YoungStarDC Posted June 27, 2022 ID:1522385 Share Posted June 27, 2022 Hi, Since today, I've been constantly getting a pop up from MB that it has blocked a Trojan/Riskware from WMAIL-ENDPOINT/CHAT. A scan full scan has yielded no results. Any help would be greatly appreciated! Link to post Share on other sites More sharing options...
Maurice Naggar Posted June 27, 2022 ID:1522391 Share Posted June 27, 2022 Hi @YoungStarDC My name is Maurice. What follows is the 1st ( but very key ) first step. I would like a report set for review. This is a report only. Please download MALWAREBYTES MBST Support Tool Once you start it click Advanced >>> then Gather Logs Have patience till the run has finished. Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop. Please attach mbst-grab-results.zip to your reply 😀 Link to post Share on other sites More sharing options...
YoungStarDC Posted June 27, 2022 Author ID:1522395 Share Posted June 27, 2022 Hi @Maurice Naggar, thank you for your quick reply! Please find the requested archive attached to this message. mbst-grab-results.zip Link to post Share on other sites More sharing options...
Maurice Naggar Posted June 28, 2022 ID:1522408 Share Posted June 28, 2022 I would like for us to get copies of 2 files that seem to be connected to the scheduled task that is at the root of main issue. This is just to collect copies, to get them into a zip file; plus to arrange to have this type of task to be logged by Windows. This is like a first step. This custom script is for YoungStarDC only / for this machine only. Be very sure to Save any work-files you have open at this point. Close & Save any open edits, if any. . We will use FRSTENGLISH on the Downloads folder to run a custom script. The system will be rebooted after the script has run. Please be sure to Close any open work files, documents, any apps you started yourself before starting this. Please save the (attached file named) FIXLIST.txt to the Downloads folder Fixlist.txt <<< - - - - - Then, Start the Windows Explorer and then, go to the Downloads folder. RIGHT click on FRSTENGLISH and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow to run. to run the tool. If the tool warns you the version is outdated, please download and run the updated version. IF Windows prompts you about running this, select YES to allow it to proceed. IF you get a block message from Windows about this tool...... click line More info information on that screen and click button Run anyway on next screen. on the FRST window: Click the Fix button just once, and wait. PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Please attach the FIXLOG.txt with your next reply later, at your next opportunity. AFTER completion of this run, look on the desktop for a ZIP file named with the current local date & time of this run. Please attach it also. The Malwarebytes block notices do mean that it is protecting your system. We will do more on the next round. Thank you. Link to post Share on other sites More sharing options...
YoungStarDC Posted June 28, 2022 Author ID:1522411 Share Posted June 28, 2022 Please find the two requested files attached. 28.06.2022_02.35.50.zip Fixlog.txt Link to post Share on other sites More sharing options...
Maurice Naggar Posted June 28, 2022 ID:1522412 Share Posted June 28, 2022 Thank you. There is a trojan script here. The best classification I have found is the one by CheckPoint. They classify as Trojan.Multi.GenAutorunTaskFile.a What follows below is a next step. There will still be more to do after this. First Delete the prior Fixlist.txt on Downloads folder ( the one from before ). This custom script is for YoungStarDC only / for this machine only. Be very sure to Save any work-files you have open at this point. Close & Save any open edits, if any. . We will use FRSTENGLISH on the Downloads folder to run a custom script. The system will be rebooted after the script has run. Please be sure to Close any open work files, documents, any apps you started yourself before starting this. Please save the (attached file named) FIXLIST.txt to the Downloads folder Fixlist.txt <<< - - - - - Then, Start the Windows Explorer and then, go to the Downloads folder. RIGHT click on FRSTENGLISH and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow to run. to run the tool. If the tool warns you the version is outdated, please download and run the updated version. IF Windows prompts you about running this, select YES to allow it to proceed. IF you get a block message from Windows about this tool...... click line More info information on that screen and click button Run anyway on next screen. on the FRST window: Click the Fix button just once, and wait. PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Please attach the FIXLOG.txt with your next reply later, at your next opportunity. Link to post Share on other sites More sharing options...
