
Hi,

My father was reading the news on Microsoft News when he saw a link that appeared to be about the movie 'Pretty Woman'. When he clicked the link, the window shown in the screenshot appeared. Malwarebytes Premium was running on his machine. I have run three system scans and all have completed without error. Can you help me find out what it is, where it came from and how to remove it?

Unfortunately, my father didn't recognize the scam. When he realized it was a scam, he contacted his bank and his accounts have been secured. (This is just background information to help you understand all that happened so far.)

If you need any further information, then please let me know.

Best Regards,

Jack Miller

 

Attachments: Malware 2022-01-19 225732.png, Addition.txt, FRST.txt, Malwarebytes Premium Log.txt


  • Root Admin

Good day @jackmillerjr

Yes, I can see the image and the logs are good now as well, thanks.

 

Please go into Control Panel, Programs, Programs and Features and uninstall the following.

  • Bonjour
     

 

 

Please consider renaming this computer host name to a different name.

https://support.microsoft.com/en-us/windows/rename-your-windows-10-pc-750bc75d-8ff8-e99a-b9dc-04dff566ae74

https://www.itechtics.com/4-ways-to-rename-computer-in-windows-10-quickly/

Application errors:
==================
Error: (01/19/2022 10:56:06 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Local Hostname JRMSR-HPLAPTOP.local already in use; will try JRMSR-HPLAPTOP-2.local instead

 

 

Your DNS Servers: 192.168.1.254

Please consider changing your default DNS Server settings. Please choose one provider only.

DNS is what lets users connect to websites using domain names instead of IP addresses.

  • Google Public DNS: IPv4   8.8.8.8 and 8.8.4.4   IPv6   2001:4860:4860::8888 and 2001:4860:4860::8844
  • Cloudflare: IPv4   1.1.1.1 and 1.0.0.1   IPv6   2606:4700:4700::1111 and 2606:4700:4700::1001
  • OpenDNS: IPv4   208.67.222.222 and 208.67.220.220  IPv6  2620:119:35::35 and 2620:119:53::53
  • DNSWATCH: IPv4   84.200.69.80 and 84.200.70.40   IPv6  2001:1608:10:25::1c04:b12f and 2001:1608:10:25::9249:d69b

The Ultimate Guide to Changing Your DNS Server
https://www.howtogeek.com/167533/the-ultimate-guide-to-changing-your-dns-server/

Here is a YouTube video on Changing DNS settings if needed

 

 

After you've corrected the above issues or concerns, please run the following fix.

 

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

NOTE-3: As part of this fix it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

 


My apologies for the delay. The status:

  • Remove Bonjour: Bonjour has been removed. This will have to be installed again after this fix is completed. Since the machine name has changed the Bonjour error should be solved.
  • Rename machine: The machine name has been changed and can remain changed.
  • Change DNS: My ISP has this configured on their Router and I cannot change it. I would like to change it, however it is not a setting that I can edit.
  • Run FRST64 with the provided fixlist.txt file: According to the fixlog.txt, the fixing terminated because it exceeded the 60 minute limit. I have attached the fixlog.txt.

I will leave things as they are until you direct me how to proceed.

Fixlog.txt


  • Root Admin
10 minutes ago, jackmillerjr said:

  • Remove Bonjour: Bonjour has been removed. This will have to be installed again after this fix is completed.
  • Change DNS: My ISP has this configured on their Router and I cannot change it. I would like to change it, however it is not a setting that I can edit.

You can change it in Windows. You don't have to change it on the router.

 

 

 

Why would you need to reinstall Bonjour? Unless you have an Apple TV, it is noisy, poorly written software that shouldn't be on Windows. Even with an Apple TV you can still probably get it set up without Bonjour.

 

From the log, which is a good thing.

Windows Resource Protection found corrupt files and successfully repaired them.

 

I have created a new FIXLIST file to start where the old one left off. Please download this one as before.

Temporarily disable antivirus and run it. Then post back the new FIXLOG.txt file once it's completed running.

 

fixlist.txt

Thank you @jackmillerjr

 

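The Root Admin's earlier DNS recommendation (pick one public provider) and the reply above ("You can change it in Windows. You don't have to change it on the router.") can both be carried out from an elevated PowerShell prompt. The script below is an added example written for this thread; it is not Malwarebytes' or the Root Admin's own material. The adapter name "Wi-Fi" and the choice of Cloudflare are assumptions; substitute the adapter name that Get-NetAdapter shows on your machine and any one provider from the list in the earlier post. The router's address 192.168.1.254 is the one quoted in the thread.

```powershell
# Added example (not from the thread): point the Windows DNS client at one public resolver
# instead of the router, which is what the router-supplied DHCP lease normally configures.
# Run from an elevated PowerShell window (right-click PowerShell > Run as administrator).

# Assumption: the adapter is called "Wi-Fi". Check the Name column of Get-NetAdapter and change this if needed.
$InterfaceAlias = 'Wi-Fi'

# One provider only, as the thread advises. Cloudflare is used here as the example;
# Google, OpenDNS or DNSWATCH from the earlier list work the same way.
$IPv4Servers = @('1.1.1.1', '1.0.0.1')
$IPv6Servers = @('2606:4700:4700::1111', '2606:4700:4700::1001')

# 1. List the adapters that are up and the resolvers they currently use.
#    Before the change this normally shows the router (192.168.1.254 in this thread).
Get-NetAdapter | Where-Object { $_.Status -eq 'Up' } | Select-Object Name, InterfaceDescription
Get-DnsClientServerAddress -InterfaceAlias $InterfaceAlias |
    Select-Object InterfaceAlias, AddressFamily, ServerAddresses

# 2. Replace the DHCP-assigned resolver list on that adapter with static entries.
#    Passing IPv4 and IPv6 addresses together sets both address families in one call.
Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses ($IPv4Servers + $IPv6Servers)

# 3. Flush the local resolver cache so answers cached from the router are not reused.
Clear-DnsClientCache

# 4. Verify that only the chosen servers are configured, then send a test query directly to one of them.
$current  = (Get-DnsClientServerAddress -InterfaceAlias $InterfaceAlias).ServerAddresses
$expected = ($IPv4Servers + $IPv6Servers | Sort-Object) -join ','
$actual   = ($current | Sort-Object) -join ','
if ($actual -ne $expected) {
    Write-Warning "DNS servers on '$InterfaceAlias' were not applied as expected. Current: $($current -join ', ')"
} else {
    Write-Output "DNS servers on '$InterfaceAlias' are now: $($current -join ', ')"
}
Resolve-DnsName -Name 'example.com' -Server $IPv4Servers[0] -Type A | Select-Object Name, IPAddress

# To return to the router-supplied resolvers later, reset the adapter to DHCP:
# Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ResetServerAddresses
```

The setting is per adapter, so a laptop that also uses an Ethernet connection needs the same change for that adapter. The Resolve-DnsName step is the check worth keeping: if it fails while the verification line above it succeeded, the chosen resolver is not reachable from that network and a different provider from the list should be tried.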

  • Root Admin

Yes, we're not done @jackmillerjr. The original fix I provided "should" have completed; the fact that it could not complete is itself something I'd recommend we continue to work on with your computer.

Let's double-check your system with another antivirus scanner and see if they can detect anything we might be missing.

 

Please download and run the following Kaspersky Virus Removal Tool 2020 and save it to your Desktop.

(Kaspersky Virus Removal Tool version 20.0.10.0 was released on November 9, 2021)

Download: Kaspersky Virus Removal Tool

How to run a scan with Kaspersky Virus Removal Tool 2020
https://support.kaspersky.com/15674

How to run Kaspersky Virus Removal Tool 2020 in the advanced mode
https://support.kaspersky.com/15680

How to restore a file removed during Kaspersky Virus Removal Tool 2020 scan
https://support.kaspersky.com/15681

 


Press the Windows Key and R Key together; the "Run" box should open.


Drag and Drop KVRT.exe into the Run Box.


C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the run box.


Add -dontencrypt (note the space between KVRT.exe and -dontencrypt).

C:\Users\{your user name}\DESKTOP\KVRT.exe -dontencrypt should now show in the Run box.
 


That addition to the run command is very important: when the scan eventually completes, the resulting report is normally encrypted; with the extra switch it is saved as a readable file.

Reports are saved in C:\KVRT2020_Data\Reports with a name similar to report_20210123_113021.klr.
Right-click directly on that report, select Open with > Notepad. Save that file and attach it to your reply.

To start the scan select OK in the "Run" box.

A EULA window will open, tick all confirmation boxes then select "Accept"


In the new window select "Change Parameters"


In the new window ensure all selection boxes are ticked, then select "OK". The scan should now start...


When the scan is complete, if entries are found there will be options: if "Cure" is offered, leave it as is; for any other options, change to "Delete", then select "Continue".


When complete, or if nothing was found, select "Close".


Attach the report information as previously instructed...
 
Thank you
 
 

 

 


  • Root Admin

Great, that looks good. The Kaspersky scanner was not able to find any other infections at this time. @jackmillerjr

 

SecurityCheck by glax24

I would like you to run a tool named SecurityCheck to inquire about the current security update status of some applications.

  • Download SecurityCheck by glax24: https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
  • If Microsoft SmartScreen blocks the download, click through to save the file
  • This tool is safe.   Smartscreen is overly sensitive.
  • If SmartScreen blocks the file from running click on More info and Run anyway
  • Right-click with your mouse on SecurityCheck.exe and select "Run as administrator", and reply YES to allow it to run and go forward.
  • Wait for the scan to finish. It will open a text file named SecurityCheck.txt. Close the file and attach it with your next reply.
  • You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

 


 

Thank you

 

 


  • Root Admin

Excellent, glad to hear @jackmillerjr

 

Let's go ahead and do some clean-up work and remove the tools and logs we've run.

Please download KpRm by kernel-panik and save it to your desktop.

  • right-click kprm_(version).exe and select Run as Administrator.
  • Read and accept the disclaimer.
  • When the tool opens, ensure all boxes under Actions are checked.
  • Under Delete Quarantines select Delete Now, then click Run.
  • Once complete, click OK.
  • A log will open in Notepad titled kprm-(date).txt.
  • Please attach that file to your next reply. (not compulsory)

 

  1. Recommend using a Password Manager for all websites, etc. that require a password. Never use the same password on more than one site.
    https://www.howtogeek.com/240255/password-managers-compared-lastpass-vs-keepass-vs-dashlane-vs-1password/
  2. Keep all software up to date - PatchMyPC - https://patchmypc.com/home-updater#download
  3. Keep your Operating System up to date and current at all times - https://support.microsoft.com/en-us/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2
  4. Further tips to help protect your computer data and improve your privacy: https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/ 

 

Please consider installing the following Content Blockers for your Web browsers if you haven't done so already.

Malwarebytes Browser Guard

uBlock Origin

 

 

Further reading if you like to keep up on the malware threat scene: Malwarebytes Blog  https://blog.malwarebytes.com/

Hopefully, we've been able to assist you with correcting your system issues.

Thank you for using Malwarebytes

 


  • Root Admin

When using Kaspersky Virus Removal Tool 2020, please mind the following:

  • After the work of Kaspersky Virus Removal Tool is completed, the KVRT2020_Data folder remains on your computer (by default, it is located in C:\KVRT2020_Data).
  • If any problems occurred during the work of Kaspersky Virus Removal Tool, temporary files will be removed after the computer is restarted.
  • The drivers are unloaded after the system restart.

 


  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy: Tips to help protect from infection

Thank you

 

 


This topic is now closed to further replies.