Jump to content

Need to check if I'm clean


Go to solution Solved by kevinf80,

Recommended Posts

Hi,

I would very much appreciate some assistance in checking if everything is OK. Yesterday MWB warned me of a blocked website (see attached reports). The only time I've seen something similar (outbound) was earlier this spring when there was a false positive on Discord. Naturally I'm a bit worried. I've scanned with MWB and Windows Defender, and they both came out clean. So far it has only happened once, and I haven't noticed anything strange on my PC.

In regards to logs from FRST (if needed). I already have it on my desktop from earlier this year (FRST64) alongside a Fixlog and the folder FRST-OlderVersion, as well as a folder on my C:. Should I simply rename FRST64 to FRST64English and run it, or do I need to download it again?

Thank you and have a good day or night!

Regards,

Peter

mwb2_2021.txt mwb_2021.txt

Link to post
Share on other sites

Hello Pidd and welcome to Malwarebytes,

Disable smart screen only if it interferes with software we may have to use:

https://support.microsoft.com/en-us/microsoft-edge/what-is-smartscreen-and-how-can-it-help-protect-me-1c9a874a-6826-be5e-45b1-67fa445a74c8

Please remember to enable when we are finished....

Next,

Disable any Anti-virus software you have installed only if it stops software we may use from working:

https://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

Please remember to enable AV software when we are finished running scans....

Next,

Lets grab some logs and see whats going on, continue with the following:

Open Malwarebytes, select > small cog wheel top right hand corner, that will open "settings" from there select "Security" tab.

Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on....

Close out the settings window, this will take you back to "DashBoard" select the Blue "Scan Now" tab......

When the scan completes quarantine any found entries...

To get the log from Malwarebytes do the following:
 
  • Open Malwarebytes
  • Click on the Detection History tab > from main interface.
  • Then click on "History" that will open to a historical list
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:
    Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
    Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply

     
  • Please use "Text file (*.txt), then name the file and save to a place of choice, recommend "Desktop" then attach to reply


Next,

Download AdwCleaner by Malwarebytes onto your Desktop.

Or from this Mirror
 
  • Right-click on AdwCleaner.exe and select http://i.imgur.com/Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Quarantine button. This will kill all the active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply


Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status... If English is not your primary language Right click on FRST/FRST64 and rename FRSTEnglish/FRST64English

 
  • Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
    user posted image
     
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach that log to your reply.


Let me see those logs in your reply...

Thank you,

Kevin....
Link to post
Share on other sites

Just ran the AdwCleaner. The scan took like 3 seconds and didn't find any PUPs or adware, but flagged Samsung SmartSwitch as a preinstalled program. I use this to update and backup my phone, and don't want to get rid of it. Do I leave it unchecked and press quarantine to continue?

adwcleaner.jpg

Link to post
Share on other sites

Hiya Pidd,

Upload a File to Virustotal

Go to http://www.virustotal.com/
 
  • Click the Choose file button
  • Navigate to the file C:\Program Files\plugins.dat
  • Click the Scan it tab
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Copy and paste the URL address back here please.

Next,

I see the following blocks have been set up in firewall rules:

FirewallRules: [TCP Query User{B3122A2D-510B-475F-922C-DD39E1DA3E38}C:\program files\airdc++\airdc.exe] => (Block) C:\program files\airdc++\airdc.exe (AirDC++ Team) [File not signed]
FirewallRules: [UDP Query User{79AA244D-C9CB-4E5E-9DAD-3892B81D275F}C:\program files\airdc++\airdc.exe] => (Block) C:\program files\airdc++\airdc.exe (AirDC++ Team) [File not signed]

Have the blocks ceased, or are they still happening even with those blocks inplace...

Thank you,

Kevin

 

Link to post
Share on other sites

Hi Kevin,

I can't find Program Files under my C:.

There's only been the one block yes, but the firewall rules have been there for a while. I haven't opened the program since the block happened. When we're done here and/if things are looking OK, I feel like uninstalling it is the way to go.

Let me know how I can find the plugins.dat file you're after, and I'll scan it and get back to you!

 

EDIT: found the file under C:\Programs. Link: https://www.virustotal.com/gui/file/ed704ca7b587bb8829d4115f3e98e85cdcd5e8cc53388ca35bcd2e492c6d9f43

 

EDIT2: All of a sudden MWB made an entirely different block just now. I opened a word document of mine (completely legit Office 365). What even is this? What does it mean?

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 9/17/21
Protection Event Time: 12:21 PM
Log File: 0b4dbeb1-17a1-11ec-96b3-244bfede9b26.json

-Software Information-
Version: 4.4.6.132
Components Version: 1.0.1453
Update Package Version: 1.0.45016
License: Premium

-System Information-
OS: Windows 10 (Build 19043.1237)
CPU: x64
File System: NTFS
User: System

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Malware.Exploit.Agent.Generic, ComSpec=C:\Windows\system32\cmd.exe, Blocked, 0, 392684, 0.0.0, , 

-Exploit Data-
Affected Application: Microsoft Office Word
Protection Layer: Application Behavior Protection
Protection Technique: Exploit Office WMI abuse blocked
File Name: ComSpec=C:\Windows\system32\cmd.exe
URL: 

(end)

 

Edited by Pidd
Link to post
Share on other sites

  • Root Admin

Open Malwarebytes, click the small gear on the top right and go to the Security tab.
Scroll down to the bottom and click the Advanced Settings button
Click on the Application behavior protection tab
Scroll down to "Office WMI abuse prevention" and uncheck it

 

image.png

image.png

 

Link to post
Share on other sites

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

fixlist.txt

Link to post
Share on other sites

Nothing to be concerned about.... Run the following scan:

Please download Zemana AntiMalware and save it to your Desktop.
 
  • Install the program and once the installation is complete it will start automatically.
  • Without changing any options, press Scan to begin.
  • After the short scan is finished, if threats are detected press Next to remove them.


Note: If restart is required to finish the cleaning process, you should click Reboot. If reboot isn't required, please re-boot your computer manually.

Open Zemana again then do the following to get the latest report

Open Reports > select the report in question to highlight > select "Ctrl - A" keys together to highlight full report message > then "Ctrl - C" keys to copy to clipboard > then open notepad and select paste to copy the report there, then attach to reply....
Link to post
Share on other sites

Hi Kevin,

No more than the initial one block. And yes, I very much intend to uninstall it. I haven't opened it since the block and don't trust it anymore. Even if it turned out to be a false positive.

Thank you!

EDIT: I just uninstalled it. Nothing weird happened. When I checked the firewall settings, it still shows up though. Together with other uninstalled apps/games, so it doesn't seem to be out of place. Is there a way to remove it completely? Or maybe it doesn't matter. Still seems to be allowed in my public network, which is the one I'm using.

Edited by Pidd
  • Thanks 1
Link to post
Share on other sites

Hiya Pidd,

Thanks for the update, we can run a fresh scan with FRST and remove remnants with a subsequent fix...

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan" Select scan, when done post the new logs. "FRST.txt" and "Addition.txt"

user posted image
 
Thank you,
 
Kevin...
Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.