YoungStarDC Posted June 28, 2022 Author ID:1522416 Share Posted June 28, 2022 Please find it attached. Fixlog.txt Link to post Share on other sites More sharing options...
Maurice Naggar Posted June 28, 2022 ID:1522432 Share Posted June 28, 2022 Please do one new Scan with Malwarebytes. Let me know that result. Also, let me know whether the Block notices have ceased, Link to post Share on other sites More sharing options...
YoungStarDC Posted June 28, 2022 Author ID:1522484 Share Posted June 28, 2022 Hi Maurice, I've stopped getting the notices and a full scan with Malwarebytes says 0 detections. It seems to be solved, thank you so much! Do you have any idea how I got this trojan? It seemed quite random. Link to post Share on other sites More sharing options...
Maurice Naggar Posted June 28, 2022 ID:1522509 Share Posted June 28, 2022 Hello. Glad to hear the good news. How does this type of pest happen: My experience in other cases of this type of trojan, over a span of some 2 months, is that a download of a "game mod" of a game or perhaps a download of hacked app is what starts the cascade of infection. Otherwise, the other possibilities are the accepting & opening an Email attachment. * [ Do a custom scan with Microsoft Defender Antivirus ] Just want to do a visual check in Windows Security to see (visually) that Microsoft Defender is on , and to do a Custom scan. From the Windows Start menu, select Settings, then select Update and Security. Next, look at the left-side menu & select Windows Security Next, In Windows Security section: Click on the grey button Open Windows Security Now, click on the shield Virus and threat protection Look to see that Microsoft Defender is shown & available for use. On the next display, look at all the options. Look down the list and see "Check for Updates" . You should click on that to have the system check for updates for Windows Defender. Watch & wait for that to complete. Please also note that the Scan options (all) can be displayed by clicking on Scan options. Click that & select CUSTOM scan & then pick the C drive & have it go forward. Once it has started the scan phase, you can go take a long break. Let me know the results. Link to post Share on other sites More sharing options...
YoungStarDC Posted June 28, 2022 Author ID:1522534 Share Posted June 28, 2022 The scan turned out clean, 0 threats found. Link to post Share on other sites More sharing options...
Maurice Naggar Posted June 28, 2022 ID:1522560 Share Posted June 28, 2022 Good. Well worth it to do a different check. This will be a check with ESET Onlinescanner for potential viruses, other malware, adwares, & potentially unwanted applications. Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe It will start a download of "esetonlinescanner.exe" Save the file to your system, such as the Downloads folder, or else to the Desktop. Go to the saved file, and double click it to get it started. When presented with the initial ESET options, click on "Computer Scan". Next, when prompted by Windows, allow it to start by clicking Yes When prompted for scan type, Click on Full scan Look at & tick ( select ) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on Start scan button. Have patience. The entire process may take an hour or more. There is an initial update download. There is a progress window display. You may step away from machine &. Let it be. That is, once it is under way, you should leave it running. It will run for several hours. At screen "Detections occured and resolved" click on blue button "View detected results" On next screen, at lower left, click on blue "Save scan log" View where file is to be saved. Provide a meaningful name for the "File name:" On last screen, set to Off (left) the option for Periodic scanning Click "save and continue" Please attach the report file so I can review Link to post Share on other sites More sharing options...
YoungStarDC Posted June 29, 2022 Author ID:1522677 Share Posted June 29, 2022 It took a long while but here we have it! ESET scan log 29-06-22.txt Link to post Share on other sites More sharing options...
