
Malicious disk image file (.iso)


Solved by Maurice Naggar

I have Malwarebytes Premium 4.5.7. I suspect a malicious iso disk image file was downloaded when I clicked on a html file.  I saw it right away but couldn’t delete it since system reported it “in use”.  I rebooted my system but disk repair had to run first before I could log back in and successfully delete iso file. I ran Malwarebytes threat scan and nothing was found.  Then I ran custom scan. No issues detected in rootkits, memory, startup item or registry. BUT last scan of file system is still going after 42 hours with 1 Detection.  What should I do?

It is scanning my C: Drive.  I finally stopped it, quarantined and removed the 1 detection it found (a PUP file that seems unrelated to the disk image problem), deleted a lot of old files, and restarted scan of C: drive (547 GB used).  New scan is still going at 26 hours with no detections.


Just some remarks. A custom scan of the C drive can well take many hours. The amount of time it takes depends much on a few things:
  • the number of files on disk
  • the speed of the hardware, especially the type of disk.
Also keep in mind, the number and types of other running applications may also affect the run time.


I appreciate your help, Maurice.  This article describes what happened to me: https://borncity.com/win/2022/01/28/sans-isc-warnt-bsartige-iso-datei-in-html-seite-eingebettet-jan-2022/

I opened an email with Order_Receipt.html because I had JUST ordered something online and then I opened the html file.  While I was looking at it, the REAL receipt for my order came in and I immediately knew something was wrong.  I found the .iso file in my downloads folder and attempted to delete it but I couldn't since the system said it was in use (oh oh!).  I rebooted my system and when it re-started, it kicked off a disk repair action that took about 2-3 minutes.  After that, I deleted the .iso file (but forgot to note its name before I did so).

I have Windows 10.  I've run Norton 360 and Malwarebytes Quick Scan several times and nothing was found. Now I'm running the custom scan for the second time.  No issues detected in rootkits, memory, startup item or registry. BUT last scan of file system (C: Drive) is still going after 42 hours with 0 Detection.

Any feedback on what I would see if the .iso file had infected my system, please?

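The "in use" symptom described above is what Windows 10 reports when a disk image file is still attached as a virtual DVD drive. The following PowerShell script is an added example (not from this thread or from any of the tools it mentions) that inventories .iso files under the current user's Downloads folder and reports which of them Windows still has mounted, optionally dismounting them so the file can be deleted. It assumes Windows 10 with the built-in Storage module (Get-DiskImage, Get-Volume, Dismount-DiskImage); the script name and the -Dismount switch are my own.

```powershell
# Added example (not from the forum thread): list .iso files in the current
# user's Downloads folder and report whether Windows still has any of them
# mounted as a virtual DVD drive. Assumes Windows 10 with the built-in
# Storage module (Get-DiskImage / Get-Volume / Dismount-DiskImage).
# Usage: .\Check-MountedIso.ps1            (report only)
#        .\Check-MountedIso.ps1 -Dismount  (also detach mounted images)
param(
    [switch]$Dismount
)

$downloads = Join-Path $env:USERPROFILE 'Downloads'

# 1. Every .iso file under Downloads, newest first, with size and timestamp.
$isoFiles = Get-ChildItem -Path $downloads -Filter '*.iso' -File -Recurse -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending

if (-not $isoFiles) {
    Write-Host "No .iso files found under $downloads"
} else {
    Write-Host "ISO files under ${downloads}:"
    $isoFiles | Format-Table LastWriteTime, Length, FullName -AutoSize
}

# 2. Which of those images is currently attached (mounted)? An attached image
#    is exactly the "file in use" situation: the file cannot be deleted until
#    it is dismounted.
foreach ($iso in $isoFiles) {
    try {
        $img = Get-DiskImage -ImagePath $iso.FullName -ErrorAction Stop
    } catch {
        Write-Warning "Could not query $($iso.FullName): $_"
        continue
    }
    if ($img.Attached) {
        $vol = $img | Get-Volume -ErrorAction SilentlyContinue
        $letter = if ($vol) { $vol.DriveLetter } else { '?' }
        Write-Host "MOUNTED: $($iso.FullName) as drive ${letter}:" -ForegroundColor Yellow
        if ($Dismount) {
            Dismount-DiskImage -ImagePath $iso.FullName
            Write-Host "  dismounted $($iso.FullName)"
        }
    }
}

# 3. A virtual DVD volume whose image lives outside Downloads (for example an
#    .iso opened from a temp folder) still shows up as a CD-ROM volume; list
#    those too so nothing attached is overlooked (physical drives included).
$cdVolumes = Get-Volume | Where-Object { $_.DriveType -eq 'CD-ROM' -and $_.Size -gt 0 }
if ($cdVolumes) {
    Write-Host "Attached CD-ROM/DVD volumes:"
    $cdVolumes | Format-Table DriveLetter, FileSystemLabel, Size -AutoSize
}
```

Run it from a normal PowerShell window first to see the inventory; dismounting does not delete the .iso, it only releases the lock, after which the file can be removed or submitted to the scanners recommended later in the thread. Note the file name before deleting it, since the name is the one detail the responders would otherwise have to work without.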

If the scan is still running, then close the app (Cancel / exit out). Then restart Windows and let the system settle in. Next, please set File Explorer to SHOW ALL folders, all files, including hidden ones. Use OPTION ONE or TWO of this article.
Please use this guide: https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

NEXT, this will be a check with ESET Online Scanner for viruses, other malware, adware, and potentially unwanted applications.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

It will start a download of "esetonlinescanner.exe".

  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started.
  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes.
  • When prompted for scan type, click on Full scan.
  • Look at and tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.
  • Have patience. The entire process may take an hour or more. There is an initial update download.
  • There is a progress window display. You may step away from the machine and let it be. That is, once it is under way, you should leave it running. It will run for several hours.
  • At the screen "Detections occurred and resolved" click on the blue button "View detected results".
  • On the next screen, at lower left, click on the blue "Save scan log".
  • View where the file is to be saved. Provide a meaningful name for the "File name:".
  • On the last screen, set to Off (left) the option for Periodic scanning.
  • Click "Save and continue".
  • Please attach the report file so I can review it.

Solution

Thanks. Let's check your system with another ( different ) antivirus scan tool.

Please download and run the following Kaspersky Virus Removal Tool 2020 and save it to your Desktop.

(Kaspersky Virus Removal Tool version 20.0.10.0 was released on November 9, 2021)

Download: Kaspersky Virus Removal Tool

  • How to run a scan with Kaspersky Virus Removal Tool 2020

          https://support.kaspersky.com/15674

  • How to run Kaspersky Virus Removal Tool 2020 in the advanced mode

          https://support.kaspersky.com/15680

  • How to restore a file removed during Kaspersky Virus Removal Tool 2020 scan

          https://support.kaspersky.com/15681

Select the Windows Key and R Key together; the "Run" box should open.

Drag and drop KVRT.exe into the Run box.

C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the Run box.

Add -dontencrypt (note the space between KVRT.exe and -dontencrypt).

C:\Users\{your user name}\DESKTOP\KVRT.exe -dontencrypt should now show in the Run box.

That addendum to the run command is very important: when the scan does eventually complete, the resultant report is normally encrypted; with the extra switch it is saved as a readable file.

Reports are saved here: C:\KVRT2020_Data\Reports and look similar to this: report_20210123_113021.klr
Right-click directly on that report, select > Open with > Notepad. Save that file and attach it to your reply.

To start the scan select OK in the "Run" box.

An EULA window will open; tick all confirmation boxes, then select "Accept".

In the new window select "Change Parameters".

In the new window ensure all selection boxes are ticked, then select "OK". The scan should now start...

When complete, if entries are found there will be options; if "Cure" is offered leave it as is. For any other options change to "Delete", then select "Continue".

When complete, or if nothing was found, select "Close".

Attach the report information as previously instructed...

Thank you
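The Run-box steps above can be scripted so the -dontencrypt switch is never forgotten and the fresh report is picked out automatically. This PowerShell script is an added example (not from this thread and not part of Kaspersky's tool); it assumes KVRT.exe was saved to the current user's Desktop, that PowerShell is already running as administrator, and the report folder C:\KVRT2020_Data\Reports named in the post.

```powershell
# Added example (not from the forum thread): launch KVRT.exe from the Desktop
# with the -dontencrypt switch, wait for the scan to finish, then locate the
# newest report under C:\KVRT2020_Data\Reports and open it in Notepad.
# Assumes KVRT.exe was saved to the current user's Desktop and that this
# console is already elevated (run PowerShell as administrator).
$kvrt      = Join-Path ([Environment]::GetFolderPath('Desktop')) 'KVRT.exe'
$reportDir = 'C:\KVRT2020_Data\Reports'

if (-not (Test-Path $kvrt)) {
    throw "KVRT.exe not found at $kvrt; download it to the Desktop first."
}

# Remember which reports already exist so the new one can be told apart.
$before = @(Get-ChildItem -Path $reportDir -Filter '*.klr' -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty FullName)

# Equivalent to typing  <path>\KVRT.exe -dontencrypt  into the Run box, except
# that -Wait blocks until the tool exits so the report lookup happens afterwards.
$proc = Start-Process -FilePath $kvrt -ArgumentList '-dontencrypt' -Wait -PassThru
Write-Host "KVRT exited with code $($proc.ExitCode)"

# Pick the newest .klr that was not present before the run.
$report = Get-ChildItem -Path $reportDir -Filter '*.klr' -ErrorAction SilentlyContinue |
    Where-Object { $before -notcontains $_.FullName } |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 1

if (-not $report) {
    Write-Warning "No new report found in $reportDir (was -dontencrypt accepted?)"
    return
}

Write-Host "Report: $($report.FullName)"
# With -dontencrypt the .klr is plain text, so Notepad can display it directly;
# use Save As (or Copy-Item) to produce the .txt attachment asked for above.
Start-Process -FilePath notepad.exe -ArgumentList "`"$($report.FullName)`""
```

The pre/post comparison of the report folder matters because KVRT keeps earlier reports in the same directory; choosing purely by newest timestamp would still work on a first run but not if an older scan's report happened to be touched.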

Bravo! Most excellent result from Kaspersky KVRT tool. :D I would recommend getting a readout report as to update status of some key apps.

  • and save the tool on the desktop.
  • If Windows' SmartScreen blocks that with a message window, then click on the MORE INFO spot and override that and allow it to proceed.

This tool is safe. SmartScreen is overly sensitive.

Right-click with your mouse on the SecurityCheck.exe and select "Run as administrator" and reply YES to allow it to run and go forward.
Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file. Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

I believe that this system is good to go. 

:D This is the all clear for this case. This next tool is to cleanup the tools we used during this case. What follows is just a tools cleanup. It will also delete Securitycheck

Please download KpRm by kernel-panik and save it to your desktop.

  • right-click kprm_(version).exe and select Run as Administrator.
  • Read and accept the disclaimer.
  • When the tool opens, ensure all boxes under Actions are checked.
  • Under Delete Quarantines select Delete Now, then click Run.
  • Once complete, click OK.
  • A log may open in Notepad titled kprm-(date).txt.  I do not need it. Just close Notepad if it shows up.

Consider using PatchMyPC, keep all your software up-to-date - https://patchmypc.com/home-updater#download


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy Tips to help protect from infection

Thank you

This topic is now closed to further replies.