I clicked on a .scr file, because it was renamed to .mp4


Solved by kevinf80

Hi,

I clicked a .scr file, because it was named .mp4. I feel like such a moron, because I didn't check the file enough. I feel so dumb. Anyhow, I ran a Malwarebytes scan before I clicked on it and it said there were no issues. I even ran a Malwarebytes scan after I clicked on it and an Avast scan, but nothing came up.

I even downloaded AdwCleaner and it found nothing.

I hit Windows+R and tried to go through my computer with regedit and I couldn't find anything. I couldn't find anything in Task Manager. I read somewhere that some of these .scr trojans aren't in some databases and it's driving me nuts. I feel like I totally messed up and my computer is going to be encrypted and held for ransom. Or other things.

Would anyone be willing to look into the file and tell me what it changed on my computer? I could upload the file if need be. I'm so sorry to ask this, but I'm definitely losing sleep over my dumb mistake. It's totally my fault. I should have been more careful.


Hiya SugarShaun and welcome to Malwarebytes,

Yes please upload the problem file to your next reply. Zip the file up first...

Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security software alerts on FRST, either accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status... If English is not your primary language, right-click on FRST/FRST64 and rename it FRSTEnglish/FRST64English.

 
  • Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The tool will also make a log named (Addition.txt) Please also attach that log to your reply.


If necessary:

Disable SmartScreen ONLY if it interferes with software we may have to use:

https://support.microsoft.com/en-us/microsoft-edge/what-is-smartscreen-and-how-can-it-help-protect-me-1c9a874a-6826-be5e-45b1-67fa445a74c8

Please remember to enable when we are finished....

Next,

Disable any Anti-virus software you have installed ONLY if it stops software we may use from working:

https://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

Please remember to enable AV software when we are finished running scans....


Thank you,

Kevin

Hello, I greatly appreciate your reply. Thank you so, so much for trying to help!

I'm downloading Farbar right now! I had to look into it before downloading it. I'm a bit on edge right now. LOL! But, it seems safe, so thank you!

I will let you know the results. I will upload the .zip with the offending file and the rest of the stuff I was sent.

I really, really appreciate your help!

Example_video_integration.zip


Hello Kevin or anyone else interested,

Here are the Farbar results! I greatly appreciate your help. I am so grateful for people who are willing to take the time out to help others like this.

By the way, my computer name is steal, not because I'm a thief, but because I use the name StealSpeaks. It's based off of a username I have when gaming.

FRST.txt Addition.txt



Where did the file come from? Size is 556 MB. File is definitely malicious and classed as a decompression bomb. I do not see any obvious Malware or Infection in your logs. Run the following please and post the produced log:

Download Sophos Scan and Clean and save it to your desktop.

If your security software alerts on this scan, either accept the alert or turn off your security to allow Sophos to run and complete.....

Please Do Not use your PC whilst the scan is in progress.... This scan is very thorough so may take a while to complete...

You will have to register your name and email address to download the tool. You will also have to confirm your email address again each time the scan is started...

Found entries will have options to delete or quarantine; if you believe they may be false positives you can change to ignore.

A reboot may be requested to remove difficult malware/infection, please allow that to happen.

Saved logs are found here: C:\ProgramData\Sophos\ScanandClean\Logs

Thank you,

Kevin

Hello Kevin,

It's 556 MB? WOW! I got it from an email. It was from a person I was talking to about advertisements. Anyhow, I wasn't asked if I wanted to install anything when I clicked it. I clicked it and nothing really happened.

You don't see anything in my system? I really hope it didn't install anything then! That would be great!

I ran the scan! I attached the logs!

Thank you so much!

SophosScanAndClean_20211201_0329.log


Hey Kevin,

Did you look into what the .scr file installs on your computer? Would you give me the file names and where they are located so that I may manually search for them? 

That is if you could do something like that.

I want to be sure there's nothing weird on my computer. I really, really appreciate your assistance! Thank you so much!

 


I'd suggest you delete that file, I never actually opened it. I uploaded it to a couple of websites I use for analysis, hence the result I posted to you. Looking at your FRST logs your system appears to be clean, also you've run Malwarebytes and AdwCleaner with no findings. Sophos has only flagged cookies, nothing to be concerned about..

Run the following to check your system further:

I would like you to run a tool named SecurityCheck to inquire about the current security update status of some applications.

Download SecurityCheck by glax24: https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
If Microsoft SmartScreen blocks the download, click through to save the file.
This tool is safe. SmartScreen is overly sensitive.
If SmartScreen blocks the file from running, click on More info and Run anyway.
Right-click with your mouse on SecurityCheck.exe and select "Run as administrator" and reply YES to allow it to run & go forward.
Wait for the scan to finish. It will open a text file named SecurityCheck.txt. Close the file. Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt


Hi Kevin,

Again, thank you so much for sticking with me through this. I totally deleted that file as soon as I realized what it was. I felt so dumb for clicking on it.

I appreciate you giving me peace of mind. I still changed some passwords. LOL.

What website do you use for analysis? That's awesome!

Here are the results of security check:

 

SecurityCheck by glax24 & Severnyj v.1.4.0.53 [27.10.17]
WebSite: www.safezone.cc
DateLog: 01.12.2021 04:19:14
Path starting: C:\Users\steal\AppData\Local\Temp\SecurityCheck\SecurityCheck.exe
Log directory: C:\SecurityCheck\
IsAdmin: True
User: steal
VersionXML: 9.29is-27.11.2021
___________________________________________________________________________

Windows 10(6.3.19042) (x64) Core Release: 2009 Lang: English(0409)
Installation date OS: 07.05.2021 06:04:49
LicenseStatus: Windows(R), Core edition The machine is permanently activated.
LicenseStatus: Office 16, Office16O365HomePremR_Subscription4 edition Timebased activation will expire :42765 minutes
LicenseStatus: Office 16, Office16O365HomePremR_Grace edition Windows is in Notification mode
Boot Mode: Normal
Default Browser: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
SystemDrive: C: FS: [NTFS] Capacity: [464.6 Gb] Used: [405.9 Gb] Free: [58.7 Gb]
------------------------------- [ Windows ] -------------------------------
Internet Explorer 11.789.19041.0
User Account Control enabled (Level 3)
Security Center (wscsvc) - The service is running
Remote Registry (RemoteRegistry) - The service has stopped
SSDP Discovery (SSDPSRV) - The service is running
Remote Desktop Services (TermService) - The service has stopped
Windows Remote Management (WS-Management) (WinRM) - The service has stopped
---------------------------- [ Antivirus_WMI ] ----------------------------
Windows Defender (disabled and up to date)
Avast Antivirus (enabled and up to date)
---------------------------- [ Firewall_WMI ] -----------------------------
Avast Antivirus (enabled)
---------------------- [ AntiVirusFirewallInstall ] -----------------------
Avast One v.21.10.2498
Malwarebytes version 4.4.10.144 v.4.4.10.144 Warning! Download Update
--------------------------- [ OtherUtilities ] ----------------------------
Microsoft 365 - en-us v.16.0.14527.20276
NVIDIA GeForce Experience 3.24.0.123 v.3.24.0.123
Steam v.2.10.91.91
Epic Games Launcher v.1.1.279.0
------------------------------- [ Backup ] --------------------------------
Microsoft OneDrive v.21.220.1024.0005
------------------------------ [ ArchAndFM ] ------------------------------
WinRAR 5.90 (64-bit) v.5.90.0 Warning! Download Update
------------------------------- [ Imaging ] -------------------------------
GIMP 2.10.22 v.2.10.22 Warning! Download Update
-------------------------- [ IMAndCollaborate ] ---------------------------
Discord v.0.0.309 Warning! Download Update
Zoom v.5.8.0 (1324) Warning! Download Update
-------------------------------- [ Media ] --------------------------------
VLC media player v.3.0.16
QuickTime 7 v.7.79.80.95 Warning! This software is no longer supported. Please uninstall it and use another software.
------------------------------- [ Browser ] -------------------------------
Google Chrome v.96.0.4664.45
Microsoft Edge v.96.0.1054.34
------------------ [ AntivirusFirewallProcessServices ] -------------------
aswbIDSAgent (aswbIDSAgent) - The service is running
C:\Program Files\Avast Software\Avast\aswidsagent.exe v.21.10.6772.0
C:\Program Files\Avast Software\Avast\aswEngSrv.exe v.21.10.6772.0
C:\Program Files\Avast Software\Avast\AvastUI.exe v.21.10.6772.0
C:\Program Files\Avast Software\Avast\afwServ.exe v.21.10.6772.0
C:\Program Files\Avast Software\Avast\AvLaunch.exe v.21.10.6772.0
AvastWscReporter (AvastWscReporter) - The service is running
C:\Program Files\Avast Software\Avast\wsc_proxy.exe v.21.4.6162.0
aswbIDSAgent (aswbIDSAgent) - The service is running
Avast Firewall Service (avast! Firewall) - The service is running
Avast Antivirus (avast! Antivirus) - The service is running
C:\Program Files\Avast Software\Avast\AvastSvc.exe v.21.10.6772.0
Avast SecureLine VPN (SecureLine) - The service is running
C:\Program Files\Avast Software\SecureLine VPN\VpnSvc.exe v.5.14.5808.0
C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe v.4.0.0.1162
Malwarebytes Service (MBAMService) - The service is running
C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe v.3.2.0.1005
Microsoft Defender Antivirus Service (WinDefend) - The service has stopped
Microsoft Defender Antivirus Network Inspection Service (WdNisSvc) - The service has stopped
---------------------------- [ UnwantedApps ] -----------------------------
Wondershare Helper Compact 2.6.0 v.2.6.0 Warning! Application is distributed through the partnership programs and bundle assemblies. Uninstallation recommended. Possible you became a victim of fraud or social engineering.
----------------------------- [ End of Log ] ------------------------------
 

 


I use VirusTotal and Jotti for analysis purposes...

http://www.virustotal.com/

http://virusscan.jotti.org/

From the security scan the following needs to be done:

QuickTime 7 v.7.79.80.95 Warning! This software is no longer supported. Please uninstall it.

Malwarebytes version 4.4.10.144 v.4.4.10.144 Warning! Download Update

WinRAR 5.90 (64-bit) v.5.90.0 Warning! Download Update

Wondershare Helper Compact 2.6.0 v.2.6.0 Warning! Application is distributed through the partnership programs and bundle assemblies. Uninstallation recommended

Next,

Download KpRm by kernel-panik and save it to your desktop.
  • Right-click kprm_(version).exe and select Run as Administrator.
  • When the tool opens, ensure all boxes are checked, and select Run.
  • Once complete, click OK.
  • A log will open in Notepad titled kprm-(date).txt.
  • Please copy and paste its contents in your next reply.


Next,

1. How to create strong Passwords - https://www.howtogeek.com/195430/how-to-create-a-strong-password-and-remember-it/

2. How to keep all software up to date - PatchMyPC - https://patchmypc.com/home-updater#download

3. Keep your Operating System up to date and current - https://support.microsoft.com/en-us/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2

4. Answers to Security Questions and Best Practices - https://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

5. Malwarebytes Browser Guard (Free) for Firefox, Chrome and Edge: https://support.malwarebytes.com/hc/en-us/articles/4402157637523-VIDEO-Set-Up-and-Use-Malwarebytes-Browser-Guard-Chrome-Edge-and-Firefox-

Take care and surf safe

Kevin...
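As an added example, not code from the thread or from any of the tools named in it, here is a small Python check for the situation the original post describes and for the kind of local triage that goes with a VirusTotal lookup: a Windows screensaver (.scr, which is an ordinary PE executable) carrying a video name. It identifies the content by its leading bytes instead of trusting the file name, flags a double extension such as video.mp4.scr (Explorer hides the final extension by default, so the user sees video.mp4), and computes the SHA-256 so the hash can be searched on VirusTotal without uploading the file at all. The signature table, the extension lists and the sample byte strings are constructed for the example.

```python
import hashlib
import os

# Content signatures, constructed for this example; the three types that
# matter in the thread. A .scr screensaver is a plain PE executable.
def _is_pe(d: bytes) -> bool:
    return d[:2] == b"MZ"

def _is_mp4(d: bytes) -> bool:
    return len(d) >= 12 and d[4:8] == b"ftyp"

def _is_zip(d: bytes) -> bool:
    return d[:4] in (b"PK\x03\x04", b"PK\x05\x06")

SIGNATURES = {"pe-executable": _is_pe, "mp4-video": _is_mp4, "zip-archive": _is_zip}

# Extensions Windows runs as code when double-clicked.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}

# Extensions each content type is expected to carry.
EXPECTED_EXTS = {
    "pe-executable": EXECUTABLE_EXTS,
    "mp4-video": {".mp4", ".m4v", ".mov"},
    "zip-archive": {".zip"},
}


def sniff(data: bytes) -> str:
    """Identify content by leading bytes, ignoring the file name entirely."""
    for kind, matches in SIGNATURES.items():
        if matches(data):
            return kind
    return "unknown"


def is_disguised(name: str, data: bytes) -> bool:
    """True when the visible extension disagrees with the sniffed content,
    e.g. a PE file saved as video.mp4."""
    kind = sniff(data)
    if kind == "unknown":
        return False
    ext = os.path.splitext(name)[1].lower()
    return ext not in EXPECTED_EXTS[kind]


def has_double_extension(name: str) -> bool:
    """True for names like video.mp4.scr: the real (last) extension is
    executable and a decoy extension sits before it. Explorer hides the last
    extension by default, so the user sees video.mp4."""
    base, last = os.path.splitext(name)
    inner = os.path.splitext(base)[1]
    return last.lower() in EXECUTABLE_EXTS and inner != ""


def sha256_hex(data: bytes) -> str:
    """Hash to search on VirusTotal without uploading the file itself."""
    return hashlib.sha256(data).hexdigest()


def triage(name: str, data: bytes) -> dict:
    return {
        "name": name,
        "content": sniff(data),
        "disguised": is_disguised(name, data),
        "double_extension": has_double_extension(name),
        "sha256": sha256_hex(data),
    }


# Constructed sample bytes, not the file from the thread: a minimal DOS/PE
# stub header and a minimal MP4 'ftyp' box.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 20
REAL_MP4 = b"\x00\x00\x00\x18ftypmp42\x00\x00\x00\x00mp42isom"

if __name__ == "__main__":
    for name, data in (
        ("Example_video.mp4", FAKE_PE),        # PE content behind a video name
        ("Example_video.mp4.scr", FAKE_PE),    # double extension
        ("clip.mp4", REAL_MP4),                # genuine video
    ):
        print(triage(name, data))
```

On a real file, read the first few hundred bytes with `open(path, "rb").read(512)` for the sniff and hash the whole file in chunks; the point is that the name is the attacker's choice and the bytes are not.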

Hello Kevin!

Again, you are really amazing and I really appreciate what you do. After I post this, I will be donating to your PayPal, because I do appreciate what you do for me and others.

Also, would you mind if I asked a few questions about malware? I'm interested in knowing more and you seem very knowledgeable!

Anyhow, I don't know if I could remove QuickTime, because I use Pro Tools and I think Pro Tools uses that for MP3s or something. I will have to look into that. I remember it wanting me to download QuickTime, but that was years ago. There may be another solution to that.

I told Malwarebytes to check for updates. Or do I have to download a new version of Malwarebytes from their website?

I updated WinRAR.

Wondershare Helper Compact is part of Filmora's Wondershare program. I use it to edit videos. I don't know if I can remove it without it causing me difficulties.

As for passwords, I use a program to create crazy passwords. I should definitely download Malwarebytes browser extension. Good looking out there!

What does patch my PC do? 

Also, I'm afraid to update my operating system. Sometimes, it causes problems. But, I do understand the security threat.

Here is the report from KpRm:

# Run at 12/1/2021 8:36:14 PM
# KpRm (Kernel-panik) version 2.9.2
# Website https://kernel-panik.me/tool/kprm/
# Run by steal from C:\Users\steal\Downloads
# Computer Name: DESKTOP-JE2FCR1
# OS: Windows 10 X64 (19042) 
# Number of passes: 1

- Checked options -

    ~ Registry Backup
    ~ Delete Tools
    ~ Restore System Settings
    ~ UAC Restore
    ~ Delete Restore Points
    ~ Create Restore Point
    ~ Delete Quarantines after 7 days

- Create Registry Backup -

   ~ [OK] Hive C:\WINDOWS\System32\config\SOFTWARE backed up
   ~ [OK] Hive C:\Users\steal\NTUSER.dat backed up

     [OK] Registry Backup: C:\KPRM\backup\2021-12-01-20-36-13

- Delete Tools -


  ## AdwCleaner
     [OK] C:\Users\steal\Downloads\adwcleaner_8.3.1.exe deleted

  ## FRST
     [OK] C:\Users\steal\Downloads\Addition.txt deleted
     [OK] C:\Users\steal\Downloads\FRST.txt deleted
     [OK] C:\Users\steal\Downloads\FRST64.exe deleted

  ## SecurityCheck
     [OK] C:\Users\steal\Downloads\SecurityCheck.exe deleted

- Other Lines -


  ## Quarantines that will be deleted in 7 days (2021/12/08)
    ~ C:\AdwCleaner (AdwCleaner)
    ~ C:\FRST (FRST)

- Restore System Settings -

     [OK] Reset WinSock
     [OK] FLUSHDNS
     [OK] Hide Hidden file.
     [OK] Show Extensions for known file types
     [OK] Hide protected operating system files

- Restore UAC -

     [OK] Set EnableLUA with default (1) value
     [OK] Set ConsentPromptBehaviorAdmin with default (5) value
     [OK] Set ConsentPromptBehaviorUser with default (3) value
     [OK] Set EnableInstallerDetection with default (0) value
     [OK] Set EnableSecureUIAPaths with default (1) value
     [OK] Set EnableUIADesktopToggle with default (0) value
     [OK] Set EnableVirtualization with default (1) value
     [OK] Set FilterAdministratorToken with default (0) value
     [OK] Set PromptOnSecureDesktop with default (1) value
     [OK] Set ValidateAdminCodeSignatures with default (0) value

- Clear Restore Points -

   ~ [OK] RP named Scheduled Checkpoint created at 11/20/2021 23:14:49 deleted
   ~ [OK] RP named Scheduled Checkpoint created at 11/29/2021 01:43:36 deleted
     [OK] All system restore points have been successfully deleted

- Create Restore Point -

     [OK] System Restore Point created

- Display System Restore Point -

   ~ RP named KpRm created at 12/02/2021 04:36:24

-- KPRM finished in 22.65s --


Hiya Shaun,

PatchMyPC is an excellent application. Once downloaded, please read up at the website and watch the video for full instructions:

https://patchmypc.com/home-updater#download

Malware and/or infections are a daily problem for PC users; it is essential to keep all used applications and operating systems current with updates and patches as and when required. PatchMyPC is a great tool for that action.
Obviously downloading free software needs caution, as does opening links inside emails and other types of media messages. A big caution against using torrenting software and sites.

It is a critical must to have a good security system, and again that must also be kept up to date and current. I use Windows Firewall, Windows Defender and Malwarebytes Premium.

Hope that helps you...

Regards,

Kevin.

That does help, Kevin. Thank you! I will definitely check that latest link you sent me.

So, my PC seems like it's in the clear? When I clicked on the .scr file I got the blue spinning wheel like my computer was thinking, but nothing happened after that. Does that mean it didn't download? I wasn't asked if I wanted to make changes to my hard drive. So, that's good.

If hackers were to get malware onto someone's computer, how long do they usually wait until they trigger the malware script? Is it instant or do they wait a few days? I figured it would be instant, because it would be written in the code. I don't know if anyone would know that.

What type of attack was the .scr that was sent to me? A crypto locker or a keystroke logger?

Anyhow, I appreciate your help, Kevin. Thank you so much for the service you provide the Malwarebytes community! 


Hiya Shaun,

There is no evidence in your logs to show the presence of any malware/infection. If the file had been successfully opened you would have been aware very quickly...

A compression bomb, or better described as a decompression bomb as it initiates when unzipped or decompressed, is sometimes also described as a zip bomb or zip bomb of death. This is a malicious archive file containing a large amount of compressed data. When the file is opened it is designed to crash the program that's reading it and generally wreak havoc on the rest of the system.
I do not believe this type of infection is designed to encrypt or harvest data; it is pure evil designed to break your computer and leave it unusable.

Does that help?

Regards,

Kevin

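As an added illustration of the decompression-bomb behaviour Kevin describes, and not code from the thread or from any tool used in it: the Python below reads only a ZIP's central directory to compare the declared uncompressed size with the compressed size, flags an implausible expansion ratio or a nested archive before anything is inflated, and then extracts a member under a byte budget so that a size field that lies still cannot fill the disk or exhaust memory. The thresholds and the two in-memory sample archives (one ordinary text file, one 16 MiB run of zeros that deflates to a few kilobytes) are constructed for the example.

```python
import io
import zipfile

# Thresholds chosen for this example; tune them to the environment.
MAX_RATIO = 100            # declared bytes / compressed bytes; real media sits near 1
MAX_DECLARED = 1 << 30     # refuse anything declaring more than 1 GiB of output


def inspect_zip(data: bytes) -> dict:
    """Look at the central directory only; nothing is inflated here."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    compressed = sum(i.compress_size for i in infos)
    declared = sum(i.file_size for i in infos)
    # A zip inside a zip is the classic way to multiply the ratio per layer.
    nested = [i.filename for i in infos if i.filename.lower().endswith(".zip")]
    ratio = declared / compressed if compressed else float("inf")
    return {
        "members": len(infos),
        "compressed_bytes": compressed,
        "declared_bytes": declared,
        "ratio": ratio,
        "nested_archives": nested,
        "suspicious": ratio > MAX_RATIO or declared > MAX_DECLARED or bool(nested),
    }


def extract_member(data: bytes, member: str, budget: int) -> bytes:
    """Inflate one member in chunks and stop at the budget. The central
    directory's file_size is attacker-controlled, so count the real output."""
    out = bytearray()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        with zf.open(member) as fh:
            while True:
                chunk = fh.read(64 * 1024)
                if not chunk:
                    break
                out.extend(chunk)
                if len(out) > budget:
                    raise ValueError(f"{member}: output exceeded {budget} bytes")
    return bytes(out)


def exceeds_budget(data: bytes, member: str, budget: int) -> bool:
    """Convenience wrapper: True when extraction had to be aborted."""
    try:
        extract_member(data, member, budget)
    except ValueError:
        return True
    return False


def build_zip(members: dict) -> bytes:
    """Helper to construct the sample archives in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples. The "bomb" is tiny by real standards, but its 16 MiB
# of zeros deflate to a few kilobytes, which is the signature being tested.
BENIGN_ZIP = build_zip(
    {"readme.txt": "".join(f"line {i} of the meeting notes\n" for i in range(40)).encode()}
)
BOMB_ZIP = build_zip({"video.mp4.scr": b"\x00" * (16 * 1024 * 1024)})

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_ZIP), ("bomb", BOMB_ZIP)):
        print(label, inspect_zip(blob))
    print("bomb exceeds 1 MiB budget:", exceeds_budget(BOMB_ZIP, "video.mp4.scr", 1 << 20))
```

The two checks are deliberately separate: the directory scan is cheap and catches an honest but absurd declaration, while the budgeted extraction is what actually protects you when the declared sizes have been forged, and it is the one that also applies to formats other than ZIP.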

Hello Kevin,

You mentioned it being a compression/decompression bomb. I totally forgot you called it that! Wow! Thank you for letting me know how quickly I would know the effects and thank you for reassuring me that my system should be fine. I appreciate that a lot.

Thank you for letting me know the purpose of such attacks too!

You've been very helpful and I appreciate your help and you taking the time to answer my questions. 

We're very lucky to have volunteers like you providing services! Again, thank you!


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy Tips to help protect from infection

Thank you

 

 

