sp123 Posted December 6, 2021 ID:1491621 (edited)
MBAM's scheduled scan detected a Rogue.TechSupportScam registry key: tss_log.txt
Instead of removing it, I ran a full system scan with MBAM, and I also ran Hitman Pro, Norton, Emsisoft Malware scan, and Windows Defender quick scan. No threats except that MBAM detected the same registry key.
Security Check log: SecurityCheck.txt
Note: The reason VirtualBox is out-of-date is that the latest version breaks everything.
FRST: FRST.txt Addition.txt
MBAM full scan: MBAM-scan-log.txt (anything in the Shared or Lab folders can be ignored; those threats are not active and are part of my malware samples)
The scan also detected these two .dll files, which I have attached. Both are VirusTotal clean. Files: false_positive.zip
I went to the key specified but there was nothing there, which worries me.
I ran an sfc scan, and it found no issues. As this doesn't scan for malware, it doesn't really mean much.
It may - or may not - be relevant, but MBAM keeps showing these two prompts: These just pop up while using my device. I scanned that IP with VT and Fortinet was the only one which detected it. There did seem to be some phishing domains on this IP, but the prompt doesn't mention a domain.
Detection logs: 2_MBAM.txt 1_MBAM.txt 3_MBAM.txt
I can provide more details as needed.
Edited December 6, 2021 by sp123: sfc scan
sp123 (Author) Posted December 6, 2021 ID:1491622 (edited)
[comment deleted]
Edited December 6, 2021 by sp123
kevinf80 Posted December 6, 2021 ID:1491631
Hello sp123 and welcome to Malwarebytes,
Run the following scan, let's see if anything shows up:
Download Farbar Recovery Scan Tool and save it to your desktop. Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html
Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
If your security alerts to FRST, either accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...
Be aware FRST must be run from an account with Administrator status...
If English is not your primary language, right click on FRST/FRST64 and rename it FRSTEnglish/FRST64English.
Double-click to run it. When the tool opens click Yes to disclaimer. (Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
Make sure Addition.txt is checkmarked under "Optional scans".
Press the Scan button to run the tool....
It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
The tool will also make a log named (Addition.txt). Please also attach that log to your reply.
If necessary: Disable SmartScreen ONLY if it interferes with software we may have to use: https://support.microsoft.com/en-us/microsoft-edge/what-is-smartscreen-and-how-can-it-help-protect-me-1c9a874a-6826-be5e-45b1-67fa445a74c8
Please remember to enable it when we are finished....
Next, disable any Anti-virus software you have installed ONLY if it stops software we may use from working: https://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/
Please remember to enable AV software when we are finished running scans....
Thank you,
Kevin
sp123 (Author) Posted December 6, 2021 ID:1491632 (edited)
I already ran it, but re-ran from an admin account and attached the log(s): FRST.txt Addition.txt
Edited December 6, 2021 by sp123: Corrected
kevinf80 Posted December 6, 2021 ID:1491667
FRST.txt is not complete...?
sp123 (Author) Posted December 6, 2021 ID:1491701 (edited)
1 hour ago, kevinf80 said: FRST.txt is not complete...?
Weird. Let me re-download and re-run FRST. Sorry for the inconvenience.
Logs: Moved to new comment
Addition.txt FRST.txt FRST.txt
Edited December 6, 2021 by sp123
sp123 (Author) Posted December 6, 2021 ID:1491707
@kevinf80 logs: FRST.txt Addition.txt
kevinf80 Posted December 6, 2021 ID:1491781
Hiya sp123,
Thanks for those logs, continue:
Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE. It's important that both files, FRST or FRSTEnglish, and fixlist.txt are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.
Run FRST or FRST64 and press the Fix button just once and wait. If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.
Note: If the tool warned you about an outdated version please download and run the updated version.
NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files.
NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed.
The following directories are emptied:
Windows Temp
Users Temp folders
Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History
Recently opened files cache
Flash Player cache
Java cache
Steam HTML cache
Explorer thumbnail and icon cache
BITS transfer queue (qmgr*.dat files)
Recycle Bin
Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.
The system will be rebooted after the fix has run.
Next,
Please download AdwCleaner by Malwarebytes and save the file to your Desktop. https://downloads.malwarebytes.com/file/adwcleaner
Right-click on the program and select Run as Administrator to start the tool.
Accept the Terms of use.
Wait until the database is updated.
Click Scan Now.
When finished, select any found entries then select Quarantine. An alert may show that all processes will be closed before selected items are quarantined. Save anything important before progressing.
A reboot may be needed to finish up.
Post the produced log when complete.
Next,
Download Sophos Scan and Clean and save it to your desktop.
If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....
Please Do Not use your PC whilst the scan is in progress.... This scan is very thorough so may take awhile to complete...
You will have to register your name and email address to download the tool. You will also have to confirm your email address again each time the scan is started...
Found entries will have options to delete or quarantine; if you believe they may be false positives you can change to ignore.
A reboot may be requested to remove difficult malware/infection, please allow that to happen.
Saved logs are found here: C:\ProgramData\Sophos\ScanandClean\Logs
Please attach the produced logs to your next reply.
Thank you,
Kevin
fixlist.txt
sp123 (Author) Posted December 6, 2021 ID:1491792 (edited)
I ran the fix and have run the other tool, which only detected either FPs or files in my malware collection. Attached anyway: SophosScanAndClean_20211206_1751.log
Edited December 6, 2021 by sp123
kevinf80 Posted December 6, 2021 ID:1491806
Can I see the log from the FRST fix?
sp123 (Author) Posted December 6, 2021 ID:1491814
Sorry - Fixlog.txt
kevinf80 Posted December 7, 2021 ID:1491910
That log is from the second run of the fix; can I see the log from the first run please?
sp123 (Author) Posted December 7, 2021 ID:1491911
1 minute ago, kevinf80 said: That fix is from the second run of the fix, can I see the log from the first run please..
I think it deleted the first log.
kevinf80 Posted December 7, 2021 ID:1491912
What is the current status of your PC..?
sp123 (Author) Posted December 7, 2021 ID:1491924 (edited)
It works fine but it seems the notifications keep popping up:
Edited December 7, 2021 by sp123
sp123 (Author) Posted December 7, 2021 ID:1491925 (edited)
I found - could it be an FP? The VPN still works, and wasn't on when I got that notification, but maybe? I have quit PIA so will see if the notifications go away.
Edited December 7, 2021 by sp123
kevinf80 Posted December 7, 2021 ID:1491932
It certainly seems to be PIA causing the problem, see what happens with it OFF.
sp123 (Author) Posted December 7, 2021 ID:1491945 (edited)
4 hours ago, kevinf80 said: It certainly seems to be PIA causing the problem, see what happens with it OFF
I quit it, and despite two reboots and normal use of my device, the popups have not appeared again. As soon as I re-enabled it, the popups came back. Should I report the issue to the PIA devs or could it just be a MBAM FP?
Edited December 7, 2021 by sp123
kevinf80 Posted December 7, 2021 ID:1492000
We need to upload a file to Jotti
1. Go here: http://virusscan.jotti.org/ to get to Jotti's site. Accept the cookie option.
2. Use the Browse button to locate the following file on your system: C:\Program Files\Private Internet Access\pia-client.exe
3. Once you have located the file, click SUBMIT and the content of the file will be uploaded by the site and analysed.
4. Please provide me with the results of the analysis...
sp123 (Author) Posted December 7, 2021 ID:1492001
Done. Uploaded to both VT and virusscan.jotti.org:
pia-client.exe - Jotti's malware scan
VirusTotal - File - 52ad74abf7ecc3b20bbc03e953dd8c001abee8f750c6567334d9e2e52028e352
kevinf80 Posted December 7, 2021 ID:1492004 (marked as Solution)
As you suspect, looks very much like a false positive.. I`ll ask for advice from one of the admins.....
AdvancedSetup (Root Admin) Posted December 8, 2021 ID:1492013
Please gather MBST logs and post them back.
To begin, please do the following so that we may take a closer look at your installation for troubleshooting:
NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.
Download the Malwarebytes Support Tool
In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
In the User Account Control pop-up window, click Yes to continue the installation
Run the MBST Support Tool
In the left navigation pane of the Malwarebytes Support Tool, click Advanced
In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
A zip file named mbst-grab-results.zip will be saved to your desktop, please upload that file on your next reply
Thank you
sp123 (Author) Posted December 8, 2021 ID:1492015
Log: mbst-grab-results.zip
However, the tool (without asking) reset my HOSTS file, which had several intentional modifications - including a (sadly outdated) version of my antimalware blocklist. Is there any way I can undo that?
AdvancedSetup (Root Admin) Posted December 8, 2021 ID:1492018
The logs show 2710 entries and that it has not been modified since 2021-10-01 18:29.
I am not aware of any modifications by the MBST tool to modify the hosts file. I could potentially see it from the Farbar tool but Kevin has already had you run it many times without it modifying it.
From an elevated admin command prompt please type the following and post back the results:
DIR /A C:\WINDOWS\system32\drivers\etc\hosts
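The disagreement above (did a cleanup tool reset the hosts file, or not) is settled with a timestamp and entry count; the following PowerShell is an added example, not from the thread or from any of the tools named in it, that records those facts plus a hash and a full copy before the tools run and compares afterwards. It assumes the default hosts location and a baseline path under the user profile that is an arbitrary choice.

```powershell
# Added example (not from the thread): snapshot the hosts file before running
# cleanup tools, then compare afterwards to tell whether it was actually reset.
# Assumes the default Windows location; the baseline path is an arbitrary choice.
$HostsPath    = "$env:SystemRoot\System32\drivers\etc\hosts"
$BaselinePath = "$env:USERPROFILE\hosts.baseline"   # assumption: any writable location

function Get-HostsStatus {
    param([string]$Path = $HostsPath)
    $item  = Get-Item -LiteralPath $Path -Force        # -Force also sees hidden files
    $lines = Get-Content -LiteralPath $Path
    # Count real mappings only: skip blank lines and '#' comments, which is the
    # kind of "N entries" figure a log tool reports.
    $entries = @($lines | Where-Object { $_.Trim() -and -not $_.Trim().StartsWith('#') })
    [pscustomobject]@{
        Path          = $Path
        LastWriteTime = $item.LastWriteTime
        SizeBytes     = $item.Length
        EntryCount    = $entries.Count
        Sha256        = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

function Save-HostsBaseline {
    # Keep both a metadata record and a full copy so a reset can be undone.
    Copy-Item -LiteralPath $HostsPath -Destination $BaselinePath -Force
    Get-HostsStatus | Export-Clixml -LiteralPath "$BaselinePath.xml"
}

function Compare-HostsToBaseline {
    $before = Import-Clixml -LiteralPath "$BaselinePath.xml"
    $after  = Get-HostsStatus
    if ($before.Sha256 -eq $after.Sha256) {
        "hosts unchanged: $($after.EntryCount) entries, last written $($after.LastWriteTime)"
    } else {
        "hosts CHANGED: entries $($before.EntryCount) -> $($after.EntryCount); " +
        "last written $($before.LastWriteTime) -> $($after.LastWriteTime). " +
        "Restore (elevated) with: Copy-Item '$BaselinePath' '$HostsPath' -Force"
    }
}

# Usage: Save-HostsBaseline before the cleanup tools, Compare-HostsToBaseline after.
```

Restoring requires an elevated session because the hosts file is writable only by administrators; the hash comparison is what distinguishes a genuine rewrite from a file that merely looks different in a scan log.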
sp123 (Author) Posted December 8, 2021 ID:1492035
It said something about FRST - a notepad window popped up but I already closed it.
It's late so will check back on this in the morning.
Result: