    : 43F9FFB8-42BC-41E5-BC38-3A9346106F8A
ControlledFolderAccessAllowedApplications     : 
ControlledFolderAccessProtectedFolders        : 
DisableArchiveScanning                        : False
DisableAutoExclusions                         : False
DisableBehaviorMonitoring                     : False
DisableBlockAtFirstSeen                       : False
DisableCatchupFullScan                        : True
DisableCatchupQuickScan                       : True
DisableCpuThrottleOnIdleScans                 : True
DisableDatagramProcessing                     : False
DisableDnsOverTcpParsing                      : True
DisableDnsParsing                             : False
DisableEmailScanning                          : True
DisableGradualRelease                         : False
DisableHttpParsing                            : False
DisableInboundConnectionFiltering             : True
DisableIntrusionPreventionSystem              : 
DisableIOAVProtection                         : False
DisablePrivacyMode                            : False
DisableRdpParsing                             : True
DisableRealtimeMonitoring                     : False
DisableRemovableDriveScanning                 : True
DisableRestorePoint                           : True
DisableScanningMappedNetworkDrivesForFullScan : True
DisableScanningNetworkFiles                   : False
DisableScriptScanning                         : False
DisableSshParsing                             : True
DisableTlsParsing                             : False
EnableControlledFolderAccess                  : 0
EnableDnsSinkhole                             : False
EnableFileHashComputation                     : False
EnableFullScanOnBatteryPower                  : False
EnableLowCpuPriority                          : False
EnableNetworkProtection                       : 0
EngineUpdatesChannel                          : 0
ExclusionExtension                            : 
ExclusionIpAddress                            : 
ExclusionPath                                 : 
ExclusionProcess                              : 
ForceUseProxyOnly                             : False
HighThreatDefaultAction                       : 0
LowThreatDefaultAction                        : 0
MAPSReporting                                 : 2
MeteredConnectionUpdates                      : False
ModerateThreatDefaultAction                   : 0
PlatformUpdatesChannel                        : 0
ProxyBypass                                   : 
ProxyPacUrl                                   : 
ProxyServer                                   : 
PUAProtection                                 : 1
QuarantinePurgeItemsAfterDelay                : 90
RandomizeScheduleTaskTimes                    : True
RealTimeScanDirection                         : 0
RemediationScheduleDay                        : 0
RemediationScheduleTime                       : 02:00:00
ReportingAdditionalActionTimeOut              : 10080
ReportingCriticalFailureTimeOut               : 10080
ReportingNonCriticalTimeOut                   : 1440
ScanAvgCPULoadFactor                          : 50
ScanOnlyIfIdleEnabled                         : True
ScanParameters                                : 1
ScanPurgeItemsAfterDelay                      : 15
ScanScheduleDay                               : 0
ScanScheduleQuickScanTime                     : 00:00:00
ScanScheduleTime                              : 02:00:00
SchedulerRandomizationTime                    : 4
SevereThreatDefaultAction                     : 0
SharedSignaturesPath                          : 
SignatureAuGracePeriod                        : 0
SignatureBlobFileSharesSources                : 
SignatureBlobUpdateInterval                   : 60
SignatureDefinitionUpdateFileSharesSources    : 
SignatureDisableUpdateOnStartupWithoutEngine  : False
SignatureFallbackOrder                        : MicrosoftUpdateServer|MMPC
SignatureFirstAuGracePeriod                   : 120
SignatureScheduleDay                          : 8
SignatureScheduleTime                         : 01:45:00
SignaturesUpdatesChannel                      : 0
SignatureUpdateCatchupInterval                : 1
SignatureUpdateInterval                       : 0
SubmitSamplesConsent                          : 1
ThreatIDDefaultAction_Actions                 : 
ThreatIDDefaultAction_Ids                     : 
UILockdown                                    : False
UnknownThreatDefaultAction                    : 0
PSComputerName                                : 


PS C:\Windows\system32> Get-MpComputerStatus


AMEngineVersion                 : 1.1.18100.6
AMProductVersion                : 4.18.2104.14
AMRunningMode                   : Normal
AMServiceEnabled                : True
AMServiceVersion                : 4.18.2104.14
AntispywareEnabled              : True
AntispywareSignatureAge         : 0
AntispywareSignatureLastUpdated : 17/05/2021 13:09:40
AntispywareSignatureVersion     : 1.339.904.0
AntivirusEnabled                : True
AntivirusSignatureAge           : 0
AntivirusSignatureLastUpdated   : 17/05/2021 13:09:39
AntivirusSignatureVersion       : 1.339.904.0
BehaviorMonitorEnabled          : True
ComputerID                      : 43F9FFB8-42BC-41E5-BC38-3A9346106F8A
ComputerState                   : 0
FullScanAge                     : 1
FullScanEndTime                 : 16/05/2021 18:13:50
FullScanStartTime               : 16/05/2021 17:55:16
IoavProtectionEnabled           : True
IsTamperProtected               : True
IsVirtualMachine                : False
LastFullScanSource              : 1
LastQuickScanSource             : 1
NISEnabled                      : True
NISEngineVersion                : 1.1.18100.6
NISSignatureAge                 : 0
NISSignatureLastUpdated         : 17/05/2021 13:09:39
NISSignatureVersion             : 1.339.904.0
OnAccessProtectionEnabled       : True
QuickScanAge                    : 1
QuickScanEndTime                : 16/05/2021 08:57:46
QuickScanStartTime              : 16/05/2021 08:57:24
RealTimeProtectionEnabled       : True
RealTimeScanDirection           : 0
TamperProtectionSource          : Signatures
PSComputerName                  : 
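Added example, not code from this thread or from Microsoft: a Python parser for the "Name : Value" listings that Get-MpThreatDetection, Get-MpPreference and Get-MpComputerStatus printed above, which also handles the value PowerShell wrapped onto an indented continuation line, plus two checks a helper would run on the result. The required-field list and the trimmed sample outputs are constructed for the example.

```python
"""Parse the 'Name : Value' listing that Get-MpThreatDetection, Get-MpPreference and
Get-MpComputerStatus print, including values PowerShell wrapped onto an indented
continuation line. Added example, not the forum's or Microsoft's code."""
import re
from typing import Dict, List, Optional, Union

Value = Union[bool, int, str, None]
# A property line starts at column 0: name, padding, ':', one optional space, value.
_PROP_RE = re.compile(r"^([A-Za-z][A-Za-z0-9_]*)\s*: ?(.*)$")

def _coerce(raw: str) -> Value:
    raw = raw.strip()
    if raw == "":
        return None
    if raw in ("True", "False"):
        return raw == "True"
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    return raw  # GUIDs, paths, dates (14/05/2021 23:20:46) and times (02:00:00) stay strings

def parse_format_list(text: str) -> Dict[str, Value]:
    props: Dict[str, str] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():
            # Indented line = continuation of the previous value. PowerShell wraps
            # mid-token ('Amazon-' / 'Service-Center' above), so join with no separator.
            if current is not None:
                props[current] += line.strip()
            continue
        m = _PROP_RE.match(line)
        if m is None:
            current = None  # a prompt such as 'PS C:\Windows\system32> Get-MpPreference'
            continue
        current = m.group(1)
        props[current] = m.group(2)
    return {k: _coerce(v) for k, v in props.items()}

def disabled_features(pref: Dict[str, Value]) -> List[str]:
    """Get-MpPreference Disable* switches that are currently True."""
    return sorted(k for k, v in pref.items() if k.startswith("Disable") and v is True)

# Constructed list: the Get-MpComputerStatus fields a helper would expect to be True.
REQUIRED_TRUE = ("AntivirusEnabled", "RealTimeProtectionEnabled", "BehaviorMonitorEnabled",
                 "IoavProtectionEnabled", "OnAccessProtectionEnabled", "IsTamperProtected")

def status_problems(status: Dict[str, Value], max_signature_age_days: int = 1) -> List[str]:
    """Fields that are not True, plus a stale AntivirusSignatureAge."""
    problems = [f"{k} is {status.get(k)!r}" for k in REQUIRED_TRUE if status.get(k) is not True]
    age = status.get("AntivirusSignatureAge")
    if not isinstance(age, int) or age > max_signature_age_days:
        problems.append(f"AntivirusSignatureAge is {age!r}")
    return problems

# Constructed excerpts of the outputs posted in this thread.
SAMPLE_DETECTION = r"""
ActionSuccess                  : True
Resources                      : {file:_C:\Users\admin\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\Files\S0\6\Attachments\Amazon-
                                 Service-Center[1352].docx}
ThreatID                       : 2147772962
PSComputerName                 :
"""
SAMPLE_PREFERENCE = r"""
PS C:\Windows\system32> Get-MpPreference
DisableEmailScanning                          : True
DisableRealtimeMonitoring                     : False
DisableRestorePoint                           : True
ExclusionPath                                 :
RemediationScheduleTime                       : 02:00:00
"""
SAMPLE_STATUS = r"""
AntivirusEnabled                : True
AntivirusSignatureAge           : 0
BehaviorMonitorEnabled          : True
IoavProtectionEnabled           : True
IsTamperProtected               : True
OnAccessProtectionEnabled       : True
RealTimeProtectionEnabled       : True
"""
```

On a live machine, feed the parser the text of each cmdlet's output (for example saved with `Get-MpPreference | Out-File`) instead of the constructed samples.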
 
