
Rogue.TechSupportScam registry key?


sp123

MBAM's scheduled scan detected a Rogue.TechSupportScam registry key: tss_log.txt

Instead of removing it, I ran a full system scan with MBAM, and I also ran Hitman Pro, Norton, Emsisoft Malware scan, and Windows Defender quick scan. No threats except that MBAM detected the same registry key.

Security Check log: SecurityCheck.txt

Note: The reason VirtualBox is out-of-date is because the latest version breaks everything

FRST: FRST.txt Addition.txt

MBAM full scan: MBAM-scan-log.txt (anything in the Shared or Lab folders can be ignored; those threats are not active and are part of my malware samples)

The scan also detected these two .dll files, which I have attached. Both are VirusTotal clean. Files: false_positive.zip

I went to the key specified but there was nothing there, which worries me.

I ran a sfc scan, and it found no issues. As this doesn't scan for malware, it doesn't really mean much.

It may - or may not - be relevant, but MBAM keeps showing these two prompts:

[three attached screenshots of the MBAM prompts]

These just pop up while using my device. I scanned that IP with VT and Fortinet was the only one which detected it. There did seem to be some phishing domains on this IP, but the prompt doesn't mention a domain.
Detection logs: 2_MBAM.txt 1_MBAM.txt 3_MBAM.txt

I can provide more details as needed

 


Hello sp123 and welcome to Malwarebytes,

Run the following scan, lets see if anything shows up:

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST, either accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status... If English is not your primary language Right click on FRST/FRST64 and rename FRSTEnglish/FRST64English

 
  • Double-click to run it. When the tool opens click Yes to the disclaimer. (Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
  • Press the Scan button to run the tool.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
  • The tool will also make a log named Addition.txt. Please also attach that log to your reply.


If necessary:

Disable smart screen ONLY if it interferes with software we may have to use:

https://support.microsoft.com/en-us/microsoft-edge/what-is-smartscreen-and-how-can-it-help-protect-me-1c9a874a-6826-be5e-45b1-67fa445a74c8

Please remember to enable when we are finished....

Next,

Disable any Anti-virus software you have installed ONLY if it stops software we may use from working:

https://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

Please remember to enable AV software when we are finished running scans....


Thank you,

Kevin

Hiya sp123,

Thanks for those logs, continue:

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.

NOTE. It's important that both files, FRST or FRSTEnglish, and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed.

The following directories are emptied:
 
  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin


Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.


The system will be rebooted after the fix has run.

Next,

Please download AdwCleaner by Malwarebytes and save the file to your Desktop. https://downloads.malwarebytes.com/file/adwcleaner
  • Right-click on the program and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan Now.
  • When finished, select any found entries then select Quarantine.
  • An alert may show that all processes will be closed before selected items are quarantined. Save anything important before progressing.
  • A reboot may be needed to finish up. Post the produced log when complete.


Next,

Download Sophos Scan and Clean and save it to your desktop.

If your security alerts to this scan, either accept the alert or turn off your security to allow Sophos to run and complete.

Please do not use your PC whilst the scan is in progress. This scan is very thorough so may take a while to complete.

You will have to register your name and email address to download the tool. You will also have to confirm your email address again each time the scan is started.

Found entries will have options to delete or quarantine; if you believe they may be false positives you can change to ignore.

A reboot may be requested to remove difficult malware/infection; please allow that to happen.

Saved logs are found here: C:\ProgramData\Sophos\ScanandClean\Logs

Please attach the produced logs to your next reply.

Thank you,

Kevin

fixlist.txt


4 hours ago, kevinf80 said:

It certainly seems to be PIA causing the problem, see what happens with it OFF

I quit it, and despite two reboots and normal use of my device, the popups have not appeared again. As soon as I re-enabled it, the popups came back.

Should I report the issue to the PIA devs or could it just be a MBAM FP?


We need to upload a file to Jotti

1. Go here: http://virusscan.jotti.org/ to get to Jotti's site. Accept the cookie option.

2. Use the Browse button to locate the following file on your system:

C:\Program Files\Private Internet Access\pia-client.exe

3. Once you have located the file, click SUBMIT and the content of the file will be uploaded by the site and analysed.

4. Please provide me with the results of the analysis...

  • Root Admin

Please gather MBST logs and post them back.

 

To begin, please do the following so that we may take a closer look at your installation for troubleshooting:

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to your desktop, please upload that file on your next reply

Thank you

 


  • Root Admin

The logs show 2710 entries in the logs and that it has not been modified since 2021-10-01 18:29

I am not aware of any modifications by the MBST tool to modify the hosts file.

I could potentially see it from the Farbar tool but Kevin has already had you run it many times without it modifying it.

 

From an elevated admin command prompt, please type the following and post back the results:

DIR /A C:\WINDOWS\system32\drivers\etc\hosts

 

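The DIR /A check above shows the hosts file's size, attributes and timestamp. The following PowerShell script is an added example, not part of the thread or of any Malwarebytes tool: it gathers the same metadata and then parses the file to separate benign block-list entries (thousands of names pointed at 0.0.0.0 or 127.0.0.1, which is what a count in the thousands usually means) from entries that redirect real domains somewhere else, which is the kind of change a tech-support-scam or hijack would make. The path and the watch-list of vendor domains are assumptions for illustration.

```powershell
# Added example (not from the thread). Inspect the Windows hosts file:
# metadata like "DIR /A", then parse it and flag entries that redirect
# domains to anything other than loopback/null addresses.
# Assumption: default hosts location under $env:SystemRoot.
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# -Force shows hidden/system files, the same as DIR /A.
$item = Get-Item -LiteralPath $HostsPath -Force
[pscustomobject]@{
    Path          = $item.FullName
    SizeBytes     = $item.Length
    Attributes    = $item.Attributes
    LastWriteTime = $item.LastWriteTime
    Owner         = (Get-Acl -LiteralPath $HostsPath).Owner
} | Format-List

# Parse: drop comments (# to end of line), skip blanks, split address + hostnames.
$entries = @(Get-Content -LiteralPath $HostsPath | ForEach-Object {
    $line = ($_ -split '#', 2)[0].Trim()
    if ($line) {
        $parts = $line -split '\s+'
        if ($parts.Count -ge 2) {
            [pscustomobject]@{
                Address = $parts[0]
                Hosts   = @($parts[1..($parts.Count - 1)])
            }
        }
    }
})

"Active (non-comment) entries: $($entries.Count)"

# Block-lists sinkhole names to these addresses; that is benign.
$Sinkhole = @('0.0.0.0', '127.0.0.1', '::1')

# Entries pointing anywhere else send traffic to a host the user did not choose.
$redirects = $entries | Where-Object { $_.Address -notin $Sinkhole }
if ($redirects) {
    "`nEntries that REDIRECT names to a non-loopback address (review these):"
    $redirects | Format-Table Address, @{n='Hosts'; e={ $_.Hosts -join ' ' }} -AutoSize
} else {
    "`nNo entries redirect to a non-loopback address."
}

# Assumption: illustrative watch-list. Malware commonly sinkholes security
# vendor and update domains so tools cannot update or reach the internet.
$Watch = @('microsoft.com', 'windowsupdate.com', 'malwarebytes.com', 'sophos.com',
           'norton.com', 'emsisoft.com', 'virustotal.com')
$blockedVendors = $entries | Where-Object {
    $hosts = $_.Hosts
    ($Watch | Where-Object { $w = $_; $hosts | Where-Object { $_ -like "*$w" } }).Count -gt 0
}
if ($blockedVendors) {
    "`nSecurity/update domains present in hosts (suspicious regardless of address):"
    $blockedVendors | Format-Table Address, @{n='Hosts'; e={ $_.Hosts -join ' ' }} -AutoSize
} else {
    "`nNo security vendor or Windows Update domains are overridden."
}
```

Run it from an elevated PowerShell prompt. A large entry count with nothing listed under either "redirect" or "security/update domains" is consistent with a user-installed ad/tracker block-list rather than tampering; a recent LastWriteTime combined with redirect entries is what to escalate on.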
