Jump to content

Recommended Posts

  • Root Admin

When ready you can obtain the logs the following way @syllinx

 

 

You can find Scan and Protection logs within the Malwarebytes 4 program in the following location

 

image.png

 

RTP stands for Real-Time Protection and is where automatic protection operations would normally be logged

 

image.png

 

If you click on the View option you should get something similar to the following with other options available.

 

image.png

 

 

If you still need further assistance with removal please let us know and we'll be happy to assist you

Thanks

 

 

Link to post
Share on other sites

  • Root Admin

Please use the following tool then to get us the full set of logs @syllinx

 

To begin, please do the following so that we may take a closer look at your installation for troubleshooting:

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to your desktop, please upload that file on your next reply

Thank you

 

Link to post
Share on other sites

I see now.

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 11/12/21
Protection Event Time: 11:14 AM
Log File: 0da2bfe6-43dc-11ec-831d-00ffb93d1ffd.json

-Software Information-
Version: 4.4.10.144
Components Version: 1.0.1499
Update Package Version: 1.0.47144
License: Premium

-System Information-
OS: Windows 11 (Build 22000.318)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Windows\SysWOW64\dllhost.exe, Blocked, -1, -1, 0.0.0, , 

-Website Data-
Category: Trojan
Domain: charlie.mail-input.info
IP Address: 104.21.74.22
Port: 80
Type: Outbound
File: C:\Windows\SysWOW64\dllhost.exe

(end)

 

 

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 11/12/21
Scan Time: 12:40 PM
Log File: f70269e2-43e7-11ec-90a8-00ffb93d1ffd.json

-Software Information-
Version: 4.4.10.144
Components Version: 1.0.1499
Update Package Version: 1.0.47148
License: Premium

-System Information-
OS: Windows 11 (Build 22000.318)
CPU: x64
File System: NTFS
User: DESKTOP-76UU6FO\Dad

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Cancelled
Objects Scanned: 177252
Threats Detected: 1
Threats Quarantined: 1
Time Elapsed: 0 min, 35 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 1
Backdoor.Remcos.E, HKU\S-1-5-21-795674982-3824527390-2081722903-1001\SOFTWARE\Remcos-MA40C8, Quarantined, 3807, 953056, 1.0.47148, , ame, , , 

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

Link to post
Share on other sites

  • Root Admin

Hello @syllinx

Do  you know what or where this link is from?

"url" : "charlie.mail-input.info"

It is being blocked about a hundred times today from the logs

Did you install or visit any site like that, that you're aware of?

It also shows as malicious on VirusTotal

https://www.virustotal.com/gui/url/c2685469efdf32f0476fac2ebdf818808dd60f760db354411cc3c05030573c25?nocache=1

 

Does your Avast antivirus find anything in it's report?

 

You have, or had some type of miner installed. The file seems to be gone by the entry is still there as a Task

HKU\S-1-5-21-795674982-3824527390-2081722903-1001\...\Run: [electron.app.Cudo Miner] => C:\Program Files\Cudo Miner\desktop\Cudo Miner Desktop.exe --autolaunch (No File)

 

Link to post
Share on other sites

  • Root Admin

Let me run a clean up script with you and we'll see if that helps to correct this or not.

 

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.  :\Users\Dad\Downloads\FRSTEnglish.exe
NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run :\Users\Dad\Downloads\FRSTEnglish.exe and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

NOTE-3: As part of this fix it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

 

Edited by AdvancedSetup
updated information
Link to post
Share on other sites

  • Root Admin

Possibly. The logs are not showing an obvious launch method. We can track it down though I'm sure if you have time to work with us on this.

 

 

Microsoft Safety Scanner

Please make sure you Exit out of any other program you might have open so that the sole task is to run the following scan.   
That goes especially for web browsers, make sure all are fully exited out of and messenger programs are exited and closed as well
 

STEP 1

Please set File Explorer to SHOW ALL folders, all files, including hidden ones.  Use OPTION ONE or TWO of this article

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

STEP 2

I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on the Scan Options & select the FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

  • Once you see it has started, take a long long break;  walk away.  Do not pay credence if you see some intermediate early flash messages on the screen display.  The only things that count are the End result at the end of the run.
  • The scan will take several hours.  Leave it alone. It will remove any other remaining threats as it goes along.  Take a very long break, do your normal personal errands .....just do not use the computer during this scan.

This is likely to run for many hours as previously mentioned  ( depending on the number of files on your machine & the speed of the hardware.)

The log is named MSERT.log  and the log will be at C:\Windows\debug\msert.log

Please attach that log with your next reply.

Thank you

 

Link to post
Share on other sites

  • Root Admin

The Microsoft scan didn't report finding anything. Only a tamper setting which is normal that it finds on all systems.

Please run the following

 

 

SecurityCheck by glax24              

I would like you to run a tool named SecurityCheck to inquire about the current security update status of some applications.

  • Download SecurityCheck by glax24: https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
  • If Microsoft SmartScreen blocks the download, click through to save the file
  • This tool is safe.   Smartscreen is overly sensitive.
  • If SmartScreen blocks the file from running click on More info and Run anyway
  • Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"  and reply YES to allow to run & go forward
  • Wait for the scan to finish. It will open a text file named SecurityCheck.txt Close the file.  Attach it with your next reply.
  • You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

 

image.png

image.png

image.png

 

Thank you

 

 

Link to post
Share on other sites

  • Root Admin

Thank you @syllinx

Does the backdoor entry still appear to be gone now?

 

Please uninstall, update, or otherwise address the following as appropriate for your system

 


------------------------------- [ Windows ] -------------------------------
Internet Explorer 11.1.22000.0 Warning! Download Update
User Account Control enabled
The elevation prompt for administrators disabled
^It is recommended to enable (default): Win+R typing UserAccountControlSettings and Enter^

 

--------------------------- [ OtherUtilities ] ----------------------------
Microsoft .NET Framework 1.1 SP1 Warning! This software is no longer supported.

Microsoft Silverlight v.5.1.50918.0 Warning! This software is no longer supported.

 

Microsoft .NET Framework 1.1 Security Update (KB2698023) Warning! This software is no longer supported.

Microsoft .NET Framework 1.1 Security Update (KB2833941) Warning! This software is no longer supported.

Microsoft .NET Framework 1.1 Security Update (KB979906) Warning! This software is no longer supported.

Microsoft .NET Framework 1.1 Warning! This software is no longer supported.


-------------------------- [ IMAndCollaborate ] ---------------------------

Discord v.1.0.9002 Warning! Download Update

 


-------------------------------- [ Media ] --------------------------------

HandBrake 1.4.1 v.1.4.1 Warning! Download Update

 

--------------------------- [ AdobeProduction ] ---------------------------

Adobe Shockwave Player 12.0 v.12.0.7.148 Warning! This software is no longer supported. Please uninstall it.

 


---------------------------- [ UnwantedApps ] -----------------------------

Driver Booster 9 v.9.0.1 Warning! Suspected demo version of anti-spyware, driver updater or optimizer. If this program is not familiar to you it is recommended to uninstall it and execute PC scanning using Malwarebytes Anti-Malware. Possible you became a victim of fraud or social engineering.

Smart Defrag 7 v.7.2.0.91 Warning! Suspected demo version of anti-spyware, driver updater or optimizer. If this program is not familiar to you it is recommended to uninstall it and execute PC scanning using Malwarebytes Anti-Malware. Possible you became a victim of fraud or social engineering.

 

 

 

Edited by AdvancedSetup
updated information
Link to post
Share on other sites

  • 4 months later...
  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy Tips to help protect from infection

Thank you

 

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.