Pidd Posted September 15, 2021 ID:1479957 Share Posted September 15, 2021 Hi, I would very much appreciate some assistance in checking if everything is OK. Yesterday MWB warned me of a blocked website (see attached reports). The only time I've seen something similar (outbound) was earlier this spring when there was a false positive on Discord. Naturally I'm a bit worried. I've scanned with MWB and Windows Defender, and they both came out clean. So far it has only happened once, and I haven't noticed anything strange on my PC. In regards to logs from FRST (if needed). I already have it on my desktop from earlier this year (FRST64) alongside a Fixlog and the folder FRST-OlderVersion, as well as a folder on my C:. Should I simply rename FRST64 to FRST64English and run it, or do I need to download it again? Thank you and have a good day or night! Regards, Peter mwb2_2021.txt mwb_2021.txt Link to post Share on other sites More sharing options...
kevinf80 Posted September 15, 2021 ID:1479959 Share Posted September 15, 2021 Hello Pidd and welcome to Malwarebytes, Disable smart screen only if it interferes with software we may have to use:https://support.microsoft.com/en-us/microsoft-edge/what-is-smartscreen-and-how-can-it-help-protect-me-1c9a874a-6826-be5e-45b1-67fa445a74c8 Please remember to enable when we are finished.... Next, Disable any Anti-virus software you have installed only if it stops software we may use from working:https://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/ Please remember to enable AV software when we are finished running scans.... Next, Lets grab some logs and see whats going on, continue with the following: Open Malwarebytes, select > small cog wheel top right hand corner, that will open "settings" from there select "Security" tab. Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on.... Close out the settings window, this will take you back to "DashBoard" select the Blue "Scan Now" tab...... When the scan completes quarantine any found entries... To get the log from Malwarebytes do the following: Open Malwarebytes Click on the Detection History tab > from main interface. Then click on "History" that will open to a historical list Double click on the Scan log which shows the Date and time of the scan just performed. Click Export > From export you have two options:Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your replyText file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply Please use "Text file (*.txt), then name the file and save to a place of choice, recommend "Desktop" then attach to reply Next, Download AdwCleaner by Malwarebytes onto your Desktop. Or from this Mirror Right-click on AdwCleaner.exe and select http://i.imgur.com/Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users) Accept the EULA (I accept), then click on Scan Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Quarantine button. This will kill all the active processes Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply Next, Download Farbar Recovery Scan Tool and save it to your desktop. Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.htmlNote: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version. If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way... Be aware FRST must be run from an account with Administrator status... If English is not your primary language Right click on FRST/FRST64 and rename FRSTEnglish/FRST64English Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.) Make sure Addition.txt is checkmarked under "Optional scans" Press Scan button to run the tool.... It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply. The tool will also make a log named (Addition.txt) Please attach that log to your reply. Let me see those logs in your reply... Thank you, Kevin.... Link to post Share on other sites More sharing options...
Pidd Posted September 15, 2021 Author ID:1479961 Share Posted September 15, 2021 Thanks for getting back to me, Kevin! Please see the question about FRST in my post. Can I use my current one, and does it matter that I've used it before? Also, approximately how long does the AdwCleaner scan take? Link to post Share on other sites More sharing options...
kevinf80 Posted September 15, 2021 ID:1479962 Share Posted September 15, 2021 Delete FRST and d/l a fresh version. AdwCleaner scan time really depends on the size of your system, amount of data etc.. maybe 20 minutes... Link to post Share on other sites More sharing options...
Pidd Posted September 15, 2021 Author ID:1479968 Share Posted September 15, 2021 Simply rename FRST64 to "uninstall", am I remembering this correctly? I'll get you the FRST and AdwCleaner logs most likely tomorrow. Link to post Share on other sites More sharing options...
kevinf80 Posted September 15, 2021 ID:1479974 Share Posted September 15, 2021 No do not rename to uninstall, that is only needed to remove all of files and folders related to FRST and FRST itself. Just delete the executable from your desktop or downloads folder, or where you have it d/l to... Link to post Share on other sites More sharing options...
