Hello,

I keep having Malwarebytes block an attempted connection to a malicious website.
I tried to scan many times, but it seems that neither Malwarebytes nor Windows Defender can find it.
I first believed it was related to Adobe Creative Cloud (which I use with a legal and official version), but the trojan then tried to access it from CCleaner, then from another temp file.

Could you help me with this issue?
I've attached to this message the exported log file of one attempt by the trojan.

Thank you very much

trojanlog.txt


  • Root Admin

Hello @PommeDeTerre and welcome!

Please go to Control Panel, Programs, Programs and Features and uninstall the following

  • Bonjour

Then run the following three steps in the provided order and we'll see what we can find to get you cleaned up.

Please run the following steps and post back the logs as an attachment when ready.
Temporarily disable your antivirus or other security software first. Make sure to turn it back on once the scans are completed.
Temporarily disable Microsoft SmartScreen to download software below if needed. Make sure to turn it back on once the scans are completed.
If you still have trouble downloading the software please click on Reveal Hidden Contents below for examples of how to allow the download.

When downloading with some browsers you may see a different style of screens that may block FRST from downloading. The program is safe and used hundreds of times a week by many users.

[Screenshots: Example of Microsoft Edge blocking the download]

STEP 01

  • If you already have Malwarebytes installed then open Malwarebytes and click on the Scan button. It will automatically check for updates and run a Threat Scan.
  • If you don't have Malwarebytes installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and select Scan and let it run.
  • Once the scan is completed make sure you have it quarantine any detections it finds.
  • If no detections were found click on the Save results drop-down, then the Export to TXT button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If there were detections then once the quarantine has completed click on the View report button, then click the Export drop-down, then the Export to TXT button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If the computer restarted to quarantine you can access the logs from the Detection History, then the History tab. Highlight the most recent scan and double-click to open it. Then click the Export drop-down, then the Export to TXT button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know in your next reply that the scanner would not run.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Double-click to run the program
  • Accept the End User License Agreement.
  • Wait until the database is updated.
  • Click Scan Now.
  • When finished, if items are found please click Quarantine.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Attach or Copy its content into your next reply.

RESTART THE COMPUTER Before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure whether your computer is 32-bit or 64-bit.

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here each time.
  • Please attach the Addition.txt log to your reply as well.
  • On your next reply, you should be attaching FRST.txt and Addition.txt to your post, every time.

Thanks

Hello AdvancedSetup,

Thank you for such a quick reply.
I went through the steps you mentioned.
Nothing was found by Malwarebytes, but 13 items were found by AdwCleaner. I don't think any of them were real PUPs, but I still quarantined them all.

Btw: AdwCleaner didn't restart automatically when I quarantined these elements, so I did it manually for extra safety.
Also, when I first clicked on "View Log File" it caused AdwCleaner to enter an infinite loading state, and I had to stop the process manually after 10 min to reopen it and get the logs.

The trojan is still here and tries to access a website on startup, blocked by Malwarebytes each time, accessing from libs/node.exe from Adobe Creative Cloud Experience.

Thanks,

Addition_2.txt FRST_2.txt MalwareBytes_Scan_1.txt ADWCleaner_Report_1.txt


  • Root Admin

Thank you for the logs @PommeDeTerre

Okay, the computer has quite a few minor issues going on but let's get your version of Windows updated and see if that helps before we go too much further.

Your version: Windows 10 Pro Version 20H2 19042.1466
Current version: Windows 10 Pro Version 21H2 19044.1503

Please visit the following link and click on the button to update. Follow the onscreen prompts. This update may take a long time to complete.

https://www.microsoft.com/en-us/software-download/windows10

Once that update has been completed and the computer restarted then click on the Start / Search and type in "Check for updates" and let Windows install any updates it finds.

You may need to repeat this more than once to get all updates.

Then once Windows has completed all updates please run the following and post back the log. I'll check back on you again tomorrow.

SecurityCheck by glax24

I would like you to run a tool named SecurityCheck to inquire about the current security update status of some applications.

  • Download SecurityCheck by glax24: https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
  • If Microsoft SmartScreen blocks the download, click through to save the file
  • This tool is safe. SmartScreen is overly sensitive.
  • If SmartScreen blocks the file from running click on More info and Run anyway
  • Right-click with your mouse on the SecurityCheck.exe and select "Run as administrator" and reply YES to allow it to run & go forward
  • Wait for the scan to finish. It will open a text file named SecurityCheck.txt. Close the file. Attach it with your next reply.
  • You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

Thank you

Posting this for @PommeDeTerre because his post has been flagged as spam content; he can't send any message, even blank text.

"I have updated Windows to the latest version and checked for all updates.
When I tried to run SecurityCheck, however, I had to disable Malwarebytes, or opening the exe - administrator or not - would just give me the error I've added as an attachment.

When I launched SecurityCheck it failed to search for updates because of the internet connection and used the local database instead.
I tried to enable my VPN, but it seems the latest Windows update broke the app and I need to reinstall it to get back a VPN adapter. However, when I tried to launch Astrill.exe (the VPN I use), the trojan tried to go through this exe file again and Malwarebytes blocked it.
It looks like this trojan tries to get through any exe file communicating with a server.

I've attached the scan results.
Thanks a lot for your help"

MB_Block_SecurityCheck.JPG

SecurityCheck.txt


  • Root Admin

The log shows that only an NVIDIA experience driver is old, not a big deal.
Please download and run the following Kaspersky Virus Removal Tool 2020 and save it to your Desktop.

(Kaspersky Virus Removal Tool version 20.0.10.0 was released on November 9, 2021)

Download: Kaspersky Virus Removal Tool

How to run a scan with Kaspersky Virus Removal Tool 2020
https://support.kaspersky.com/15674

How to run Kaspersky Virus Removal Tool 2020 in the advanced mode
https://support.kaspersky.com/15680

How to restore a file removed during Kaspersky Virus Removal Tool 2020 scan
https://support.kaspersky.com/15681

Select the Windows Key and R Key together; the "Run" box should open.

Drag and Drop KVRT.exe into the Run Box.

C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the run box.

Add -dontencrypt. Note the space between KVRT.exe and -dontencrypt.

C:\Users\{your user name}\DESKTOP\KVRT.exe -dontencrypt should now show in the Run box.

That addendum to the run command is very important: when the scan does eventually complete, the resultant report is normally encrypted; with the extra command it is saved as a readable file.

Reports are saved here: C:\KVRT2020_Data\Reports, and look similar to this: report_20210123_113021.klr
Right-click directly onto that report, select > Open with > Notepad. Save that file and attach it to your reply.

To start the scan select OK in the "Run" box.

A EULA window will open; tick all confirmation boxes, then select "Accept".

In the new window select "Change Parameters".

In the new window ensure all selection boxes are ticked, then select "OK". The scan should now start...

When complete, if entries are found there will be options; if "Cure" is offered, leave as is. For any other options change to "Delete", then select "Continue".

When complete, or if nothing was found, select "Close".

Attach the report information as previously instructed...

Thank you

Just ran the Kaspersky scan, 0 threats were found.

Weirdly, the trojan didn't get reported by Malwarebytes today, but I would be surprised if it had disappeared just like that ^^.
I should mention I had a similar attempt to access the same website on another computer, also from Adobe's node.js, yesterday.

Once we find the solution here I will go through the same process on my other PC.

report_2022.02.05_11.07.45.txt


  • Root Admin

I'm betting that the NODE.exe was a false positive. Let's do a couple more scans though just to make sure. @PommeDeTerre

Let me have you run a different scanner to double-check. I don't expect it to find anything, but no harm in checking.

I would suggest a free scan with the ESET Online Scanner

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe"
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started.
  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes
  • When prompted for scan type, click on Full scan
  • Look at and tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.
  • Have patience. The entire process may take an hour or more. There is an initial update download.
  • There is a progress window display.
  • You should ignore all prompts to get the ESET antivirus software program (e.g. their standard program). You do not need to buy or get or install anything else.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked "View detected results".
  • Click the blue "Save scan log" to save the log.
  • If something was removed and you know it is a false finding, you may click on the blue "Restore cleaned files" (in blue, at the bottom).
  • Press Continue when all done. You should click to turn off the offer for "periodic scanning".

Note: If you do need to do a File Restore from ESET please follow the directions below

[KB2915] Restore files quarantined by the ESET Online Scanner version 3

https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner

Thanks
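The open question at this point in the thread is whether the node.exe that Malwarebytes keeps flagging is Adobe's own binary or something else borrowing that name. The PowerShell below is an added example written for this edited copy of the thread; it is not code from any participant, from Malwarebytes, or from Adobe. It answers that question on the local machine: it lists outbound TCP connections owned by a process with the given image name, shows the full path of the executable behind each one, and checks the file's Authenticode signature against the vendor name you expect. The process name (node) and the expected signer substring (Adobe) are parameters chosen for this example and are assumptions; run it from an elevated PowerShell on Windows 10.

```powershell
# Added example (not from any post in this thread): attribute outbound TCP
# connections to the process that owns them and verify that process's binary.
# Assumptions: run from an elevated PowerShell on Windows 10; $ProcessName and
# $ExpectedSigner are placeholders chosen for this example.
function Get-ProcessConnectionReport {
    param(
        [string]$ProcessName    = 'node',   # image name without .exe
        [string]$ExpectedSigner = 'Adobe'   # substring expected in the signer subject
    )

    # A connection that a security product blocks at connect time may only ever
    # reach SynSent, so look at half-open connections as well as established ones.
    $connections = Get-NetTCPConnection -State Established, SynSent -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -notin @('127.0.0.1', '::1', '0.0.0.0', '::') }

    foreach ($conn in $connections) {
        $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        if (-not $proc -or $proc.ProcessName -ne $ProcessName) { continue }

        # The full path shows which copy of the binary is talking: the vendor's
        # install directory is expected, a Temp or AppData folder is not.
        $path = $proc.Path
        $sig  = if ($path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned or unreadable>' }

        [pscustomobject]@{
            ProcessId       = $proc.Id
            Path            = $path
            Remote          = '{0}:{1}' -f $conn.RemoteAddress, $conn.RemotePort
            State           = $conn.State
            SignatureStatus = if ($sig) { $sig.Status.ToString() } else { 'n/a' }
            Signer          = $signer
            # True only when the signature chain validates AND the signer is the vendor you expected.
            MatchesVendor   = [bool]($sig -and $sig.Status -eq 'Valid' -and $signer -like "*$ExpectedSigner*")
        }
    }
}

Get-ProcessConnectionReport -ProcessName 'node' -ExpectedSigner 'Adobe' | Format-List
```

A path under the vendor's Program Files tree with SignatureStatus Valid and MatchesVendor True supports the false-positive reading given above; an unsigned copy, an invalid signature, or a binary running from a Temp folder is what should be escalated. Because a block happens at connect time, the connection may be visible only briefly, so run the report while the application that triggers the block is starting.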

  • Root Admin

Great, that's a good thing. @PommeDeTerre Two big name scanners did not find any ongoing infection. Let me have you run the three STEP process one more time so that we can verify it's clean as well as get a new set of logs to see what, if any, other ongoing issues might still be there.
Please run the following steps and post back the logs as an attachment when ready.
Temporarily disable your antivirus or other security software first. Make sure to turn it back on once the scans are completed.
Temporarily disable Microsoft SmartScreen to download software below if needed. Make sure to turn it back on once the scans are completed.
If you still have trouble downloading the software please click on Reveal Hidden Contents below for examples of how to allow the download.

When downloading with some browsers you may see a different style of screens that may block FRST from downloading. The program is safe and used hundreds of times a week by many users.

[Screenshots: Example of Microsoft Edge blocking the download]

STEP 01

  • If you already have Malwarebytes installed then open Malwarebytes and click on the Scan button. It will automatically check for updates and run a Threat Scan.
  • If you don't have Malwarebytes installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and select Scan and let it run.
  • Once the scan is completed make sure you have it quarantine any detections it finds.
  • If no detections were found click on the Save results drop-down, then the Export to TXT button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If there were detections then once the quarantine has completed click on the View report button, then click the Export drop-down, then the Export to TXT button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If the computer restarted to quarantine you can access the logs from the Detection History, then the History tab. Highlight the most recent scan and double-click to open it. Then click the Export drop-down, then the Export to TXT button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know in your next reply that the scanner would not run.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Double-click to run the program
  • Accept the End User License Agreement.
  • Wait until the database is updated.
  • Click Scan Now.
  • When finished, if items are found please click Quarantine.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Attach or Copy its content into your next reply.

RESTART THE COMPUTER Before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure whether your computer is 32-bit or 64-bit.

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here each time.
  • Please attach the Addition.txt log to your reply as well.
  • On your next reply, you should be attaching FRST.txt and Addition.txt to your post, every time.

Thanks

  • Root Admin

We'll do resets another way. No need to have AdwCleaner do them at this time. @PommeDeTerre

Though you may trust Google, I'd recommend you read the information below before allowing Push Notifications from anyone.

CHR Notifications: Default -> hxxps://www.youtube.com

Are you sure you want this enabled or allowed? Push Notifications on your browser appear to be enabled.

https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

Turn notifications on or off - Google Chrome

Web Push notifications in Firefox

Please run the following fix

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

NOTE-3: As part of this fix it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

Hello AdvancedSetup,

Successfully ran the fix and my computer looks really clean.
I haven't had any of these trojan attempts since I mentioned in my post "The trojan seems to have disappeared by itself"; I guess one of the cleaning steps was effective!
I have also disabled the Chrome Push Notifications; as mentioned in the documentation you linked, I probably allowed them without being aware of it.

Could you leave this topic open? In my next replies I will do the same steps on my laptop, which has a lot of these similar outbound connection attempts, and post the logs.
If you could write a fixlist for it too, it would help me greatly.

Thanks so much for such quick and efficient support, you are super pro at the Malwarebytes team!

Fixlog.txt


  • Root Admin

Yes, you can post logs for another computer but let's finish this one first @PommeDeTerre

Secure Boot Status: False

If possible I would recommend that you enable Secure Boot

How to enable or disable Secure Boot
https://maxedtech.com/how-to-enable-or-disable-secure-boot/

The SFC program found and fixed some issues as seen in the log.

Windows Resource Protection found corrupt files and successfully repaired them.

SecurityCheck by glax24

I would like you to run a tool named SecurityCheck to inquire about the current security update status of some applications.

  • Download SecurityCheck by glax24: https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
  • If Microsoft SmartScreen blocks the download, click through to save the file
  • This tool is safe. SmartScreen is overly sensitive.
  • If SmartScreen blocks the file from running click on More info and Run anyway
  • Right-click with your mouse on the SecurityCheck.exe and select "Run as administrator" and reply YES to allow it to run & go forward
  • Wait for the scan to finish. It will open a text file named SecurityCheck.txt. Close the file. Attach it with your next reply.
  • You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

Thank you
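Two items the Root Admin reads off the logs in this thread, the installed Windows build (20H2 19042.1466 against the then-current 21H2 19044.1503 quoted earlier) and Secure Boot Status: False, can both be checked locally before posting logs. The PowerShell below is an added example written for this edited copy of the thread, not code from anyone in the thread or from FRST, SecurityCheck or any other tool named here. It reads the installed release and build from the registry, compares it with a target build (the thread's 19044.1503 is the default, an assumption to update to the current release when you use it), and queries the UEFI Secure Boot state. Run it from an elevated prompt.

```powershell
# Added example (not from any post in this thread): report the installed Windows
# release/build against a target and the UEFI Secure Boot state.
# Assumptions: elevated PowerShell on Windows 10; the default target build is the
# 21H2 build quoted in the thread (19044.1503) and should be updated over time.
function Get-PatchAndBootPosture {
    param(
        [int]$TargetBuild = 19044,
        [int]$TargetUbr   = 1503
    )

    # CurrentBuild is the base build (19042 = 20H2), UBR the cumulative-update revision.
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuild
    $ubr   = [int]$cv.UBR

    # DisplayVersion (e.g. 20H2) exists from 20H2 onward; older builds only have ReleaseId.
    $release = if ($cv.PSObject.Properties['DisplayVersion']) { $cv.DisplayVersion } else { $cv.ReleaseId }

    # Behind if the base build is older, or the same base build with a lower revision.
    $behind = ($build -lt $TargetBuild) -or (($build -eq $TargetBuild) -and ($ubr -lt $TargetUbr))

    # Confirm-SecureBootUEFI returns $true/$false on UEFI systems, needs elevation,
    # and throws on legacy-BIOS machines; report that instead of failing the whole check.
    try   { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop }
    catch { $secureBoot = "unavailable ($($_.Exception.Message))" }

    [pscustomobject]@{
        Release      = $release
        Build        = '{0}.{1}' -f $build, $ubr
        Target       = '{0}.{1}' -f $TargetBuild, $TargetUbr
        UpdateNeeded = $behind
        SecureBoot   = $secureBoot
    }
}

Get-PatchAndBootPosture | Format-List
```

A SecureBoot value of False means the firmware is UEFI and the option is simply off, which is the case the Secure Boot guide linked above addresses; an "unavailable" value on a legacy-BIOS install means the firmware mode has to change before Secure Boot can be enabled at all, which is a separate step.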

  • Root Admin

Thanks, that log looks good. The Nvidia piece is out of date but many people don't use it.

As for the Secure Boot, yes I understand. Some computers make it very difficult to enable and use.

--------------------------- [ OtherUtilities ] ----------------------------
NVIDIA GeForce Experience 3.21.0.36 v.3.21.0.36 Warning! Download Update

Are there any other issues or concerns with this system now?

Thanks, I will update the Nvidia drivers.
Nothing more with this computer.

If possible I would like your help on my other computer, to which I believe the same malware spread too.
I have done all the previous steps up to the ESET online scanner (included).

I have attached the logs; could you help me with the next steps?

Thanks

SecurityCheck_1.txt Addition_1.txt AdwCleaner_1.txt ESETLog.txt FRST_1.txt MalwareBytes_1.txt report_2022.02.13_17.51.55..txt


  • Root Admin

Please go to Control Panel, Programs, Programs and Features and uninstall the following @PommeDeTerre

CCleaner

CHR Notifications: Default -> hxxps://dnschecker.org

Are you sure you want this enabled or allowed? Push Notifications on your browser appear to be enabled.

https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

Turn notifications on or off - Google Chrome

Web Push notifications in Firefox

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

NOTE-3: As part of this fix it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

  • Root Admin

Hello @PommeDeTerre

CCleaner was originally developed by Piriform (a company acquired by Avast in 2017) and had a past of adding some undesirable features to the program.

Avast Software s.r.o. is a Czech multinational cybersecurity software company headquartered in Prague, Czech Republic.

In July 2016, Avast acquired competitor AVG Technologies.

In late 2019, Avast browser extensions were found to collect user data, including browsing behavior and history, and send it to a remote server. No concrete evidence was found to prove it.

In January 2020, a joint investigation by Motherboard and PCMag found that the Avast Antivirus and AVG AntiVirus Free version were collecting user data, which was being resold to personalize advertising through a subsidiary, Jumpshot. The leaked documents showed that Jumpshot offered to provide its customers with "Every search. Every click. On every site." from more than 100 million compromised devices. In response, Avast announced on January 30, 2020, that it would immediately shut down Jumpshot and cease all operations due to the backlash over its users' data privacy.

On the basis of the information revealed, on 11 February 2020, the Czech Office for Personal Data Protection announced that it had initiated a preliminary investigation.

On August 9, 2019, Broadcom Inc. announced they would be acquiring the Enterprise Security software division of Symantec for $10.7 billion, after having attempted to purchase the whole company. The sale closed on November 4, 2019, and subsequently, the company adopted the NortonLifeLock name.

On December 7, 2020, NortonLifeLock, formerly known as Symantec Corporation, announced the acquisition of Avira. The acquisition was closed in January 2021.

Basically, the software has traded ownership a few times, and now Windows 10 and 11 both provide more than enough internally built-in tools to perform just about any type of maintenance on the computer needed already without 3rd-party software. Thus, most computer experts no longer recommend the product.

However, it's your choice if you want to keep and use it or not.

The FIXLOG looked pretty good overall. The SFC did find and fix some issues. That's a good thing.

Windows Resource Protection found corrupt files and successfully repaired them.

Secure Boot Status: False

If possible it would be best to enable Secure Boot, but in some cases it's not easy to enable on the computer.

How to enable or disable Secure Boot
https://maxedtech.com/how-to-enable-or-disable-secure-boot/

Please download and run the following program. NOTE: Windows SmartScreen or Windows Defender may alert or try to block it. The program is safe, please go ahead and download it and run it and post back the log.

SecurityCheck by glax24

I would like you to run a tool named SecurityCheck to inquire about the current security update status of some applications.

  • Download SecurityCheck by glax24: https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
  • If Microsoft SmartScreen blocks the download, click through to save the file
  • This tool is safe. SmartScreen is overly sensitive.
  • If SmartScreen blocks the file from running click on More info and Run anyway
  • Right-click with your mouse on the SecurityCheck.exe and select "Run as administrator" and reply YES to allow it to run & go forward
  • Wait for the scan to finish. It will open a text file named SecurityCheck.txt. Close the file. Attach it with your next reply.
  • You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

Thank you

This topic is now closed to further replies.