NuggetIsBad Posted August 21, 2021

I have seen some other forums have solved this but I need someone's help. I already have the Farbar scans so I will add them here.

Attachments: Addition.txt, FRST.txt
Maurice Naggar Posted August 21, 2021

Hello. My name is Maurice. I will guide you. Let me know what nickname you prefer to go by. As we go along, just attach reports (just like you did above).

I would like to see full details from Malwarebytes for Windows. Please download the MBST Support tool: https://downloads.malwarebytes.com/file/mbst

Go to the Downloads folder. With your mouse pointer, do a right-click on the mb-support.1.8.4.xxx.exe file & choose "Run as Administrator" & reply Yes & allow it to proceed. Once you start it, click Advanced > Gather Logs. Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop.

Cheers.
NuggetIsBad Posted August 21, 2021

Here they are.

Attachment: mbst-grab-results.zip
Maurice Naggar Posted August 21, 2021 (edited)

Thank you. There seems to be one questionable file under your user sub-folder (seemingly for Discord) that is the one being flagged by Malwarebytes for Windows on a real-time protection "flag event". We can get that deleted. I will guide you.

First, some starter steps, to get us started. Please do all of these, as much as possible.

[ 1 ] Please set File Explorer to SHOW ALL folders, all files, including hidden ones. Use OPTION ONE or TWO of this article: https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

[ 2 ] This PC also has McAfee LiveSafe as well as having the trial Malwarebytes. Make one adjustment on Malwarebytes. This will not affect its protections while in trial, nor later. Start Malwarebytes. Click the Settings (gear) icon. Next, let's make real sure that Malwarebytes does NOT register with Windows Security Center. Click the Security tab. Scroll down to "Windows Security Center". Click the selection to the left for the line "Always register Malwarebytes in the Windows Security Center". { We want that to be set as Off .... be sure that line's radio-button selection is all the way to the left. Thanks. } This will not affect any real-time protection of the Malwarebytes Premium 😃. Close Malwarebytes.

[ 3 ] Small housekeeping. Empty the Windows Recycle Bin. See the guide at this MS link: https://support.microsoft.com/en-us/windows/empty-the-recycle-bin-in-windows-10-d4c8f8ef-a12e-8250-b0cf-2311960a31f9 Earlier, Malwarebytes had one issue with 1 file there.

[ 4 ] Get ready to manually delete 1 questionable file. You can do this. On the Windows taskbar, in the Windows search box, type in cmd.exe and then look at the entire list of choices, and click on Run as Administrator. Once the Command Prompt window is up, copy > paste the line in the codebox below into the command window. It is best to use COPY & Paste for the following. All of each line as-is:

del /s /q C:\Users\kadew\AppData\Local\Discord\app-1.0.9002\ErrorReport.exe

Tap Enter to have it proceed. Watch to see that it does succeed. Meaning, I want to know detail in case there is some "error" or exception notice.

[ 5 ] This too is do-able. Use Windows Explorer and navigate the C drive from the LEFT-side navigation tree. Expand the C drive. We want to get to this sub-folder: C:\Users\kadew\AppData\Local Now RIGHT-click with your mouse pointer and select "Scan with Malwarebytes". Have this special scan proceed. Hopefully it will catch any other leftover malware or PUP.

Edited August 21, 2021 by Maurice Naggar
NuggetIsBad Posted August 21, 2021

So I put in the command and it said that it could not find the file. Also when I went into the user portion on step 5 there is no AppData.
Maurice Naggar Posted August 21, 2021

Go slow, careful, deliberate. Go back to C drive. Now only just find C:\users and expand that view. Now look at the user kadew subfolder. Now expand some more and look for the sub-folder AppData.
NuggetIsBad Posted August 21, 2021

I don't see it still, but I don't know what that bottom file is either.
NuggetIsBad Posted August 21, 2021

Okay, I managed to find it. Now there are three options: Roaming, LocalLow, and Local.
NuggetIsBad Posted August 21, 2021

So I was in the folder just looking and ErrorReport suddenly popped up. Malwarebytes saw it and deleted it, then it was gone.
NuggetIsBad Posted August 21, 2021

I think it found the culprit. I will let you know if I get any more notifications about ErrorReport.exe.
NuggetIsBad Posted August 21, 2021

Ok, seems that was not the end of it. I am still getting notifications that ErrorReport.exe is being removed.
Maurice Naggar Posted August 21, 2021

I want to convey that display screen grabs from Malwarebytes like in the next-to-last preceding post of yours do not show real complete full details. If it was from a block event, I need the actual log out of History. If it is a scan result, I need the actual Scan report out of History. That is to say, there are 2 types of reports. One is from a Scan. The other type is a DETECTION or Real-Time Protection event. The 2 types are discussed / described here: https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows and note, we always want the Advanced report. Please keep that in mind.

I was hoping you could do that context-menu scan off of C:\Users like I tried to request in the post above. Use Windows Explorer and navigate the C drive from the LEFT-side navigation tree. Expand the C drive. We want to get to this sub-folder: C:\Users\kadew\AppData Now RIGHT-click with your mouse pointer and select "Scan with Malwarebytes". Have this special scan proceed. Hopefully it will catch any other leftover malware or PUP.

[ Further and in addition ] You should do this special scan. In the Malwarebytes for Windows program, we want to do a special scan. Click Settings (gear icon) at the top right of the Malwarebytes window. We want to see the SETTINGS window. Then click the Security tab. Scroll down and let's be sure the line in SCAN OPTIONS for "Scan for rootkits" is ON 👈 Click it to get it ON if it does not show a blue color. Next, click the small x on the Settings line to go to the main Malwarebytes window. Next click the blue button marked Scan.

When the scan phase is done, be real sure you review and have all detected line items check-marked on each line on the left. That too is very critical. >>>>>> 👉 You can actually click the topmost left check-box on the very top line to get ALL lines ticked (all selected). <<<< 💢 Please double verify you have that TOP check-box tick-marked, and that then all lines have a tick-mark. Then click on the Quarantine button.

Then, locate the Scan run report; export out a copy; & then attach it with your reply. See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4
NuggetIsBad Posted August 21, 2021

Here is the report from the scan with rootkits on.

Attachment: Report.txt
NuggetIsBad Posted August 21, 2021

I am now doing a scan of the AppData folder, which will take quite a bit longer.
NuggetIsBad Posted August 21, 2021

Here is the AppData report.

Attachment: AppData Report.txt
NuggetIsBad Posted August 21, 2021

It appears every 5 minutes in that folder through Discord. It's been happening for hours.
NuggetIsBad Posted August 21, 2021

Not sure what happened, but I haven't gotten a notification for a while.
Maurice Naggar Posted August 22, 2021

Good morning. I appreciate the reports you have sent. I plan to lead you through a series of additional scans. The one below is the first.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. The download links & the how-to-run-the-tool are at this link at Microsoft: https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

Look on Scan Options & select FULL scan. Then start the scan. Have lots of patience. It may take several hours. Let me know the result of this. This is likely to run for many hours (depending on the number of files on your machine & the speed of hardware).

The log is named MSERT.log; the log will be at C:\Windows\debug\msert.log Please attach that log with your reply.
Maurice Naggar Posted August 22, 2021 (marked as solution)

Adding a note related to a very out-of-date program. Java 8 Update 281 is an old release from Oracle & poses a potential security risk exposure. Please take time to uninstall it. Your Windows system really does not need it. But if you do have some added application that really truly needs Java, then in that case, you can get the very latest release. See this how-to link: https://securitygarden.blogspot.com/2021/07/oracle-java-se-security-update-released.html Oracle releases security updates on a quarterly basis. Out-of-date Java is one potential vector for bad actors to facilitate a malware infection to get in. Take care of this at your next opportunity.

As to the main issue at hand. Note that Microsoft Defender Antivirus flagged C:\Users\kadew\AppData\Local\Discord\app-1.0.9002\ErrorReport.exe several times on the 21st.

Category: Potentially Unwanted Software
Microsoft Defender Antivirus has detected malware or other potentially unwanted software. For more information please see the following: https://go.microsoft.com/fwlink/?linkid=37020&name=PUA:Win32/CoinMiner&threatid=227033&enterprise=0
Name: PUA:Win32/CoinMiner

ANOTHER file is flagged by MS Defender as a severe threat. Look for this file: C:\Users\kadew\Downloads\Kiwi V2 - Linkvertise Downloader_v-J6r31.exe If still around, then delete it.

Severity: Severe
Category: Trojan
Microsoft Defender Antivirus has detected malware or other potentially unwanted software. For more information please see the following: https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Spursint.F!cl&threatid=2147717281&enterprise=0
Name: Trojan:Win32/Spursint.F!cl
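The thread shows two recurring problems a helper has to sort out: the `del` command in step [ 4 ] reported "could not find the file" because the file was not present at that moment, and later ErrorReport.exe kept reappearing in the Discord folder every few minutes, which means something on the machine is re-dropping it. The PowerShell script below is an added example for readers of this thread, not Maurice's instructions and not a Malwarebytes or Microsoft tool. It checks both files named in the solution post (paths copied from the thread; the username kadew is the one quoted there), records size, timestamps, SHA-256 and Authenticode status for anything present, and then reads, without changing anything, the usual places that could be re-creating the file: scheduled tasks, the Run/RunOnce registry keys, and processes running out of the Discord folder. It assumes an elevated PowerShell prompt on Windows 10.

```powershell
# Added example for this thread (not Maurice's instructions, not a Malwarebytes tool).
# Read-only triage: reports what is present and what references it; deletes nothing.
# Paths are the ones quoted in the thread; the username "kadew" comes from the thread too.
$flaggedPaths = @(
    'C:\Users\kadew\AppData\Local\Discord\app-1.0.9002\ErrorReport.exe',
    'C:\Users\kadew\Downloads\Kiwi V2 - Linkvertise Downloader_v-J6r31.exe'
)
$discordRoot = 'C:\Users\kadew\AppData\Local\Discord\'

# 1. Is each flagged file on disk right now? If so, record enough to match it against
#    a Malwarebytes / Defender detection later (hash, size, timestamps, signature state).
foreach ($p in $flaggedPaths) {
    if (Test-Path -LiteralPath $p) {
        $item = Get-Item -LiteralPath $p -Force
        $sha  = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $sig  = (Get-AuthenticodeSignature -LiteralPath $p).Status   # real Discord binaries are signed
        "PRESENT  $p"
        "         size={0} created={1} modified={2}" -f $item.Length, $item.CreationTime, $item.LastWriteTime
        "         sha256=$sha signature=$sig"
    } else {
        # This is the situation the 'del' command hit: nothing to delete at that instant.
        "ABSENT   $p"
    }
}

# 2. Scheduled tasks whose action runs the flagged file or anything under the Discord folder.
#    Discord's own updater may legitimately appear here; read the entries, do not assume every hit is bad.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match 'ErrorReport\.exe' -or $cmd -like "*$discordRoot*") {
            "TASK     $($task.TaskPath)$($task.TaskName) -> $cmd"
        }
    }
}

# 3. Run / RunOnce autostart values that point at the same locations.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match 'ErrorReport\.exe|\\Discord\\' } |
            ForEach-Object { "AUTORUN  $key\$($_.Name) = $($_.Value)" }
    }
}

# 4. Live processes running out of the Discord folder. If the dropper is still running,
#    deleting the file alone will not stop it coming back; the parent PID is what matters.
Get-CimInstance Win32_Process |
    Where-Object { $_.ExecutablePath -and $_.ExecutablePath -like "$discordRoot*" } |
    Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine |
    Format-Table -AutoSize
```

Discord normally installs an HKCU Run entry that launches its own Update.exe from this same folder, so a hit in section 3 is only interesting if it names ErrorReport.exe or some executable that is not part of a stock Discord install; the value of the script is that it ties a "file keeps coming back" symptom to a concrete task, autorun value or parent process that can then be shown to the helper along with the Malwarebytes Advanced report.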
Maurice Naggar Posted August 28, 2021

Good afternoon. How is the situation on this computer? Have you seen my 2 preceding replies?