Pidd Posted September 16, 2021 Author ID:1480054 Share Posted September 16, 2021 Just ran the AdwCleaner. The scan took like 3 seconds and didn't find any PUPs or adware, but flagged Samsung SmartSwitch as a preinstalled program. I use this to update and backup my phone, and don't want to get rid of it. Do I leave it unchecked and press quarantine to continue? Link to post Share on other sites More sharing options...
kevinf80 Posted September 16, 2021 ID:1480056 Share Posted September 16, 2021 Yes just untick and leave it installed if you use it. AdwCleaner will remove preinstalled bloatware, usually classed as unwanted or needed extras... Link to post Share on other sites More sharing options...
Pidd Posted September 16, 2021 Author ID:1480059 Share Posted September 16, 2021 Alright, logs from FRST and AdwCleaner attached. The logs from MWB can be found in the first post. Thank you! AdwCleaner[S00].txt FRST.txt Addition.txt Link to post Share on other sites More sharing options...
kevinf80 Posted September 17, 2021 ID:1480307 Share Posted September 17, 2021 Hiya Pidd, Upload a File to Virustotal Go to http://www.virustotal.com/ Click the Choose file button Navigate to the file C:\Program Files\plugins.dat Click the Scan it tab If you get a message saying File has already been analyzed: click Reanalyze file now Copy and paste the URL address back here please. Next, I see the following blocks have been set up in firewall rules: FirewallRules: [TCP Query User{B3122A2D-510B-475F-922C-DD39E1DA3E38}C:\program files\airdc++\airdc.exe] => (Block) C:\program files\airdc++\airdc.exe (AirDC++ Team) [File not signed] FirewallRules: [UDP Query User{79AA244D-C9CB-4E5E-9DAD-3892B81D275F}C:\program files\airdc++\airdc.exe] => (Block) C:\program files\airdc++\airdc.exe (AirDC++ Team) [File not signed] Have the blocks ceased, or are they still happening even with those blocks inplace... Thank you, Kevin Link to post Share on other sites More sharing options...
Pidd Posted September 17, 2021 Author ID:1480308 Share Posted September 17, 2021 (edited) Hi Kevin, I can't find Program Files under my C:. There's only been the one block yes, but the firewall rules have been there for a while. I haven't opened the program since the block happened. When we're done here and/if things are looking OK, I feel like uninstalling it is the way to go. Let me know how I can find the plugins.dat file you're after, and I'll scan it and get back to you! EDIT: found the file under C:\Programs. Link: https://www.virustotal.com/gui/file/ed704ca7b587bb8829d4115f3e98e85cdcd5e8cc53388ca35bcd2e492c6d9f43 EDIT2: All of a sudden MWB made an entirely different block just now. I opened a word document of mine (completely legit Office 365). What even is this? What does it mean? Malwarebytes www.malwarebytes.com -Log Details- Protection Event Date: 9/17/21 Protection Event Time: 12:21 PM Log File: 0b4dbeb1-17a1-11ec-96b3-244bfede9b26.json -Software Information- Version: 4.4.6.132 Components Version: 1.0.1453 Update Package Version: 1.0.45016 License: Premium -System Information- OS: Windows 10 (Build 19043.1237) CPU: x64 File System: NTFS User: System -Exploit Details- File: 0 (No malicious items detected) Exploit: 1 Malware.Exploit.Agent.Generic, ComSpec=C:\Windows\system32\cmd.exe, Blocked, 0, 392684, 0.0.0, , -Exploit Data- Affected Application: Microsoft Office Word Protection Layer: Application Behavior Protection Protection Technique: Exploit Office WMI abuse blocked File Name: ComSpec=C:\Windows\system32\cmd.exe URL: (end) Edited September 17, 2021 by Pidd Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted September 17, 2021 Root Admin ID:1480387 Share Posted September 17, 2021 Open Malwarebytes, click the small gear on the top right and go to the Security tab. Scroll down to the bottom and click the Advanced Settings button Click on the Application behavior protection tab Scroll down to "Office WMI abuse prevention" and uncheck it Link to post Share on other sites More sharing options...
