Wirth Posted May 18, 2022 ID:1516108

Hello, I've been infected with the XR.exe virus. I have tried several virus scanners to remove the virus but nothing works; please reply if you can help. It's been 3+ days since the virus has appeared.

Maurice Naggar Posted May 18, 2022 ID:1516112

Hi. My name is Maurice. I will guide you.

Start Malwarebytes.
Click the Settings ( gear ) icon.
Click the Security tab.
Scroll down and let's be sure the line in SCAN OPTIONS for "Scan for rootkits" is ON 👈
Click it to get it ON if it does not show a blue color.
Now click on the GENERAL tab.
Do a Check for Update using the Malwarebytes Settings >> General tab. See this Support Guide:
https://support.malwarebytes.com/hc/en-us/articles/360042187934-Check-for-updates-in-Malwarebytes-for-Windows
When it shows a new version available, accept it and let it proceed forward. Be sure it succeeds.
If prompted to do a Restart, just please follow all directions.

Next, the Malwarebytes scan.
Next, click the blue button marked Scan.
When the scan phase is done, be real sure you Review and have all detected line items check-marked on each line on the left. That too is very critical.
>>>>>> 👉 You can actually click the topmost left check-box on the very top line to get ALL lines ticked ( all selected ). <<<< 💢
Please double verify you have that TOP check-box tick-marked, and that then all lines have a tick mark.
Then click on the Quarantine button.
Then, locate the Scan run report; export out a copy; & then attach it with your reply. See
https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

Edited May 18, 2022 by Maurice Naggar

Wirth Posted May 18, 2022 Author ID:1516128

Thank you, what should I do if this re-appears? Also can you give me some tips to avoid this again?

logs.txt

Wirth Posted May 18, 2022 Author ID:1516129

3 minutes ago, Wirth said:
    Thank you, what should I do if this re-appears? Also can you give me some tips to avoid this again?
    logs.txt

Nevermind, it reappeared again.. Help..

Maurice Naggar Posted May 18, 2022 ID:1516132

I will guide you along on looking for remaining malware. Let's keep these principles as we go along.

Removing malware can be unpredictable.
Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
Only run the tools I guide you to.
Do not run online games while the case is on-going. Do not do any free-wheeling web-surfing.
The removal of malware isn't instantaneous, please be patient.
Cracked or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also a big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
Please stick with me until I give you the "all clear".
If your system is running Discord, please be sure to Exit out of it while this case is on-going.

The last run of Malwarebytes has removed some components of the pest. I need more information from this machine.
Close as many other apps as you can before running this report.
I would like a report set for review. This is a report only.

Please download the MALWAREBYTES MBST Support Tool.
Once you start it, click Advanced >>> then Gather Logs.
Have patience till the run has finished.
Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop.
Please attach mbst-grab-results.zip to your reply.

Wirth Posted May 18, 2022 Author ID:1516134

If this is helpful: when I turned on DISCORD, the trojan was detected again.

mbst-grab-results.zip

Maurice Naggar Posted May 18, 2022 ID:1516136

As I said, be sure to EXIT Discord, and keep it off. Use Task Manager, find Discord and select it, and select End Process.
You may even Uninstall Discord.

I will have a special custom run soon.

Wirth Posted May 18, 2022 Author ID:1516138

No no no, you misunderstood me; that was after the scan and before the gather log. I already closed Discord before the log gather.

Maurice Naggar Posted May 18, 2022 ID:1516147

This custom script is for Wirth only / for this machine only.

Be very sure to Save any work-files you have open at this point. Close & Save any open edits, if any.
We will use FRSTENGLISH on the Downloads folder to run a custom script.
The system will be rebooted after the script has run.
Please be sure to Close any open work files, documents, any apps you started yourself before starting this.

Please save the (attached file named) FIXLIST.txt to the Downloads folder.
Fixlist.txt <<< - - - - -

Then, start the Windows Explorer and go to the Downloads folder.
RIGHT-click on FRSTENGLISH and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow it to run.
IF Windows prompts you about running this, select YES to allow it to proceed.
IF you get a block message from Windows about this tool...... click the line More info on that screen and click the button Run anyway on the next screen.

On the FRST window:
Click the Fix button just once, and wait. You will see a green progress bar start.
When finished, the tool will make a log ( Fixlog.txt ) in the same location from where it was run.
Please attach the FIXLOG.txt with your next reply later, at your next opportunity.

Stick with me. There will be more to do.

Wirth Posted May 18, 2022 Author ID:1516149

Erm

Wirth Posted May 18, 2022 Author ID:1516153

I can't download the file, all my other anti-viruses are down already.

Wirth Posted May 18, 2022 Author ID:1516155

Please help me, I can't download it.

Maurice Naggar Posted May 18, 2022 ID:1516156

Fixlist.txt

Take these actions so that Windows 11 is set to show all hidden files and folders.
Open File Explorer from the taskbar.
Select View > Show > Hidden items.

Here is the file again. Try using a different browser than the one used last time. Use the EDGE browser.
Take your mouse pointer, do a RIGHT-click on the attached file above, select SAVE as, direct it to your Downloads folder, and see to it that it is saved just AS-IS with the name FIXLIST.txt

Maurice Naggar Posted May 18, 2022 ID:1516157

IF you still have no success getting the Fixlist attachment, then Uninstall these programs:

AVG AntiVirus FREE
GridinSoft Anti-Malware
SpyHunter 5
McAfee Security Scan Plus

and if you do not have a current paid license for this McAfee LiveSafe, then Uninstall that as well.

After that, do my last suggested custom fix run.

Wirth Posted May 18, 2022 Author ID:1516159

I have completed all steps given, here is the fixlog.

Fixlog.txt

Maurice Naggar Posted May 18, 2022 ID:1516163

Thank you. One quick followup.

First DELETE the prior saved Fixlist.txt that we saved on the Downloads folder.

This custom script is for Wirth only / for this machine only.

Be very sure to Save any work-files you have open at this point. Close & Save any open edits, if any.
We will use FRSTENGLISH on the Downloads folder to run a custom script.
The system will be rebooted after the script has run.
Please be sure to Close any open work files, documents, any apps you started yourself before starting this.

Please save the (attached file named) FIXLIST.txt to the Downloads folder.
Fixlist.txt <<< - - - - -

Then, start the Windows Explorer and go to the Downloads folder.
RIGHT-click on FRSTENGLISH and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow it to run.
IF Windows prompts you about running this, select YES to allow it to proceed.
IF you get a block message from Windows about this tool...... click the line More info on that screen and click the button Run anyway on the next screen.

On the FRST window:
Click the Fix button just once, and wait. You will see a green progress bar start.
When finished, the tool will make a log ( Fixlog.txt ) in the same location from where it was run.
Please attach the FIXLOG.txt with your next reply later, at your next opportunity.

Stick with me. There will be more to do.

Edited May 18, 2022 by Maurice Naggar

Wirth Posted May 18, 2022 Author ID:1516164

Completed

Fixlog.txt

Maurice Naggar Posted May 18, 2022 ID:1516165

Thanks. Next, 2 tasks.

Let's do one scan with Malwarebytes Adwcleaner to check for adware. Just before pressing that "scan" button, be sure that Chrome & Edge, or any other web browsers, are Closed. It will not take much time.

First download & save it:
https://support.malwarebytes.com/hc/en-us/articles/360038520054-Download-and-install-Malwarebytes-AdwCleaner
Then be sure to close all web browsers.
Then go to where the EXE file is saved. Start Adwcleaner.
Then do a scan with Adwcleaner:
https://support.malwarebytes.com/hc/en-us/articles/360038520114-Malwarebytes-AdwCleaner-scan-and-clean
Attach the clean log.

[ NEXT ]

Next, this will be a check with ESET Onlinescanner for viruses, other malware, adware, & potentially unwanted applications.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe
It will start a download of "esetonlinescanner.exe".
Save the file to your system, such as the Downloads folder, or else to the Desktop.
Go to the saved file, and double-click it to get it started.
When presented with the initial ESET options, click on "Computer Scan".
Next, when prompted by Windows, allow it to start by clicking Yes.
When prompted for scan type, click on Full scan.
Look at & tick ( select ) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.
Have patience. The entire process may take an hour or more. There is an initial update download.
There is a progress window display.
You may step away from the machine & let it be. That is, once it is under way, you should leave it running. It will run for several hours.
At the screen "Detections occurred and resolved", click on the blue button "View detected results".
On the next screen, at lower left, click on the blue "Save scan log".
View where the file is to be saved.
Provide a meaningful name for the "File name:".
On the last screen, set to Off (left) the option for Periodic scanning.
Click "save and continue".
Please attach the report file so I can review.

Wirth Posted May 18, 2022 Author ID:1516166

It is 1am on my end, can I leave it running overnight and wake up tomorrow and continue?

Maurice Naggar Posted May 18, 2022 ID:1516169

yes, sure

Wirth Posted May 18, 2022 Author ID:1516170

Attached is the Clean Log, ESET To Be Completed

AdwCleaner[C00].txt

Wirth Posted May 19, 2022 Author ID:1516234

Good morning Maurice,
Attached are the ESET logs. I have school in 30 mins so I'll not be able to respond.

esetlogs.txt

Wirth Posted May 19, 2022 Author ID:1516253

Is it advised to be using Discord at this stage of the cleansing?

Maurice Naggar Posted May 19, 2022 ID:1516270

Stay out of Discord as much as possible.

We need to do a new scan. The ESET had found the trojan, the same trojan as the original.

Start Malwarebytes.
Click the Settings ( gear ) icon.
Click the Security tab.
Scroll down and let's be sure the line in SCAN OPTIONS for "Scan for rootkits" is ON 👈
Click it to get it ON if it does not show a blue color.
Now click on the GENERAL tab.
Do a Check for Update using the Malwarebytes Settings >> General tab. See this Support Guide:
https://support.malwarebytes.com/hc/en-us/articles/360042187934-Check-for-updates-in-Malwarebytes-for-Windows
When it shows a new version available, accept it and let it proceed forward. Be sure it succeeds.
If prompted to do a Restart, just please follow all directions.

Next, the Malwarebytes scan.
Next, click the blue button marked Scan.
When the scan phase is done, be real sure you Review and have all detected line items check-marked on each line on the left. That too is very critical.
>>>>>> 👉 You can actually click the topmost left check-box on the very top line to get ALL lines ticked ( all selected ). <<<<
Please double verify you have that TOP check-box tick-marked, and that then all lines have a tick mark.
Then click on the Quarantine button.
Then, locate the Scan run report; export out a copy; & then attach it with your reply. See
https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

Edited May 19, 2022 by Maurice Naggar

Wirth Posted May 19, 2022 Author ID:1516278

Attached Scan Logs for Malwarebytes

Scan Logs.txt