Clicked on suspicious link in email

Solved by kevinf80

Hello, I am wondering if someone can help me out. I am very concerned that I have some malware or a virus on my PC.

A few days ago I accidentally clicked on a link in a legitimate-looking email, but it was clearly not legit. This link opened a URL/web page that showed a server error "404 - File or directory not found". I'm concerned that this might have allowed something malicious to be installed. I was running Windows Defender and nothing popped up at the time of clicking the link or while scanning a bit later on. I then installed Malwarebytes and reactivated McAfee Antivirus, which used to run on my PC. Neither Malwarebytes nor McAfee detects anything while scanning.

The computer had not appeared to be behaving strangely in the two days since, except for today when, at the very moment of turning on McAfee VPN for the first time, a Malwarebytes message popped up stating:

"Website blocked due to compromised 

IP Address: <removed>
Port: 500
Type: Outbound
File: c:\Windows\System32\svchost.exe"

I'm concerned that a keystroke logger or something else malicious is running quietly in the background to steal my personal info. Any help would be much appreciated. Thx.
 

Hello Victorian1899 and welcome to Malwarebytes,

Let's grab some logs and see what's going on. Continue with the following:

If you do not have Malwarebytes installed do the following:

Download Malwarebytes version 4 from the following link:

https://www.malwarebytes.com/mwb-download/thankyou/

Double click on the installer and follow the prompts.

When the install completes or Malwarebytes is already installed do the following:

Open Malwarebytes, select the small cog wheel in the top right hand corner; that will open "Settings". From there select the "Security" tab.

Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on....

Close out the settings window, this will take you back to "DashBoard" select the Blue "Scan Now" tab......

When the scan completes quarantine any found entries...

To get the log from Malwarebytes do the following:
 
  • Open Malwarebytes, select Target scope inside Scanner window,
  • In the new window select "Reports" tab. All recent scan reports will be listed.
  • Hover cursor over latest report (identified by date and time); you will see eye tab, download tab and recycle bin tab.
  • Select "Download" tab, download, name and save report to place of your choice (recommend Desktop)
  • Attach that report to your reply...


Next,

Download AdwCleaner by Malwarebytes onto your Desktop.

Or from this Mirror
 
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Quarantine button. This will kill all the active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply


Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status... If English is not your primary language, right click on FRST/FRST64 and rename it FRSTEnglish/FRST64English.

 
  • Double-click to run it. When the tool opens click Yes to disclaimer. (Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach that log to your reply.


Let me see those logs in your reply...

If necessary do the following first

Disable smart screen ONLY if it interferes with software we may have to use:

https://support.microsoft.com/en-us/microsoft-edge/what-is-smartscreen-and-how-can-it-help-protect-me-1c9a874a-6826-be5e-45b1-67fa445a74c8

Please remember to enable when we are finished....

Next,

Disable any Anti-virus software you have installed ONLY if it stops software we may use from working:

https://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

Please remember to enable AV software when we are finished running scans....


Thank you,

Kevin

  • Solution

Hello Victorian1899,

Not a great deal in those logs, continue:

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.

NOTE. It's important that both files, FRST or FRSTEnglish, and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed.

The following directories are emptied:
 
  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin


Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.


The system will be rebooted after the fix has run.

Next,

Download Sophos Scan and Clean and save it to your desktop.

If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....

Please Do Not use your PC whilst the scan is in progress.... This scan is very thorough so may take awhile to complete...

You will have to register your name and email address to download the tool. You will also have to confirm your email address again each time the scan is started...

Found entries will have options to delete or quarantine; if you believe they may be false positives you can change to ignore.

A reboot may be requested to remove difficult malware/infection, please allow that to happen

Saved logs are found here: C:\ProgramData\Sophos\ScanandClean\Logs

Let me see those logs in your reply...

Thank you,

Kevin.

fixlist.txt


Hi Kevin, my computer is and has been behaving normally since clicking on the phishing email that took me to the dead URL (server error 404).
If it helps any, this occurred in the early hours of Dec 20, just after midnight.
Is there any way to confirm 100% that no malware was installed? Am concerned about going back to do banking and other personal stuff where my information may be at risk.


Hiya Victorian1899,

I have not seen anything malicious in any of your logs, I do not see any reason to stop your normal usage of this PC... One more scan please:

Download "Microsoft's Safety Scanner" and save direct to the desktop

Ensure to get the correct version for your system....

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download


Right click on the tool and select Run as Administrator; the tool will expand to the options window
In the "Scan Type" window, select Quick Scan
Perform a scan and click Finish when the scan is done.


Retrieve the MSRT log as follows, and post it in your next reply:

1) Select the Windows key and R key together to open the "Run" function
2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

notepad c:\windows\debug\msert.log

The log will include details for each time MSRT has run; we only need the most recent run by date and time....


Thank you,
 
Kevin.
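An added example for the log-retrieval step above (this is not Kevin's instructions and not a Microsoft tool): a PowerShell script that reads msert.log, splits it into individual scanner runs and prints only the most recent run together with its result and MAPS-report lines, so the right section can be copied into a reply without wading through older runs. It assumes each run in the log begins with a header line starting "Microsoft Safety Scanner v" (MSRT writes "Microsoft Windows Malicious Software Removal Tool v"); if your log's header differs, change $runHeader. The sample log embedded in the script is constructed and is only used when no real msert.log is present.

```powershell
# Added example, not part of the original thread. Shows only the most recent
# Microsoft Safety Scanner run recorded in msert.log, which is appended to on every run.
# ASSUMPTION: each run starts with a header line matching $runHeader below.
param(
    [string]$LogPath = "$env:SystemRoot\debug\msert.log"
)

$runHeader = '^(Microsoft Safety Scanner|Microsoft Windows Malicious Software Removal Tool) v'

# Split the log lines into one list of lines per scanner run, in file order.
function Get-MsertRuns {
    param([string[]]$Lines)
    $runs = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match $runHeader) {
            if ($null -ne $current) { $runs += ,$current }
            $current = New-Object 'System.Collections.Generic.List[string]'
        }
        if ($null -ne $current) { $current.Add($line) }
    }
    if ($null -ne $current) { $runs += ,$current }
    # Leading comma stops PowerShell from unrolling the array of runs into single lines.
    return ,$runs
}

# Pull the start/finish stamps, the result line(s) and the MAPS upload marker out of one run.
function Get-RunSummary {
    param([string[]]$Run)
    $started  = @($Run | Where-Object { $_ -match '^Started On ' })[0]
    $finished = @($Run | Where-Object { $_ -match 'Finished On ' })[0]
    $results  = @($Run | Where-Object { $_ -match '^(No infection found|Found |Threat )' })
    $maps     = @($Run | Where-Object { $_ -match 'Submitted MAPS Report' }).Count -gt 0
    [pscustomobject]@{
        Started        = $started
        Finished       = $finished
        Result         = ($results -join '; ')
        MapsReportSent = $maps
    }
}

if (Test-Path -LiteralPath $LogPath) {
    $lines = Get-Content -LiteralPath $LogPath
} else {
    Write-Warning "$LogPath not found; using a constructed sample log instead."
    # Constructed sample in the assumed layout (two runs); not a real log.
    $lines = @(
        'Microsoft Safety Scanner v1.353, (build 1.353.1436.0)'
        'Started On Mon Dec 20 00:05:11 2021'
        'Results Summary:'
        'No infection found'
        'Successfully Submitted MAPS Report'
        'Microsoft Safety Scanner Finished On Mon Dec 20 00:12:40 2021'
        'Return code: 0 (0x0)'
        'Microsoft Safety Scanner v1.353, (build 1.353.1436.0)'
        'Started On Fri Dec 24 13:10:02 2021'
        'Results Summary:'
        'No infection found'
        'Successfully Submitted MAPS Report'
        'Microsoft Safety Scanner Finished On Fri Dec 24 15:48:19 2021'
        'Return code: 0 (0x0)'
    )
}

$runs = Get-MsertRuns -Lines $lines
if ($runs.Count -eq 0) {
    Write-Warning "No scanner runs recognised; check the header pattern in `$runHeader."
    return
}
$latest = $runs[$runs.Count - 1]
Write-Output "Found $($runs.Count) run(s); the most recent run follows:"
$latest | ForEach-Object { Write-Output $_ }
Write-Output ''
Get-RunSummary -Run $latest | Format-List
```

Run it from an elevated PowerShell prompt as `.\Show-LatestMsert.ps1` (any file name works), or pass `-LogPath` to point at a copy of the log. The summary's Result and MapsReportSent fields are the two things worth checking: a "No infection found" line is the scanner's final verdict, and the MAPS marker confirms the cloud lookup that produces it completed.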

Hello Victorian1899,

Another clean log, continue to clean up:

Download KpRm by kernel-panik and save it to your desktop.
  • Right-click kprm_(version).exe and select Run as Administrator.
  • When the tool opens, ensure all boxes are checked.
  • Under Delete Quarantines select Delete Now, then click Run.
  • Once complete, click OK.
  • A log will open in Notepad titled kprm-(date).txt.
  • Please attach that log to your next reply. (Not Compulsory)


Next,

1. How to create strong Passwords - https://www.howtogeek.com/195430/how-to-create-a-strong-password-and-remember-it/

2. How to keep all software up to date - PatchMyPC - https://patchmypc.com/home-updater#download

3. Keep your Operating System up to date and current - https://support.microsoft.com/en-us/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2

4. Answers to Security Questions and Best Practices - https://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

5. Malwarebytes Browser Guard (Free) for Firefox, Chrome and Edge: https://support.malwarebytes.com/hc/en-us/articles/4402157637523-VIDEO-Set-Up-and-Use-Malwarebytes-Browser-Guard-Chrome-Edge-and-Firefox-

Take care and surf safe

Kevin...

I have run the cleanup program and the log is attached. Before doing that, I ran the Microsoft Safety Scanner a second time, but this time doing a full scan instead of a quick scan.

While running it was indicating that it found 5 infected files and since it was running for quite a while, I left the computer. When I came back, the scan had completed and displayed a message stating that the scan completed successfully and no viruses, spyware or other potentially unwanted software was detected. There was no mention of the 5 infected files on screen or in the log file which I have attached. Seems very strange. 

 

kprm-20211224135300.txt msert2.log


Hiya Victorian1899,

What you describe is strange, to clarify you need to fully understand how the Microsoft security apps actually operate, since that's part of why this sort of situation can be confusing to those who don't.
The "Files Infected" count displayed on the Microsoft Safety Scanner, scan in progress screen or any of their other security products for that matter, is actually just a preliminary status indication that there are items which may contain malware. In many cases these specific items have been found in the past to be related to malware, but they are all really just small fragments that have matched signatures, but aren't yet truly confirmed as the specific malware that might include them.
Near the end of the scanning process, around 95% complete, the Microsoft scanners all perform a MAPS (Microsoft Active Protection Service) request via internet to the Microsoft cloud servers in order to upload their initial findings and request confirmation that these findings are either truly malware or instead possible false positive detections or incomplete fragments of inactive malware.
Though the entire process isn't displayed, the clues to this are the following 2 lines in the findings

No infection found

Successfully Submitted MAPS Report

So what actually happened is that the scanner found possible malware fragments, communicated with the MAPS servers and confirmed there weren't any active malware that it can identify running and completed its operation by reporting these final results as well as uploading its reporting to MAPS as a record.
This final step is important, since as I stated above "there weren't any active malware that it can identify running" on your device, but that doesn't necessarily mean there might not be something that Microsoft's Security Intelligence has yet to determine is a new form of malware. What this report does is allow Microsoft to collate this information within the automated MAPS cloud system and look for such possible new malware patterns, along with those from the millions of other Windows Defender and other scanners operating in real time on many systems.

Are we ok to close out...?

Thank you,

Kevin.

 


Thanks for the detailed explanation and for all of your help Kevin. It's good that nothing showed up, but in some ways for peace of mind it might have been desirable if some malware was found and conclusively removed by one of the programs that we ran. In any case I will remain vigilant. Yes we can close out. Thanks again.

 


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy Tips to help protect from infection

Thank you

This topic is now closed to further replies.