Solution Maurice Naggar Posted June 29, 2022 Solution ID:1522678 Share Posted June 29, 2022 Hi. That ESET Onlinescan is well worth the time and effort. It has confirmed the removal of 2 previously-removed trojans. VBS/Runner.NWJ trojan & PowerShell/Agent.AIX trojan. Further, it also removed javascript trojans, plus several hacktool elements. Let's check your system with another ( different ) antivirus scan tool. Please download and run the following Kaspersky Virus Removal Tool 2020 and save it to your Desktop. (Kaspersky Virus Removal Tool version 20.0.10.0 was released on November 9, 2021) Download: Kaspersky Virus Removal Tool How to run a scan with Kaspersky Virus Removal Tool 2020 https://support.kaspersky.com/15674 How to run Kaspersky Virus Removal Tool 2020 in the advanced mode https://support.kaspersky.com/15680 How to restore a file removed during Kaspersky Virus Removal Tool 2020 scan https://support.kaspersky.com/15681 Select the Windows Key and R Key together, the "Run" box should open. Drag and Drop KVRT.exe into the Run Box. C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the run box. add -dontencrypt Note the space between KVRT.exe and -dontencryptC:\Users\{your user name}\DESKTOP\KVRT.exe -dontencrypt should now show in the Run box. That addendum to the run command is very important, when the scan does eventually complete the resultant report is normally encrypted, with the extra command it is saved as a readable file. Reports are saved here C:\KVRT2020_Data\Reports and look similar to this report_20210123_113021.klr Right-click direct onto that report, select > open with > Notepad. Save that file and attach it to your reply. To start the scan select OK in the "Run" box. A EULA window will open, tick all confirmation boxes then select "Accept" In the new window select "Change Parameters" In the new window ensure all selection boxes are ticked, then select "OK" The scan should now start... When complete if entries are found there will be options, if "Cure" is offered leave as is. For any other options change to "Delete" then select "Continue" When complete, or if nothing was found select "Close" Attach the report information as previously instructed... Sincerely. Link to post Share on other sites More sharing options...
YoungStarDC Posted June 29, 2022 Author ID:1522742 Share Posted June 29, 2022 Hi Maurice, please find the log attached. report_2022.06.29_15.55.16.txt Link to post Share on other sites More sharing options...
Maurice Naggar Posted June 30, 2022 ID:1522857 Share Posted June 30, 2022 That scan was well worth doing. Question: Please advise whether any new Block notices have occurred about "wmail" ? and # 2 I would recommend getting a report on the update status of some key apps. Download SecurityCheck by glax24 from here https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe and save the tool on the desktop. If Windows's SmartScreen block that with a message-window, then Click on the MORE INFO spot and over-ride that and allow it to proceed. This tool is safe. Smartscreen is overly sensitive. Right-click with your mouse on the Securitycheck.exe and select "Run as administrator" and reply YES to allow to run & go forward Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file. Attach it with your next reply. You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt Link to post Share on other sites More sharing options...
YoungStarDC Posted June 30, 2022 Author ID:1522879 Share Posted June 30, 2022 Hi Maurice, SecurityCheck.txtno more warnings. Please find the check attached. Link to post Share on other sites More sharing options...
