
was Trojan.VBS.TaskExecution


Solved by Maurice Naggar


IF you got anything from "pirate bay" yourself, then absolutely uninstall / remove it. Question after reading the MB scan report: CHEAT ENGINE 7.3 is marked as a PUP.

Did you get that from the actual publisher via a purchase?

As to the rest of that snippet, I will guide you on removing any remaining actual pests.


I got something from 1337x.to and I deleted all of it.

I got cheatengine from official website, but I don't use it I can uninstall it. 

Also I saw that powershell running that the guy above from the picture is talking about, but I don't see it anymore.

And that hidden script contains some folders like:
%localappdata%\Google\Chrome\User Data\Default\Extensions
%localappdata%\BraveSoftware\Brave-Browser\User Data\Default\Extensions

Here is the full script and how to remove it posted to github:
https://gist.github.com/infernoboy/cf114fda56ff3706478e0d1e6a1a1b27?permalink_comment_id=4140687#gistcomment-4140687


There is no need to go hunting on the web about the former pest. Malwarebytes program has got the major part of it removed. 

Take these actions so that Windows 11 is set to show all hidden files and folders.
Open File Explorer from the taskbar.

Select View > Show > Hidden items.
*

This custom script is for  Peca21  only / for this machine only.

Be very sure to Save any work-files you have open at this point. Close & Save any open edits, if any. Next, a custom script to do  checks & some  cleanups. 

We will use FRST64  on the Downloads  folder to run a custom script.    The system will be rebooted after the script has run.

This custom script has some specific things, plus some general aspects to help the system overall. Hoping it will not exceed 60 minutes in execute time.

NOTE-1: This script will run a scan using System File Checker to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run the Windows tool DISM to check Windows integrity. It will rebuild the Winsock. It will remove the remains of the scheduled task parent folder for the job that had been used by the pest.

NOTE-2: This should run a quick scan with MS Defender antivirus and remove outstanding action items, if any.

NOTE-3: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. 

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome,  and Opera  & BRAVE caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

  • Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.


  • If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached,  please disconnect any of those.
  • Please save the (attached file named) FIXLIST.txt   to the   Downloads   folder

Fixlist.txt          <<< - - - - -

Then, Start the Windows Explorer and then, go  to the Downloads   folder.


RIGHT click on FRST64 and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow it to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

  • IF you get a block message from Windows about this tool......

               click line More info on that screen
               and click button Run anyway on next screen.

  • on the FRST window:

Click the Fix button just once, and wait.



PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. 
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity.


Hi. Apologies for my last line on my prior post. That was an oversight. Anyhow, as to pinned folders, the run did not delete any of them. I think what may have happened is that the 'history' of them as far as displaying may have changed. But for sure those were not "deleted".
The overall run is good. There is one exe file that has been identified by 18 vendors (including Microsoft and Malwarebytes) that we need to delete. That is TMX.EXE
There is another exe that is a zero-byte file & we ought to delete that - -PRODUKEY.EXE

This custom script is for  Peca21  only / for this machine only.

Be very sure to Save any work-files you have open at this point. Close & Save any open edits, if any. 

We will use FRST64  on the Downloads  folder to run a custom script.    The system will be rebooted after the script has run.

Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.

  • Please save the (attached file named) FIXLIST.txt   to the   Downloads   folder

Fixlist.txt          <<< - - - - -

Then, Start the Windows Explorer and then, go  to the Downloads   folder.


RIGHT click on FRST64 and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow it to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

  • IF you get a block message from Windows about this tool......

               click line More info on that screen
               and click button Run anyway on next screen.

  • on the FRST window:

Click the Fix button just once, and wait.


You will see a green progress bar start. When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity.


Thank you. That run is fine.
Let's do one scan with Malwarebytes Adwcleaner to check for adware. Just before pressing that "scan" button, be sure that Chrome & Edge, or other web browsers, are Closed.
It will not take much time.
First download & save it

https://support.malwarebytes.com/hc/en-us/articles/360038520054-Download-and-install-Malwarebytes-AdwCleaner


Then be sure to close all web browsers.

Then go to where the EXE file is saved. Start Adwcleaner. Then do a scan with Adwcleaner.

https://support.malwarebytes.com/hc/en-us/articles/360038520114-Malwarebytes-AdwCleaner-scan-and-clean

Attach the clean log.


  • AdvancedSetup changed the title to was Trojan.VBS.TaskExecution

Hi. Thanks. That is a good run of the Adwcleaner!

Next, this will be a check with ESET Onlinescanner for potential remains of viruses, other malware, adware, & potentially unwanted applications.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe


It will start a download of "esetonlinescanner.exe"

  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started.


  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes
  • When prompted for scan type, Click on Full scan

Look at & tick ( select ) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on Start scan button.

  • Have patience. The entire process may take an hour or more. There is an initial update download.

There is a progress window display. You may step away from the machine & let it be. That is, once it is under way, you should leave it running. It will run for several hours.

  • At screen "Detections occurred and resolved" click on blue button "View detected results"
  • On next screen, at lower left, click on blue "Save scan log"
  • View where file is to be saved. Provide a meaningful name for the "File name:"
  • On last screen, set to Off (left) the option for Periodic scanning
  • Click "save and continue"
  • Please attach the report file so I can review

I scanned with the Eset, here is the log file: scan.txt

I am not sure why every antivirus is detecting the WSCC folder when every file is clean there.

I also had a problem with Windows after the scan. I restarted my PC and it didn't want to boot anymore for some reason, and I had to use the system restore point from May 15th, so now I don't know how much cleaning progress I lost, but I am not running all this again. Defender got enabled and deleted like 15 of my programs from my computer for no reason.

I only downloaded a script that checks my clipboard for a BTC address then pastes its own, but we've been cleaning this PC like it's stealing my bank details.

Thank you for your help @Maurice Naggar, but I am done with this, I don't have time to fix my PC, keep restoring my settings and programs that every antivirus detected as a false positive. 


I do hope that you are not entirely giving up, because I firmly believe you can benefit from another review.
Addressing the ESET log results:
ESET did find a threat in a folder of Discord ( which is well known recently to be able to be compromised and mis-used by malware).
It detected PowerShell/Agent.GZ trojan in this Discord folder  C:\Users\Zajo\AppData\Roaming\discord\Cache\f_000199
*
As to the Nirsoft exe's, those can well be false positives. But those, if you wanted, can be replaced.
*
As to Microsoft Defender antivirus, I would like to see the specifics of what exactly it removed or flagged that you believe are false.
*
This next step is simply to get a report collection. It will not make any changes. Kindly do this so I can review, and also re-check to see that the system has not got a malware threat. 

I would appreciate a report set for review.   This is a report only.

Please download MALWAREBYTES MBST Support Tool

Once you start it click Advanced >>> then   Gather Logs

Have patience till the run has finished.

Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop.

 

  • Please attach  mbst-grab-results.zip    to your reply 


Discord detection was probably a script that we removed because I sent it to my friend, but only as a text file, didn't send the exe or vbs.

The problem with defender is it's blocking like 10 apps from WSCC, and I don't know how to stop it.
It also blocked JDownloader shortcut and flashtool for flashing my phone to newest update for some reason. 
It also deleted some registry keys that I wrote also for no reason.

And I also don't know why my PC didn't boot after I ran ESET and, as I said, I had to do a system restore back to May 15th, so who knows which things got reset.

Here is the zip file MB Support gave me:

mbst-grab-results.zip


You have listed a few different things. We need to look at one at a time. Thanks to your new report of today, I see that Malwarebytes is version 4.5.8 and I would like to get it upgraded to version 4.5.9. First, close any ongoing work programs, including any instant messenger ones, especially including Discord. Save any on-going work or edits.  Close all web browsers.

Do a new scan with Malwarebytes for Windows.

Do a Check for Update using the Malwarebytes Settings >> General tab.

See this Support Guide https://support.malwarebytes.com/hc/en-us/articles/360042187934-Check-for-updates-in-Malwarebytes-for-Windows

When it shows a new version available, Accept it and let it proceed forward.  Be sure it succeeds.

If prompted to do a Restart, just please follow all directions.

Let me know how that goes.    Next, the Malwarebytes scan.

Then click the Security tab. Scroll down and let's be sure the line in SCAN OPTIONS for

"Scan for rootkits" is ON 👈   Click it to get it ON if it does not show a blue-color .


Next, click the small x on the Settings line to go to the main Malwarebytes Window.   Next click the blue button marked Scan.


When the scan phase is done, be real sure you Review and have all detected lines items check-marked on each line on the left. That too is very critical.

>>>>>>      👉      You can actually click the topmost left  check-box  on the very top line to get ALL lines  ticked   ( all selected).         <<<<     💢


Please double verify you have that TOP check-box tick-marked, and that then all lines have a tick-mark.

Then click on Quarantine  button.
Then, locate the Scan run report;  export out a copy;  & then attach in with your  reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

😉


After finishing the steps above ^^^^ this is the next task, mainly to see that the rogue scheduled task "netservice" is gone

This custom script is for  Peca21  only / for this machine only.

Be very sure to Save any work-files you have open at this point. Close & Save any open edits, if any. 

We will use FRSTENGLISH  on the Downloads  folder to run a custom script.    The system will be rebooted after the script has run.

Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.

  • Please save the (attached file named) FIXLIST.txt   to the   Downloads   folder

          <<< - - - - -

Then, Start the Windows Explorer and then, go  to the Downloads   folder.


RIGHT click on FRSTENGLISH   and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run.

  • IF Windows prompts you about running this, select YES to allow it to proceed.
  • IF you get a block message from Windows about this tool......

               click line More info on that screen
               and click button Run anyway on next screen.

  • on the FRST window:

Click the Fix button just once, and wait.


You will see a green progress bar start. When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity.


Yes, sorry, I forgot.

I ran the scan again with everything closed scan.txt

Quote

[SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
"DisableBehaviorMonitoring"=-
"DisableOnAccessProtection"=-
"DisableScanOnRealtimeEnable"=-

If I see this correctly the fixlist will enable defender back and I don't want that, how can I skip it?

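For anyone reading this thread later who wants to look at their own machine before deciding about a fixlist like the one quoted above: the PowerShell below is an added, read-only example, not code from this thread, from FRST or from any Malwarebytes tool. It lists scheduled tasks whose action launches a script host (the way the rogue "netservice" task discussed above ran) and reports the three Real-Time Protection policy values quoted in the post; the task name and value names come from the thread, and the script-host list and "suspicious argument" pattern are assumptions for illustration.

```powershell
# Added read-only triage example; it is not from this thread, FRST, or any fixlist.
# Assumes Windows 10/11 with the built-in ScheduledTasks module, run from an
# elevated PowerShell prompt. The task name "netservice" and the three policy
# value names come from the thread; everything else is assumed for illustration.

# Script hosts that a VBS/PowerShell loader registered as a scheduled task typically runs.
$script:ScriptHosts = @('wscript.exe', 'cscript.exe', 'powershell.exe', 'pwsh.exe', 'mshta.exe')

function Get-ScriptHostScheduledTask {
    # Emit one object per Exec action whose program is a script host.
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # COM-handler actions have no Execute property; -replace turns $null into ''.
            $exe = [System.IO.Path]::GetFileName(($action.Execute -replace '"', '')).ToLower()
            if ($script:ScriptHosts -contains $exe) {
                $argText = [string]$action.Arguments
                [PSCustomObject]@{
                    TaskPath   = $task.TaskPath
                    TaskName   = $task.TaskName
                    State      = $task.State
                    Execute    = $action.Execute
                    Arguments  = $argText
                    # The name seen in this thread, or arguments that hide the window / bypass policy.
                    Suspicious = ($task.TaskName -eq 'netservice') -or
                                 ($argText -match '(?i)windowstyle\s+hidden|-w\s+hidden|encodedcommand|bypass')
                }
            }
        }
    }
}

function Get-DefenderRealtimePolicy {
    # The quoted fixlist lines end in "=-", which is .reg syntax for deleting a value,
    # so those policy values stop overriding Defender. A value of 1 means policy is
    # forcing that protection OFF; an absent value means Defender's own default applies.
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
    $names = @('DisableBehaviorMonitoring', 'DisableOnAccessProtection', 'DisableScanOnRealtimeEnable')
    $props = if (Test-Path -Path $key) { Get-ItemProperty -Path $key } else { $null }
    foreach ($name in $names) {
        $value  = if ($null -ne $props) { $props.$name } else { $null }
        $effect = if ($null -eq $value) { 'not set (Defender default applies)' }
                  elseif ($value -eq 1) { 'protection forced OFF by policy' }
                  else { "set to $value" }
        [PSCustomObject]@{ Policy = $name; Value = $value; Effect = $effect }
    }
}

# Report only; nothing here changes tasks or registry values.
Get-ScriptHostScheduledTask | Format-Table -AutoSize
Get-DefenderRealtimePolicy  | Format-Table -AutoSize
```

A task flagged Suspicious, or a policy value reported as forcing protection OFF, is something to mention in a reply so the helper can see it before a fix is written.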

Hello @Peca21 I have read your last message. Use this one here.

This custom script is for  Peca21  only / for this machine only.

Be very sure to Save any work-files you have open at this point. Close & Save any open edits, if any. 

We will use FRSTENGLISH  on the Downloads  folder to run a custom script.    The system will be rebooted after the script has run.

Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.

  • Please save the (attached file named) FIXLIST.txt   to the   Downloads   folder

Fixlist.txt          <<< - - - - -

Then, Start the Windows Explorer and then, go  to the Downloads   folder.


RIGHT click on FRSTENGLISH   and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run.

  • IF Windows prompts you about running this, select YES to allow it to proceed.
  • IF you get a block message from Windows about this tool......

               click line More info on that screen
               and click button Run anyway on next screen.

  • on the FRST window:

Click the Fix button just once, and wait.


You will see a green progress bar start. When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity.


Thank you.  I would recommend getting a report on the update status of some key apps.

This tool is safe. Smartscreen is overly sensitive.

Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"   and reply YES to allow to run & go forward
Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file.  Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt


As to the items highlighted by SecurityCheck:
--------------- [ Windows ] -------------------------------
User Account Control disabled (Level 1)
^It is recommended to enable (default): Win+R typing UserAccountControlSettings and Enter^

Notepad++ (64-bit x64) v.8.3.3   Warning! Download Update

Python 3.8.10 (64-bit) v.3.8.10150.0   Warning! Download Update
FileZilla Client 3.56.2 v.3.56.2   Warning! Download Update

------------------------------ [ ArchAndFM ] ------------------------------
WinRAR 6.02 (64-bit) v.6.02.0   Warning! Download Update
------------------------------- [ Imaging ] -------------------------------
IrfanView 4.58 (64-bit) v.4.58   Warning! Download Update

-------------------------- [ IMAndCollaborate ] ---------------------------
Discord v.1.0.9003   Warning! Download Update

---------------------------- [ ProxyAndVPNs ] -----------------------------
ProtonVPN v.1.25.0   Warning! Download Update

-------------------------------- [ Java ] ---------------------------------
Java 8 Update 311 (64-bit) v.8.0.3110.11   Warning! Download Update
Uninstall old version and install new one (jre-8u333-windows-x64.exe).

------------------------------- [ Browser ] -------------------------------
Mozilla Firefox (x64 en-US) v.100.0   Warning! Download Update

---------------------------- [ UnwantedApps ] -----------------------------
CCleaner v.5.90 Warning!  Computer experts no longer recommend this program.

Winaero Tweaker v.1.33.0.0   Warning! Suspected demo version of anti-spyware, driver updater or optimizer. If this program is not familiar to you it is recommended to uninstall it 

IObit Unlocker v.1.2.0.1   Warning! Application is distributed through the partnership programs and bundle assemblies. Uninstallation recommended. Possible you became a victim of fraud or social engineering.

JDownloader 2 v.2.0   Warning! Suspected Adware! If this program is not familiar to you it is recommended to uninstall it 

