
Malware keeps appearing when I connect back to the internet


Solved by Maurice Naggar


Hello

My name is Maurice.

Much patience is needed throughout all of this. There often is not a single quick one-step solution.

I will need some reports as well.

 

Please download MBST and SAVE it first.

Once you start it, click Advanced > Gather Logs.

Once it is done, attach the mbst-grab-results.zip from the Desktop.

Sincerely.


Hello. Thanks for the report.

It seems to me that the latest scan with Malwarebytes reported no items as tagged.

Let's have you do a new run.

In Malwarebytes for Windows program, we want to do a special scan.

 

Click Settings ( gear icon) at the top right of Malwarebytes window. We want to see the SETTINGS window.

 

Then click the Security tab.   

 

Scroll down and let's be sure the line in Scan Options for "Scan for rootkits" is ON 👈

 

Click it to get it ON if it does not show a blue color.

Next, click the small x on the Settings line to go to the main Malwarebytes Window.

 

Next click the blue button marked Scan.

 

When the scan phase is done, be really sure you review and have all detected line items check-marked on the left. That too is very critical.

 

You can actually click (tick) the topmost left check-box on the very top line to get ALL lines ticked (all selected). 👈

Then click on Quarantine selected.

 

Then locate the scan run report, export a copy, and attach it to your reply.

See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

 

We will do more, later. 


Regret to read of the trouble.

I sense your frustration.

Hang on, stay the course.

That scan that listed Bootkit.Pitou was done on Scan Date: 5/27/21, Scan Time: 9:16 PM.

Note that it needed a Reboot in order to do the cleanup action.

Be sure to have done one Restart.

Next, get and run the Malwarebytes MBAR anti-rootkit tool and do one run with it.

Disregard the title subject of the topic.

Run the MBAR tool as listed here

https://forums.malwarebytes.com/topic/198907-requested-resource-is-in-use-error-unable-to-start-malwarebytes

 

When done, I need the MBAR logs.

 

Upon completion of the scan or after the reboot, two files named mbar-log.txt and system-log.txt will be created.

 

Both files can be found in the extracted MBAR folder on your Desktop.

 

Please attach both files in your next reply.

Thank you


Hi Maurice,

I ran the tool as advised and it said there was no requirement for a cleanup. Unfortunately I still keep getting pings of malware when I connect to the internet.
I would like to point out that none of my personal files are encrypted and I have only been left with ransom notes in BIOS, $WinREAgent, OneDrive Temp and Reimage folders in my Windows C. Besides that, my PC is responding slower than before.

Regards,

T

Attachments: mbar-log-2021-05-28 (10-56-48).txt, system-log.txt


You had mentioned "PUP" at the beginning. Are those gone? If not, is there any sort of description?

 

You mentioned "ransom notes". Have you spotted any filenames?

In the folders you mentioned, are there any Readme or _Readme?

 

Stick with me. I will guide you. Ransom note files can be removed.

If the ransom notes show in the frame of a web browser, let me know which one.

Here are the next things to do.

( 1 )

Let's get Windows to SHOW ALL files & folders.

Apply Option One or Two of this guide:

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

( 2 )

Download Sophos Free Virus Removal Tool and save it to your desktop.

 

If your security software alerts on this scan, either accept the alert or turn off your security to allow Sophos to run and complete.

 

Please do not use your PC whilst the scan is in progress. This scan is very thorough, so it may take several hours.

  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)

 

Copy and paste the results in your reply.

 

Close the Notepad document, close the Threat Details screen, then click Start cleanup

 

Click Exit to close the program

 

If no threats were found, please confirm that result.

 

The Virus Removal Tool scans the following areas of your computer:

 

  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable
  • Mapped network drives are not scanned.
  • Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

 

Saved logs are found here: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs 

We will do more later to hunt for and remove remaining malware.

Edited by Maurice Naggar
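The post above asks whether any Readme or _Readme files sit in the folders the poster named. As an added example (not part of this thread and not one of the tools it recommends), the PowerShell below inventories candidate `_readme` note files so their paths and hashes can be reported before anything is removed; it reads only the first line of each file and never opens a note in a browser. The default search root, the name pattern and the report path are assumptions. Run it from an elevated PowerShell prompt; `-Force` makes hidden and system items visible, which mirrors the "show all files & folders" step.

```powershell
# Added example, not from the thread. Inventories candidate ransom-note files
# without deleting them, so the list can be attached to a reply first.
function Find-RansomNotes {
    param(
        # Folders to search. Assumption: the whole system drive; narrow this to the
        # folders named in the thread (e.g. "$env:SystemDrive\`$WinREAgent") to run faster.
        [string[]]$Roots = @("$env:SystemDrive\"),
        # Name pattern for candidate notes. STOP-variant notes are usually named _readme.txt,
        # which matches the "_readme" files asked about in the post.
        [string[]]$NamePatterns = @('_readme*'),
        # Where the CSV inventory is written (assumption).
        [string]$ReportPath = "$env:USERPROFILE\Desktop\ransom-note-inventory.csv"
    )

    $hits = foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($pattern in $NamePatterns) {
            # -Force includes hidden/system files; access errors on protected folders are skipped.
            Get-ChildItem -LiteralPath $root -Filter $pattern -File -Recurse -Force -ErrorAction SilentlyContinue
        }
    }

    $report = $hits | Sort-Object -Property FullName -Unique | ForEach-Object {
        [pscustomobject]@{
            Path      = $_.FullName
            Bytes     = $_.Length
            LastWrite = $_.LastWriteTime
            SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            # Only the first line is read: enough to confirm it is a note without rendering it.
            FirstLine = (Get-Content -LiteralPath $_.FullName -TotalCount 1 -ErrorAction SilentlyContinue)
        }
    }

    if ($report) {
        $report | Export-Csv -LiteralPath $ReportPath -NoTypeInformation
        # Identical hashes mean the same note was dropped into several folders, which points
        # to one infection writing copies rather than several separate ones.
        $report | Group-Object -Property SHA256 |
            Select-Object Count, Name, @{ n = 'Paths'; e = { $_.Group.Path -join '; ' } } |
            Format-Table -AutoSize
    } else {
        Write-Output "No files matching $($NamePatterns -join ', ') were found under the listed folders."
    }
    return $report
}

Find-RansomNotes
```

The CSV it writes is the kind of list a helper can act on: once a Fixlist or one of the scanners above has quarantined the notes, re-running the function should return nothing.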

Hi Maurice,
I do have some news. A breath of relief for now. From the time of my reply to now I was on the hunt for the root cause of the malware re-appearing.

I went on to Task Manager and I found an unknown application running in the background, 5Kplayer or something (it didn't turn up in my Control Panel, btw). I clicked on it to take me to its location, in the Windows folder under PublicGaming, and there was hiding a prun.exe. Once I deleted it (though I was worried if it was important), all the malware stopped entering once I connected to the internet and it has been a few hours since I have gotten any. I ran scans on the said folder and exe prior to deleting, but nothing turned up; it said it was safe.

I also did run a scan using Microsoft Safety Scanner. It told me 31 files were infected and showed a Hacktool.AutoKms.

Now I'm not sure if my system is completely clean or not. I'm still paranoid to attach any USBs or devices.

I'm still going to run the scans you have mentioned to see if something more turns up.
Regards,

T

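The poster found the cause by spotting an unfamiliar process in Task Manager and following it to its image file under a Windows sub-folder. As an added example (not from the thread), the PowerShell below does that triage systematically: it lists running processes whose executable lives outside the usual program directories or lacks a valid Authenticode signature, records the file hash, and lists the Run-key autostart entries, which is one place a program that starts on its own can be registered. The "trusted" directory list is an assumption to extend per machine; run it elevated so the paths of system processes are readable. The output is meant to be attached to a reply and handled by the scanners above, not to decide deletions by itself.

```powershell
# Added example, not from the thread. Flags running processes that are either
# outside the usual program directories or not validly signed, and lists the
# per-machine and per-user Run keys.
function Get-SuspiciousProcesses {
    param(
        # Directories treated as expected homes for executables (assumption; extend as needed).
        [string[]]$TrustedRoots = @(
            "$env:SystemRoot\System32",
            "$env:SystemRoot\SysWOW64",
            $env:ProgramFiles,
            ${env:ProgramFiles(x86)},
            "$env:ProgramData\Microsoft"
        )
    )
    # Processes whose image path cannot be read (protected system processes when not elevated) are skipped.
    Get-Process | Where-Object { $_.Path } | ForEach-Object {
        $path = $_.Path
        $inTrusted = $false
        foreach ($root in $TrustedRoots) {
            if ($root -and $path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
                $inTrusted = $true
                break
            }
        }
        $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Name               = $_.ProcessName
            Id                 = $_.Id
            Path               = $path
            Signature          = if ($sig) { $sig.Status.ToString() } else { 'Unknown' }
            Signer             = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            SHA256             = (Get-FileHash -LiteralPath $path -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            OutsideTrustedDirs = -not $inTrusted
        }
    } | Where-Object { $_.OutsideTrustedDirs -or $_.Signature -ne 'Valid' }
}

function Get-RunKeyEntries {
    # Autostart locations checked; an unfamiliar command here explains a process that keeps returning.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Properties the registry provider adds to every item; they are not autostart entries.
    $providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
    foreach ($key in $keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            if ($providerProps -contains $p.Name) { continue }
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

Get-SuspiciousProcesses | Format-Table -AutoSize
Get-RunKeyEntries | Format-Table -AutoSize
```

A legitimately installed program can show up here too (some vendors ship unsigned helpers under ProgramData or the user profile), so an entry is a lead to report with its hash and path, not a verdict; the thread's own tools are the ones that should quarantine a file so it can be restored if the finding turns out to be false.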

Please do run the Sophos tool.

Next, here is what I will need from your machine, so that I can do a fuller review and guide you.

( 1 )

Do Option One or Option Two of this article so that Windows is set to SHOW all folders & files:

 

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

( 2 )

Please download the Farbar Recovery Scan Tool 64-bit and save it to your desktop.

Close your other open windows so that you have a clear view all around.

  • Right-click on FRST64.exe and select Run as Administrator to start the tool, and reply YES to allow it to proceed and run.

 

  • Windows 10 users may be prompted about Windows *SmartScreen protection* - click the More info line on that screen and click the Run anyway button on the next screen.

Click YES when prompted by the Windows UAC prompt to allow it to run.

  • Note: If you are prompted by Windows SmartScreen, click More info, follow up, and choose Run anyway.

Approve the Windows UAC prompt on Windows Vista and newer operating systems by clicking on Continue or Yes.

 

  • Click Yes when the *disclaimer* appears in FRST.

The tool may want to update itself - in that case you'll be prompted when the update is completed and ready to use.

 

  • Make sure that Addition options is *checked* - the configuration should look exactly like on the screen below (do not mark additional things unless asked).
  • Press Scan button and wait.

 

The tool will produce 2 logfiles on your desktop: FRST.txt and Addition.txt.

Click the OK button when it shows up. Close the Notepad windows when they show on screen. The tool saves the files.

 

Please attach these 2 files to your next reply.

Thank you.


Thank you.

I have a custom script for this machine. Its main purpose is to remove several suspicious elements & to run the Windows System File Checker.

 

The script Fixlist.txt needs to be saved to the same folder that contains FRST64.exe; you have yours saved in F:\Softwares.

 

The custom script on this post is ONLY for this machine and NO other.

  • Please be sure to close any open work files, documents, and any apps you started yourself before starting this.

 

  • If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached, please disconnect any of those.

 

The system will be rebooted after the script has run.

 

  • Please save the (attached file named) FIXLIST.txt to F:\Softwares

Fixlist.txt

  • Start Windows Explorer and then go to the F:\Softwares folder
  • RIGHT click on FRST64.exe and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow it to run the tool.

  • If the tool warns you the version is outdated, please download and run the updated version.

IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool, click the More info line on that screen and click the Run anyway button on the next screen.

 

  • On the FRST window, click the Fix button just once, and wait.

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. 

If you receive a message that a reboot is required, please make sure you allow it to restart normally.

The tool will complete its run after restart.

When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run.

 

Please attach the FIXLOG.txt with your next reply later, at your next opportunity 

Sincerely


Thanks for the Fixlog.

The Windows System File Checker did not find any system errors.

The _readme notes seem to be related to a STOP variant ransomware. Have you encountered user documents that could not be opened?

.

Let's do one new scan.

In Malwarebytes for Windows program, we want to do a special scan.

 

Click Settings ( gear icon) at the top right of Malwarebytes window. We want to see the SETTINGS window.

 

Then click the Security tab.   

 

Scroll down and let's be sure the line in Scan Options for "Scan for rootkits" is ON 👈

 

Click it to get it ON if it does not show a blue color.

Next, click the small x on the Settings line to go to the main Malwarebytes Window.

 

Next click the blue button marked Scan.

 

When the scan phase is done, be really sure you review and have all detected line items check-marked on the left. That too is very critical.

 

You can actually click (tick) the topmost left check-box on the very top line to get ALL lines ticked (all selected). 👈

Then click on Quarantine selected.

 

Then locate the scan run report, export a copy, and attach it to your reply.

See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

 

Let me know if you need other help.


Thanks for the scan report by Malwarebytes for Windows.

I would suggest a free scan with the ESET Online Scanner.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

It will start a download of "esetonlinescanner.exe"

Save the file to your system, such as the Downloads folder, or else to the Desktop.

 

Go to the saved file, and double click it to get it started.

 

  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes
  • When prompted for scan type, Click on Full scan

Look at and tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.

Have patience. The entire process may take an hour or more. There is an initial update download.

There is a progress window display.

You should ignore all prompts to get the ESET antivirus software program (e.g. their standard program). You do not need to buy, get or install anything else.

  • When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked “View detected results”.
  • Click the blue “Save scan log” to save the log.

If something was removed and you know it is a false finding, you may click on the blue “Restore cleaned files” (at bottom).

Press Continue when all done. You should click to turn off the offer for “periodic scanning”.


Thanks for the report. Note that there were 3 more sub-folders that had the Win32/Filecoder.STOP trojan.

We need to do a different additional scan.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links and how to run the tool are at this link at Microsoft:

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

From the Scan Option, please select " FULL " scan.

 

Let me know the result of this.

The log is named MSERT.log and will be at C:\Windows\debug\msert.log

Please attach that log with your reply.


Alright. The Safety Scanner scan of June 1 reports no infection.

.

I would like you to run a tool named SecurityCheck to inquire on the current security-update status of some applications.

 

Download SecurityCheck by glax24 from here https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe and save the tool on the desktop.

  • If Windows SmartScreen blocks that with a message window, click on the MORE INFO spot, override that, and allow it to proceed. This tool is safe. SmartScreen is overly sensitive.
  • Right-click with your mouse on the SecurityCheck.exe and select "Run as administrator" and reply YES to allow it to run and go forward.
  • Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file. Attach it with your next reply.

You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt


  • Solution

Hi. Thanks.

You may now uninstall the Sophos Virus Removal Tool . It is no longer needed.

NVIDIA GeForce Experience 3.4.0.70 v.3.4.0.70 Warning! Download Update

 

TeamViewer 14 v.14.4.2669 Warning! Download Update

 

Zoom v.5.4.9 (59931.0110) Warning! Download Update

 

TunnelBear v.4.1.1.0 Warning! This app can show ads.

 

Popcorn Time v.6.2.0.13 Warning! Suspected Adware! If this program is not familiar to you it is recommended to uninstall it 

 

Wondershare Helper Compact 2.5.2 v.2.5.2 Warning! Application is distributed through the partnership programs and bundle assemblies. Uninstallation recommended. Possible you became a victim of fraud or social engineering.

 

For added browser security!

Let me suggest that you get your browsers each, as applicable, to have the Malwarebytes Browser Guard. 

 

See the Support article how-to:

https://support.malwarebytes.com/hc/en-us/articles/360038520374-Install-Malwarebytes-Browser-Guard

 

Note: If your pc has Opera or Brave or Vivaldi browser, you can install the Chrome version of the Malwarebytes Browser Guard.

The Windows EDGE browser can also take the same Guard as the Chrome one.


I am glad to have helped.

We can proceed with cleanup of the tools we used.

 

To remove the FRST tool & its work files, do this. Go to your F:\Softwares folder. Do a RIGHT-click on FRST64.exe & select RENAME & then change it to UNINSTALL.exe

 

Then run that (double click on it) to begin the cleanup process.

Delete esetonlinescanner.exe

Delete SecurityCheck.exe

 

Any other download file I had you download, you may delete. I wish you all the best. Stay safe.

Sincerely.

Maurice