Maurice Naggar Posted June 30, 2022 ID:1522887 Share Posted June 30, 2022 (edited) It is great to hear that the pest is gone. 🖕 💢 What follows is what is highlighted by SecurityCheck as needing your follow-up actions. This will help get the system more secure. Git version 2.27.0 v.2.27.0 Warning! Download Update VMware Workstation v.15.5.2 Warning! Download Update Microsoft Visual Studio Code v.1.59.0 Warning! Download Update FileZilla Client 3.57.0 v.3.57.0 Warning! Download Update GitHub Desktop v.2.8.3 Warning! Download Update Python 3.9.4 (64-bit) v.3.9.4150.0 Warning! Download Update TeamViewer v.15.20.3 Warning! Download Update 7-Zip 19.00 (x64) v.19.00 Warning! Download UpdateUninstall old version and install new one. WinRAR 5.90 (64-bit) v.5.90.0 Warning! Download Update IrfanView 4.58 (32-bit) v.4.58 Warning! Download Update Discord v.1.0.9002 Warning! Download Update Microsoft Teams v.1.4.00.11161 Warning! Download Update WhatsApp v.2.2218.8 Warning! Download Update Telegram Desktop version 3.7 v.3.7 Warning! Download Update mIRC v.7.65 Warning! Download Update Java 8 Update 251 (64-bit) v.8.0.2510.8 Warning! Download UpdateUninstall old version and install new one (jre-8u333-windows-x64.exe). VLC media player v.3.0.16 Warning! Download Update HandBrake 1.3.3 v.1.3.3 Warning! Download Update Mozilla Firefox (x64 en-US) v.101.0.1 Warning! Download Update CCleaner v.5.87 Warning! Ever since Piriform sold it to another entity, security pros hae ceased to endorse its use. You can use the built-into-Windows "CLEANMGR". JDownloader 2 v.2.0 Warning! Suspected Adware! If this program is not familiar to you it is recommended to uninstall it. Bonjour v.3.1.0.1 Warning! Application is distributed through partnership programs and bundle assemblies. Uninstall Bonjour. Your system does not need it. Edited July 1, 2022 by AdvancedSetup Corrected font issue Link to post Share on other sites More sharing options...
YoungStarDC Posted July 1, 2022 Author ID:1522898 Share Posted July 1, 2022 I will definitely do that, thank you very much! Link to post Share on other sites More sharing options...
Maurice Naggar Posted July 1, 2022 ID:1522962 Share Posted July 1, 2022 You are welcome. This here is for tools cleanup. Please download KpRm by kernel-panik and save it to your desktop. right-click kprm_(version).exe and select Run as Administrator. Read and accept the disclaimer. When the tool opens, ensure all boxes under Actions are checked. Under Delete Quarantines select Delete Now, then click Run. Once complete, click OK. A log may open in Notepad titled kprm-(date).txt. I do not need it. Just close Notepad if it shows up. Delete mb-support-1.8.7.918.exe on Downloads folder Delete mbst-grab-results.zip on the Desktop. Consider using PatchMyPC, keep all your software up-to-date - https://patchmypc.com/home-updater#download What can help to prevent infections are (1) having Malwarebytes Premium as a real-time protection AND ( 2) observing computer-safety practices every single day & every single session using the computer. Listed below. SAFETY TIPS: Backup is your best friend. Keep backups of your system on a regular basis to offline storage & keep those safe. https://forums.malwarebytes.com/topic/136226-backup-software/ It is not enough to just have a security program installed. Each pc user needs to practice daily safe computer and internet use. Best practices & malware prevention: Follow best practices when browsing the Internet, especially on opening links coming from untrusted sources. First rule of internet safety: slow down & think before you "click". Never click links without first hovering your mouse over the link and seeing if it is going to an odd address ( one that does not fit or is odd looking or has typos). That is first golden principle. Do not be mindlessly quick with the "click finger". 🤔 Free games & free programs are like "candy". We do not accept them from "strangers". Never ever get or use hacked/cracked apps or games. Never open attachments that come with unexpected ( out of the blue ) email or "instant message" no matter how enticing. Never open attachments from the email itself. Do not double click in the email. Always Save first and then scan with antivirus program. Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed. Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next". Use a Standard user account rather than an administrator-rights account when "surfing" the web. See more info on Corrine's SecurityGarden Blog http://securitygarden.blogspot.com/p/blog-page_7.html Only using the Standard-access-level user account when surfing and downloading / installing would have been a tremendous way to prevent the infections of this machine. Don't remove ( or change ) your current login. Just use the new Standard-user-level one for everyday use while on the internet. Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware. For other added tips, read "10 easy ways to prevent malware infection" I wish you all the best. Link to post Share on other sites More sharing options...
Maurice Naggar Posted July 1, 2022 ID:1522963 Share Posted July 1, 2022 Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Please review the following to help you better protect your computer and privacy Tips to help protect from infection Thank you Link to post Share on other sites More sharing options...
Recommended Posts