BDensham Posted July 17, 2021 ID:1469828
Downloaded Malwarebytes free version to see if it will clean it up. Taking quite a while.
Maurice Naggar Posted July 17, 2021 ID:1469829
Hi, my name is Maurice. Please attach the scan report from Malwarebytes after it is done. Please also do the other steps here https://forums.malwarebytes.com/topic/9573-im-infected-what-do-i-do-now/?tab=comments#comment-46166
Maurice Naggar Posted July 17, 2021 ID:1469832
Hello. If what you suspect is true, this sounds like the STRRAT trojan. Did you recently get an email that made some "claim" or assertion about a ransom or some sort of threat? Did you open any such email? Also, when did this pest first show up? And do you have a backup of this system from before this event? I would hope you have a recent backup on offline storage.
Edited July 17, 2021 by Maurice Naggar
BDensham (Author) Posted July 17, 2021 ID:1469833
I don't think so. I don't open emails from unknown sources. I didn't clue in until recently but I've been shutting down PowerShells and MSBUILDs as well as changing browser proxy settings for a few weeks now. I have backups of important material and can recreate anything else I need.
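The symptoms in the post above (powershell.exe and MSBuild.exe reappearing after being killed, browser proxy settings changing) are exactly what a responder wants recorded before anything is killed again, because the thing that relaunches them is usually an autostart entry or a scheduled task, not the process itself. The script below is an added example, not from this thread, from Malwarebytes, or from the FRST tool. It assumes Windows 10 with Windows PowerShell 5.1, run from an elevated prompt (needed to read other users' command lines); the list of "living-off-the-land" binaries, the registry paths, and the output file on the Desktop are my choices. It does not identify STRRAT or any named malware and changes nothing; it only writes a report that can be reviewed or attached to a help thread.

```powershell
# Added triage script: not from this thread, Malwarebytes, or FRST.
# Assumptions: Windows 10, Windows PowerShell 5.1, run as Administrator.
# It does NOT identify STRRAT or any named malware; it only records the
# indicators described in the thread (unexpected powershell.exe / MSBuild.exe
# processes, changed proxy settings) plus common autostart locations.
# Nothing is modified.
$ErrorActionPreference = 'SilentlyContinue'
$out = Join-Path $env:USERPROFILE 'Desktop\triage.txt'   # assumed output path

# 1. Script hosts and build tools that malware commonly abuses ("LOLBins").
#    One launched by a scheduled task or another script host deserves a close
#    look; one you started yourself does not.
$lolbins = 'powershell.exe', 'pwsh.exe', 'msbuild.exe', 'wscript.exe',
           'cscript.exe', 'mshta.exe', 'regsvr32.exe', 'rundll32.exe'
$lolbinRx = '(?i)\b(' + (($lolbins -replace '\.exe$', '') -join '|') + ')(\.exe)?\b'

$all   = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $all) { $byPid[$p.ProcessId] = $p }
$procs = foreach ($p in $all) {
    if ($lolbins -contains $p.Name) {
        $parent = $byPid[$p.ParentProcessId]
        [pscustomobject]@{
            Name        = $p.Name
            PID         = $p.ProcessId
            Parent      = if ($parent) { $parent.Name } else { '<exited>' }
            CommandLine = $p.CommandLine
        }
    }
}

# 2. WinINet proxy settings (what Internet Options and most browsers use).
#    A ProxyServer or AutoConfigURL you did not set yourself means something
#    is steering your browser traffic.
$inet  = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$proxy = [pscustomobject]@{
    ProxyEnable   = $inet.ProxyEnable
    ProxyServer   = $inet.ProxyServer
    AutoConfigURL = $inet.AutoConfigURL
}

# 3. Persistence: Run/RunOnce values, the Startup folder, and scheduled tasks
#    whose action launches one of the binaries above. These are what bring a
#    process back after you have only ended it in Task Manager.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$autoruns = foreach ($k in $runKeys) {
    $props = Get-ItemProperty $k
    if ($props) {
        foreach ($n in $props.PSObject.Properties.Name) {
            # skip the provider metadata properties Get-ItemProperty adds
            if ($n -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$') {
                [pscustomobject]@{ Key = $k; Name = $n; Command = $props.$n }
            }
        }
    }
}
$startup = Get-ChildItem ([Environment]::GetFolderPath('Startup')) -Force |
           Select-Object Name, LastWriteTime
$tasks = Get-ScheduledTask | Where-Object {
    @($_.Actions | Where-Object { $_.Execute -match $lolbinRx }).Count -gt 0
} | ForEach-Object {
    [pscustomobject]@{
        Task    = $_.TaskPath + $_.TaskName
        State   = $_.State
        Actions = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' | '
    }
}

# 4. One text file that can be attached to a help thread.
@(
    '== Suspect processes ==',
    ($procs    | Format-Table -AutoSize -Wrap | Out-String -Width 250),
    '== WinINet proxy settings ==',
    ($proxy    | Format-List | Out-String),
    '== Run / RunOnce values ==',
    ($autoruns | Format-Table -AutoSize -Wrap | Out-String -Width 250),
    '== Startup folder ==',
    ($startup  | Format-Table -AutoSize | Out-String),
    '== Scheduled tasks launching script hosts ==',
    ($tasks    | Format-Table -AutoSize -Wrap | Out-String -Width 250)
) | Set-Content -Path $out -Encoding UTF8
Write-Host "Triage written to $out"
```

Save it as triage.ps1 and run it from an elevated PowerShell prompt before the next cleanup pass. The value of the report is the Parent and Actions columns: a powershell.exe whose parent is a task engine, wscript.exe, or an Office process, or a scheduled task whose action is one of the listed binaries, points at the launcher that has to be removed, which is the part a tool like FRST's fix list targets and a plain process kill does not.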
Maurice Naggar Posted July 17, 2021 ID:1469837
IF you have a complete, recent system image / full backup, do consider doing a restore from that, as long as you are sure that that backup is from before the start of this trojan infection. This infection is very serious and does involve the theft of passwords & potentially personal identifiers. After this event is squashed, you will need to change all your passwords to new, strong passwords, but only on a clean machine.
This infection could have been due to a drive-by browser use, or perhaps due to getting some sort of dodgy "freeware" of some kind, or other download.
Just let me know if you decide to restore from backup, or perhaps better yet, doing a clean rebuild of Windows, then doing new installs of your programs, and then getting your personal files off the backup.
BDensham (Author) Posted July 17, 2021 ID:1469839
After running the software, I cannot find any other .txt files.
Attachment: Quarantine 7-17-21.txt
BDensham (Author) Posted July 17, 2021 ID:1469841
MSBUILD is back. Running Farbar.
Maurice Naggar Posted July 17, 2021 ID:1469843
It would be helpful to get the 2 reports from FRST. Just so you know, it looks like you did not TICK all lines detected by Malwarebytes. I will guide you on that.
Please set File Explorer to SHOW ALL folders, all files, including Hidden ones. Use OPTION ONE or TWO of this article https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html
[ 2 ] Now a fresh new scan with Malwarebytes for Windows. In the Malwarebytes for Windows program, we want to do a special scan.
Click Settings (gear icon) at the top right of the Malwarebytes window. We want to see the SETTINGS window. Then click the Security tab.
Scroll down and let's be sure the line in SCAN OPTIONS for "Scan for rootkits" is ON 👈 Click it to get it ON if it does not show a blue color.
Next, click the small x on the Settings line to go to the main Malwarebytes window.
Next click the blue button marked Scan.
When the scan phase is done, be real sure you review and have all detected line items check-marked on each line on the left. That too is very critical.
>>>>>> 👉 You can actually click the topmost left check-box on the very top line to get ALL lines ticked (all selected). <<<<
💢 Please double verify you have that TOP check-box tick-marked, and that then all lines have a tick-mark.
Then click on the Quarantine button.
Then, locate the Scan run report; export out a copy; & then attach it with your reply. See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4
There will be much more to do after this. Please stick with me.
[ 3 ] If possible, restart Windows into Safe mode. Then repeat the same scan just like # 2 above with Malwarebytes for Windows.
I think you can do those 2 scans within something like 30 - 40 minutes. When all done, restart the system into normal mode Windows.
NOTE: There will be much much more to do.
BDensham (Author) Posted July 17, 2021 ID:1469850
Running Malwarebytes with all necessary boxes ticked (I hope)
Attachments: FRST.txt, Addition_17-07-2021 14.40.38.txt, Addition.txt, FRST_17-07-2021 14.40.38.txt
BDensham (Author) Posted July 17, 2021 ID:1469852
OK. I had already quarantined after the first scan by Malwarebytes and the second scan came up empty. So, I have nothing left to upload.
BDensham (Author) Posted July 17, 2021 ID:1469853
Attachment: Malwarebytes.txt
Maurice Naggar Posted July 17, 2021 ID:1469855
See my PM and reply to it. I am in the process of working up the next procedure(s).
Maurice Naggar Posted July 17, 2021 ID:1469859
Thanks for the Malwarebytes report.
NEXT
The custom script on this post is ONLY for this machine and NO other.
Please close / exit any open work files (if you have any ongoing at this point). Save any work. Exit out of other open apps that you yourself started at this session. This procedure will involve a restart at the end of the run.
Save this script file named FIXLIST.txt to the Downloads folder: Fixlist.txt
Using File Explorer, go to the Downloads folder.
RIGHT click on FRST64.exe and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow the tool to run.
If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.
IF you get a block message from Windows about this tool, click the line More info on that screen and click the button Run anyway on the next screen.
Click on the FIX button. You will see a green progress bar start.
If you receive a message that a reboot is required, please make sure you allow it to restart normally. The tool will complete its run after restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run.
Please attach the FIXLOG.txt with your next reply later, at your next opportunity.
There will be more to do after this, so please stick with me and, as much as possible, stay current with this thread. I will get back with you as I have the opportunity. Kindly remember I am a volunteer here.
BDensham (Author) Posted July 17, 2021 ID:1469867
I appreciate all the help Maurice. Took three tries to get a scan in safe mode then it came back clean. Ran the Fix and attached the file.
Attachment: Fixlog.txt
Maurice Naggar Posted July 17, 2021 ID:1469870
Alright. We still have other scans to do, to check the system. By the way, the Windows System File Checker found some issues & made corrections.
This is a special tool to check your pc for viruses, trojans & other malware.
Download Sophos Free Virus Removal Tool and save it to your desktop.
If your security alerts to this scan, either accept the alert or turn off your security to allow Sophos to run and complete.
Please do not use your PC whilst the scan is in progress. This scan is very thorough so may take several hours.
Double click the icon and select Run
Click Next
Select I accept the terms in this license agreement, then click Next twice
Click Install
Click Finish to launch the program
Once the virus database has been updated click Start Scanning
If any threats are found click Details, then View log file... (bottom left hand corner)
Attach the results in your reply
Close the Notepad document, close the Threat Details screen, then click Start cleanup
Click Exit to close the program
If no threats were found please confirm that result.
The Virus Removal Tool scans the following areas of your computer:
Memory, including system memory on 32-bit (x86) versions of Windows
The Windows registry
All local hard drives, fixed and removable
Mapped network drives are not scanned.
Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.
Saved logs are found under this sub-folder: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs
Let me know what Sophos reports.
BDensham (Author) Posted July 18, 2021 ID:1469933
One threat found and dealt with.
Attachments: SophosVirusRemovalTool.log, SophosVirusRemovalTool_cloud4.log
Maurice Naggar Posted July 18, 2021 ID:1469944
Alright. We are done with the Sophos VRT tool. Now to uninstall it.
1. Press & hold the Windows key on the keyboard & then tap the R key to open the Run box window.
2. Type appwiz.cpl and tap Enter. The Programs and Features window will appear.
Locate on the list "Sophos Virus Removal". Do a right-click on it. Then choose Uninstall. Let it proceed. Exit Programs and Features.
The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. The download links & the how-to-run-the-tool are at this link at Microsoft https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download
Look on Scan Options & select FULL scan. Then start the scan. Have lots of patience. It may take several hours. Let me know the result of this.
This is likely to run for many hours (depending on the number of files on your machine & the speed of hardware).
The log is named MSERT.log; the log will be at C:\Windows\debug\msert.log
Please attach that log with your reply.
BDensham (Author) Posted July 18, 2021 ID:1469946
Scanning
Maurice Naggar Posted July 18, 2021 ID:1469953
That is fine. Once started, you may take a long break. The full scan can take many hours. 😀
BDensham (Author) Posted July 19, 2021 ID:1470028
This is what I got:
Attachment: msert.log
Maurice Naggar Posted July 19, 2021 ID:1470138
Good morning. That is an excellent report from MS Safety Scanner.
I would recommend getting a readout report as to the update status of some key apps.
Download SecurityCheck by glax24 from here https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe and save the tool on the desktop.
If Windows SmartScreen blocks that with a message window, then click on the MORE INFO spot and override that and allow it to proceed. This tool is safe. SmartScreen is overly sensitive.
Right-click with your mouse on the SecurityCheck.exe and select "Run as administrator" and reply YES to allow it to run & go forward.
Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file. Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt
BDensham (Author) Posted July 19, 2021 ID:1470144
Here it is.
Attachment: SecurityCheck.txt
BDensham (Author) Posted July 20, 2021 ID:1470269
Are we good? Not pushing, just curious. My computer is running much more quickly now.
Maurice Naggar Posted July 20, 2021 ID:1470278 (marked as Solution)
Yes, the pc is good to go. That said, be aware that you ought to review closely the following list and get these drivers / apps / programs updated. These are what SecurityCheck indicates are outdated & might pose a security risk exposure.
NVIDIA GeForce Experience 3.20.0.118 v.3.20.0.118 Warning! Download Update
Dropbox 20 GB v.0.9.0 Warning! Download Update
Microsoft Teams v.1.3.00.26064 Warning! Download Update
Zoom v.5.5.2 (12494.0204) Warning! Download Update
Spotify v.1.0.84.344.gfc674f6f Warning! Download Update
Adobe Creative Cloud v.5.0.0.354 Warning! Download Update
Mozilla Thunderbird 45.0 (x86 en-US) v.45.0 Warning! Download Update
Windows Live Essentials v.16.4.3528.0331 Warning! This software is no longer supported.
Music Manager Warning! Suspected Adware! If this program is not familiar to you it is recommended to uninstall it
Google Video Support Plugin v.19.12.1000.0 Warning! Suspected Adware! If this program is not familiar to you it is recommended to uninstall it
We can proceed with cleanup of the tools we used.
To remove the FRST64 tool & its work files, do this. Go to your Downloads folder. Do a RIGHT-click on FRST64.exe & select RENAME & then change it to UNINSTALL.exe. Then run that (double click on it) to begin the cleanup process.
Delete MBAR.exe
Delete SecurityCheck.exe
Any other download file I had you download, you may delete.
I wish you all the best. Stay safe. You are very welcome. I am glad to have worked with you.
Sincerely,
Maurice
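The list in the post above came from SecurityCheck. The script below is an added example, not from this thread, from SecurityCheck, or from Malwarebytes, that reproduces that kind of inventory from the registry itself so it can be rechecked after updates, and marks the entries worth a second look: those with no publisher (where adware-style entries such as the two flagged above tend to stand out) and those installed inside the window in which the symptoms were noticed. It assumes Windows PowerShell 5.1 on Windows 10, reads the three Uninstall hives (64-bit, 32-bit and per-user), and writes installed-software.csv to the Desktop; the 60-day window and the output path are my choices.

```powershell
# Added example: not from the thread, SecurityCheck, or Malwarebytes.
# Assumptions: Windows 10, Windows PowerShell 5.1, saved as inventory.ps1.
# Lists installed programs with version, publisher and install date and flags
# entries with no publisher or installed within the last $RecentDays days.
param([int]$RecentDays = 60)   # assumed window; the thread says "a few weeks"

$uninstallKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'

function Convert-InstallDate([string]$raw) {
    # InstallDate is usually 'yyyyMMdd' but is often missing or malformed.
    if ($raw -match '^\d{8}$') {
        try { return [datetime]::ParseExact($raw, 'yyyyMMdd', $null) } catch { }
    }
    return $null
}

$cutoff = (Get-Date).AddDays(-$RecentDays)

$software = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and -not $_.SystemComponent } |   # skip hidden components
    ForEach-Object {
        $installed = Convert-InstallDate $_.InstallDate
        $flags = @()
        if (-not $_.Publisher) { $flags += 'no publisher' }
        if ($installed -and $installed -ge $cutoff) { $flags += "installed within $RecentDays days" }
        [pscustomobject]@{
            Name        = $_.DisplayName
            Version     = $_.DisplayVersion
            Publisher   = $_.Publisher
            InstallDate = if ($installed) { $installed.ToString('yyyy-MM-dd') } else { '' }
            Flags       = $flags -join ', '
            Uninstall   = $_.UninstallString   # where it lives; useful for spotting odd paths
        }
    } | Sort-Object Name

$csv = Join-Path $env:USERPROFILE 'Desktop\installed-software.csv'   # assumed output path
$software | Export-Csv -Path $csv -NoTypeInformation -Encoding UTF8

# On screen: only the flagged entries; the full inventory is in the CSV.
$software | Where-Object Flags |
    Format-Table Name, Version, Publisher, InstallDate, Flags -AutoSize
Write-Host "Full inventory ($($software.Count) entries) written to $csv"
```

Run it once before and once after the updates recommended above; comparing the two CSVs in a spreadsheet shows which versions actually changed. An entry with no publisher and an UninstallString under a user-writable path such as AppData is the kind of thing to look up before deciding whether to remove it.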
BDensham (Author) Posted July 20, 2021 ID:1470310
Thank you so much Maurice. Patient and knowledgeable. You have been extremely helpful and I truly appreciate this. Please take care!
Brian