Pidd Posted September 17, 2021 Author ID:1480388 Share Posted September 17, 2021 Thank you @AdvancedSetup! I'm assuming it's safe to uncheck it :) Have a good night/day, and I'll wait for Kevin to get back to me with my actual problem. I do appreciate you stepping in clearing Office thingy, made me slightly less worried! Link to post Share on other sites More sharing options...
kevinf80 Posted September 17, 2021 ID:1480400 Share Posted September 17, 2021 Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix" NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work. Open FRST and press the Fix button just once and wait. The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply. fixlist.txt Link to post Share on other sites More sharing options...
Pidd Posted September 17, 2021 Author ID:1480404 Share Posted September 17, 2021 Hi Kevin, What does it do? Just tbought I'd ask before running it.. Link to post Share on other sites More sharing options...
kevinf80 Posted September 17, 2021 ID:1480409 Share Posted September 17, 2021 It will find the file "plugins.dat", open and post what it contains to a log... No changes are made.. Link to post Share on other sites More sharing options...
Pidd Posted September 17, 2021 Author ID:1480412 Share Posted September 17, 2021 Oh, I did end up finding it and I uploaded it to virustotal. I copy'd the link to my earlier reply. Or is this another step? Sorry for the many questions! Link to post Share on other sites More sharing options...
kevinf80 Posted September 17, 2021 ID:1480426 Share Posted September 17, 2021 Run the frst fix so I can see what the data file holds... Link to post Share on other sites More sharing options...
Pidd Posted September 17, 2021 Author ID:1480427 Share Posted September 17, 2021 Log attached. Thanks! Fixlog.txt Link to post Share on other sites More sharing options...
kevinf80 Posted September 17, 2021 ID:1480452 Share Posted September 17, 2021 Nothing to be concerned about.... Run the following scan: Please download Zemana AntiMalware and save it to your Desktop. Install the program and once the installation is complete it will start automatically. Without changing any options, press Scan to begin. After the short scan is finished, if threats are detected press Next to remove them. Note: If restart is required to finish the cleaning process, you should click Reboot. If reboot isn't required, please re-boot your computer manually. Open Zemana again then do the following to get the latest report Open Reports > select the report in question to highlight > select "Ctrl - A" keys together to highlight full report message > then "Ctrl - C" keys to copy to clipboard > then open notepad and select paste to copy the report there, then attach to reply.... Link to post Share on other sites More sharing options...
Pidd Posted September 17, 2021 Author ID:1480455 Share Posted September 17, 2021 There you go, logs attached. Thanks for helping me, I'm out for the day - good night! Zemana_report.txt Link to post Share on other sites More sharing options...
kevinf80 Posted September 18, 2021 ID:1480496 Share Posted September 18, 2021 Hiya Pidd, Do not see any obvious malware or infection in any of your logs. What is happening with the blocks, are they still happening..? Did you uninstall or still intend to uninstall AirDC++ Thank you, Kevin. Link to post Share on other sites More sharing options...
Pidd Posted September 18, 2021 Author ID:1480504 Share Posted September 18, 2021 (edited) Hi Kevin, No more than the initial one block. And yes, I very much intend to uninstall it. I haven't opened it since the block and don't trust it anymore. Even if it turned out to be a false positive. Thank you! EDIT: I just uninstalled it. Nothing weird happened. When I checked the firewall settings, it still shows up though. Together with other uninstalled apps/games, so it doesn't seem to be out of place. Is there a way to remove it completely? Or maybe it doesn't matter. Still seems to be allowed in my public network, which is the one I'm using. Edited September 18, 2021 by Pidd 1 Link to post Share on other sites More sharing options...
kevinf80 Posted September 18, 2021 ID:1480548 Share Posted September 18, 2021 Hiya Pidd, Thanks for the update, we can run a fresh scan with FRST and remove remnants with a subsequent fix... Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan" Select scan, when done post the new logs. "FRST.txt" and "Addition.txt" Thank you, Kevin... Link to post Share on other sites More sharing options...
Pidd Posted September 18, 2021 Author ID:1480550 Share Posted September 18, 2021 Thanks Kevin! Fresh logs attached. Hope they look good as well. Just a heads up, if I don't answer in time please don't lock the thread yet. I won't have access to my computer until Tuesday starting tomorrow. FRST.txt Addition.txt Link to post Share on other sites More sharing options...
Recommended Posts