cnbehler Posted April 16, 2022 ID:1511675 (edited)
I have Malwarebytes Premium 4.5.7. I suspect a malicious iso disk image file was downloaded when I clicked on an html file. I saw it right away but couldn't delete it since the system reported it "in use". I rebooted my system, but disk repair had to run first before I could log back in and successfully delete the iso file. I ran a Malwarebytes threat scan and nothing was found. Then I ran a custom scan. No issues detected in rootkits, memory, startup items or registry. BUT the last scan of the file system is still going after 42 hours with 1 detection. What should I do?
Attachment: iclickcdn.txt
Edited April 16, 2022 by AdvancedSetup: corrected font issue
Maurice Naggar Posted April 16, 2022 ID:1511682
Hello @cnbehler. What exactly is scanning? "BUT last scan of file system is still going after 42 hours with 1 Detection"
cnbehler Posted April 17, 2022 ID:1511821
It is scanning my C: drive. I finally stopped it, quarantined and removed the 1 detection it found (a PUP file that seems unrelated to the disk image problem), deleted a lot of old files, and restarted the scan of the C: drive (547 GB used). The new scan is still going at 26 hours with no detections.
Maurice Naggar Posted April 17, 2022 ID:1511832
Just some remarks. A custom scan of the C drive can well take many hours. The amount of time it takes depends on a few things: the number of files on the disc and the speed of the hardware, especially the type of disc. Also keep in mind that the number and types of other running applications may also affect the run time.
cnbehler Posted April 18, 2022 ID:1511880
I appreciate your help, Maurice. This article describes what happened to me: https://borncity.com/win/2022/01/28/sans-isc-warnt-bsartige-iso-datei-in-html-seite-eingebettet-jan-2022/
I opened an email with Order_Receipt.html because I had JUST ordered something online, and then I opened the html file. While I was looking at it, the REAL receipt for my order came in and I immediately knew something was wrong. I found the .iso file in my Downloads folder and attempted to delete it, but I couldn't since the system said it was in use (oh oh!). I rebooted my system and when it restarted, it kicked off a disk repair action that took about 2-3 minutes. After that, I deleted the .iso file (but forgot to note its name before I did so). I have Windows 10. I've run Norton 360 and Malwarebytes Quick Scan several times and nothing was found. Now I'm running the custom scan for the second time. No issues detected in rootkits, memory, startup items or registry. BUT the last scan of the file system (C: drive) is still going after 42 hours with 0 detections. Any feedback on what I would see if the .iso file had infected my system, please?
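The linked SANS ISC / Borncity write-up describes HTML smuggling: the "receipt" page carries the ISO as a base64 string inside its JavaScript, decodes it in the browser and hands it to the user as a download, so no file is fetched from a server that a gateway could inspect. The script below is an added example, not part of this thread and not the attachment posted above. It shows what a practitioner would do with such an .html file on a quarantined machine: flag the JavaScript markers, decode the base64 literal, identify the payload by its magic bytes and, for an ISO 9660 image, list the root directory by parsing the primary volume descriptor. That listing is what you would otherwise only see by mounting the image, and a mounted image is exactly what Windows reports as "in use" when you try to delete the file. The sample HTML, the ISO builder and the file names inside it are constructed test data; the marker list and the base64 regex are this example's assumptions about typical smuggling pages, not a vetted signature.

```python
"""Added example: triage an HTML-smuggling page and list a smuggled ISO without mounting it."""
import base64
import re
import struct

SECTOR = 2048  # ISO 9660 logical sector size

# Constructed page using the usual smuggling pattern: base64 -> atob -> Blob -> download.
SAMPLE_HTML = """<html><body><script>
var data = "{b64}";
var bytes = Uint8Array.from(atob(data), function (c) {{ return c.charCodeAt(0); }});
var a = document.createElement("a");
a.href = URL.createObjectURL(new Blob([bytes], {{type: "application/octet-stream"}}));
a.download = "invoice.iso"; a.click();
</script></body></html>"""

# Assumed indicators of in-browser payload assembly; real pages may split or reverse the string.
JS_MARKERS = ("atob(", "new Blob(", "createObjectURL(", ".download", "msSaveOrOpenBlob(")
B64_RE = re.compile(r'["\']([A-Za-z0-9+/]{512,}={0,2})["\']')
NAME_RE = re.compile(r'\.download\s*=\s*["\']([^"\']+)["\']')

def classify(payload: bytes) -> str:
    """Identify a decoded payload by magic bytes; ISO 9660 keeps its magic at sector 16."""
    if len(payload) > 17 * SECTOR and payload[16 * SECTOR + 1:16 * SECTOR + 6] == b"CD001":
        return "iso9660"
    for magic, kind in ((b"PK\x03\x04", "zip"), (b"MZ", "pe")):
        if payload.startswith(magic):
            return kind
    return "unknown"

def read_pvd(iso: bytes):
    """(volume id, root dir LBA, root dir size) from the primary volume descriptor."""
    pvd = iso[16 * SECTOR:17 * SECTOR]
    if pvd[0] != 1 or pvd[1:6] != b"CD001":
        raise ValueError("no primary volume descriptor at sector 16")
    root = pvd[156:190]  # 34-byte root record; extent at offset 2, size at offset 10 (LE copy first)
    return (pvd[40:72].decode("ascii", "replace").strip(),
            struct.unpack_from("<I", root, 2)[0], struct.unpack_from("<I", root, 10)[0])

def list_iso_root(iso: bytes) -> list:
    """Walk the root directory extent; return (name, size, is_dir), skipping '.' and '..'."""
    _, lba, size = read_pvd(iso)
    data = iso[lba * SECTOR:lba * SECTOR + size]
    entries, pos = [], 0
    while pos < len(data):
        rec_len = data[pos]
        if rec_len == 0:  # zero length = padding; records never straddle a sector
            pos = (pos // SECTOR + 1) * SECTOR
            continue
        rec = data[pos:pos + rec_len]
        name = rec[33:33 + rec[32]]
        if name not in (b"\x00", b"\x01"):
            entries.append((name.decode("ascii", "replace"),
                            struct.unpack_from("<I", rec, 10)[0], bool(rec[25] & 0x02)))
        pos += rec_len
    return entries

def triage_html(html: str) -> list:
    """One dict per long base64 literal that decodes cleanly, with the JS markers seen;
    for an ISO 9660 payload also the volume id and root listing (no mount needed)."""
    markers = [m for m in JS_MARKERS if m in html]
    names = NAME_RE.findall(html)
    report = []
    for m in B64_RE.finditer(html):
        try:
            raw = base64.b64decode(m.group(1), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        entry = {"kind": classify(raw), "size": len(raw), "markers": markers,
                 "filename": names[0] if names else None}
        if entry["kind"] == "iso9660":
            entry["volume_id"] = read_pvd(raw)[0]
            entry["files"] = list_iso_root(raw)
        report.append(entry)
    return report

def _record(name: bytes, lba: int, size: int, is_dir: bool) -> bytes:
    """Encode one ISO 9660 directory record (both-endian fields, padded to even length)."""
    body = (b"\x00" + struct.pack("<I", lba) + struct.pack(">I", lba) + struct.pack("<I", size)
            + struct.pack(">I", size) + bytes(7) + bytes([2 if is_dir else 0]) + b"\x00\x00"
            + struct.pack("<H", 1) + struct.pack(">H", 1) + bytes([len(name)]) + name)
    if len(body) % 2 == 0:  # total (1 + body) must be even
        body += b"\x00"
    return bytes([len(body) + 1]) + body

def build_sample_iso(files: dict) -> bytes:
    """Constructed test image: 16 blank sectors, PVD, terminator, root dir at LBA 18, files from 19."""
    pvd = bytearray(SECTOR)
    pvd[0:7], pvd[40:72] = b"\x01CD001\x01", b"ORDER_RECEIPT".ljust(32)
    pvd[156:190] = _record(b"\x00", 18, SECTOR, True)
    root = _record(b"\x00", 18, SECTOR, True) + _record(b"\x01", 18, SECTOR, True)
    blobs = b""
    for i, (name, content) in enumerate(files.items()):
        root += _record(name.encode() + b";1", 19 + i, len(content), False)
        blobs += content.ljust(SECTOR, b"\x00")  # one sector per file (contents <= 2048 bytes)
    return (bytes(16 * SECTOR) + bytes(pvd) + b"\xffCD001\x01".ljust(SECTOR, b"\x00")
            + root.ljust(SECTOR, b"\x00") + blobs)

def sample_report() -> list:
    """Run the triage over the constructed page carrying the constructed ISO."""
    iso = build_sample_iso({"PAYLOAD.LNK": b"[InternetShortcut]\n", "README.TXT": b"open the shortcut\n"})
    return triage_html(SAMPLE_HTML.format(b64=base64.b64encode(iso).decode()))
```

On a real file, call `triage_html(open(path, encoding="utf-8", errors="replace").read())` from a scratch VM, not the affected machine. A `.lnk`, `.exe`, `.js` or `.dll` in the listing, or a volume label mimicking the lure, is the kind of artefact the thread asks about; the base64 match only reports the first literal's assumed download name, and pages that build the blob from several fragments will need the regex adapted.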
Maurice Naggar Posted April 18, 2022 ID:1511887
If the scan is still running, then close the app (Cancel / exit out). Then restart Windows and let the system settle in.
Next to do: please set File Explorer to SHOW ALL folders, all files, including hidden ones. Use OPTION ONE or TWO of this guide: https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html
NEXT, this will be a check with ESET Online Scanner for viruses, other malware, adware, & potentially unwanted applications.
Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe
It will start a download of "esetonlinescanner.exe". Save the file to your system, such as the Downloads folder, or else to the Desktop.
Go to the saved file, and double click it to get it started.
When presented with the initial ESET options, click on "Computer Scan".
Next, when prompted by Windows, allow it to start by clicking Yes.
When prompted for scan type, click on Full scan.
Look at & tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.
Have patience. The entire process may take an hour or more. There is an initial update download. There is a progress window display. You may step away from the machine & let it be. That is, once it is under way, you should leave it running. It will run for several hours.
At the screen "Detections occurred and resolved", click on the blue button "View detected results".
On the next screen, at lower left, click on blue "Save scan log". View where the file is to be saved. Provide a meaningful name for the "File name:".
On the last screen, set to Off (left) the option for Periodic scanning. Click "save and continue".
Please attach the report file so I can review.
cnbehler Posted April 18, 2022 ID:1511900
Will do - stay tuned.
cnbehler Posted April 18, 2022 ID:1511943
Scan log attached.
Attachments: cnbehler ESET Scan Log.txt, Scan log Contents & Screenshot.docx
Maurice Naggar Posted April 19, 2022 ID:1512005 (marked as Solution)
Thanks. Let's check your system with another (different) antivirus scan tool.
Please download and run the following Kaspersky Virus Removal Tool 2020 and save it to your Desktop. (Kaspersky Virus Removal Tool version 20.0.10.0 was released on November 9, 2021.)
Download: Kaspersky Virus Removal Tool
How to run a scan with Kaspersky Virus Removal Tool 2020: https://support.kaspersky.com/15674
How to run Kaspersky Virus Removal Tool 2020 in the advanced mode: https://support.kaspersky.com/15680
How to restore a file removed during a Kaspersky Virus Removal Tool 2020 scan: https://support.kaspersky.com/15681
Select the Windows key and R key together; the "Run" box should open.
Drag and drop KVRT.exe into the Run box. C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the Run box.
Add -dontencrypt. Note the space between KVRT.exe and -dontencrypt. C:\Users\{your user name}\DESKTOP\KVRT.exe -dontencrypt should now show in the Run box.
That addendum to the run command is very important: when the scan does eventually complete, the resultant report is normally encrypted; with the extra command it is saved as a readable file.
Reports are saved here: C:\KVRT2020_Data\Reports, and look similar to this: report_20210123_113021.klr
Right-click directly onto that report, select > Open with > Notepad. Save that file and attach it to your reply.
To start the scan, select OK in the "Run" box.
A EULA window will open; tick all confirmation boxes, then select "Accept".
In the new window select "Change Parameters".
In the new window ensure all selection boxes are ticked, then select "OK".
The scan should now start...
When complete, if entries are found there will be options; if "Cure" is offered, leave as is. For any other options change to "Delete", then select "Continue".
When complete, or if nothing was found, select "Close".
Attach the report information as previously instructed...
Thank you
cnbehler Posted April 19, 2022 ID:1512030
Will do. Thanks for your continued help!
cnbehler Posted April 20, 2022 ID:1512147
I think my system is virus-free!
Attachments: CNBEHLER report_2022.04.20_08.20.10.klr.txt, Post-Kapersky Viral Removal Screenshot (cnbehler).docx
Maurice Naggar Posted April 20, 2022 ID:1512153
Bravo! Most excellent result from the Kaspersky KVRT tool.
I would recommend getting a readout report as to the update status of some key apps.
Download SecurityCheck by glax24 from here: https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe and save the tool on the desktop.
If Windows SmartScreen blocks that with a message window, click on the MORE INFO spot, override that and allow it to proceed. This tool is safe. SmartScreen is overly sensitive.
Right-click with your mouse on SecurityCheck.exe and select "Run as administrator", and reply YES to allow it to run & go forward.
Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file. Attach it with your next reply.
You can find this file in a folder called SecurityCheck: C:\SecurityCheck\SecurityCheck.txt
cnbehler Posted April 20, 2022 ID:1512163
Thanks, Maurice. I couldn't get my system to let this file run so I'll quit while I'm ahead! 😄 You have been VERY helpful and I'm grateful! Hope I don't have to tap your patience and knowledge again!
cnbehler Posted April 21, 2022 ID:1512167
One last request, please. The Security.exe file from glax24 is in my Downloads folder but I can't delete it, even though I'm the system administrator. What should I do, please?
Maurice Naggar Posted April 21, 2022 ID:1512178
I believe that this system is good to go. This is the all clear for this case.
This next tool is to clean up the tools we used during this case. What follows is just a tools cleanup. It will also delete SecurityCheck.
Please download KpRm by kernel-panik and save it to your desktop.
Right-click kprm_(version).exe and select Run as Administrator.
Read and accept the disclaimer.
When the tool opens, ensure all boxes under Actions are checked.
Under Delete Quarantines select Delete Now, then click Run.
Once complete, click OK.
A log may open in Notepad titled kprm-(date).txt. I do not need it. Just close Notepad if it shows up.
Consider using PatchMyPC to keep all your software up-to-date: https://patchmypc.com/home-updater#download
cnbehler Posted April 21, 2022 ID:1512204
I've got the tool installed and have a question about allowing ALL the actions. Why would I delete restore points and the registry backup, unless the tool is "smart enough" to only delete the most recent versions of these files?
Maurice Naggar Posted April 21, 2022 ID:1512213
Hello. If KpRm has completed its run, it has already made the adjustments. If it has not been run and you wish to not run it, then just delete KpRm. And yes, KpRm does have smarts.
Maurice Naggar Posted April 21, 2022 ID:1512214
Glad we could help.
If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.
Please review the following to help you better protect your computer and privacy: Tips to help protect from infection
Thank you