Possible Malware

[Markedwardsaundersii]

 

Good afternoon.

When I turn on my computer (windows 10) the notepad opens with the following message displayed: 

*desktop.ini - Notepad

13
[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-2178

 

When I run my Bitdefender Total Security it yields a threat was blocked: Operating system executed (issue with wininit.exe) wininit.exe -> services.exe -> svchost.exe -> threat detected (alternative outcome) (see attached). 

 

When attempting to delete Heur.BZC.ERT.Boxter.75.1C8952B6 I was unable to delete the issue. (see screen shot 2)

 

Any assistance would be appreciated to clear these issues.

[Maurice Naggar]

Hello.  

 My name is Maurice. What follows is the 1st ( but very key ) first step. 

I would like a report set for review.   This is a report only.

Please download MALWAREBYTES MBST Support Tool

Once you start it click Advanced >>> then   Gather Logs

 Have patience till the run has finished.

Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop.

 

• Please attach  mbst-grab-results.zip    to your reply 😀

[Markedwardsaundersii]

Hello Maurice,

Thank you so much for your assistance. 

Please see attached.

mbst-grab-results.zip

[Maurice Naggar]

I will guide you along on looking for malware. Lets keep these principles as we go along.

• Removing malware can be unpredictable
• Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
• Only run the tools I guide you to.
• Do not run online games while case is on-going. Do not do any free-wheeling web-surfing.
• The removal of malware isn't instantaneous, please be patient.
• Cracked or or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed, is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
• Please stick with me until I give you the "all clear".
• If your system is running Discord, please be sure to Exit out of it while this case is on-going.
• This machine has a serious trojan infection. I will have a custom script for you to run soon. Meantime, do not use this machine for other purpose, until I give the all clear. Keep in mind the cleaning process will take several rounds.

[Maurice Naggar]

This custom script is for  Markedward  only / for this machine only.

Be very sure to Save any work-files you have open at this point. Close & Save any open edits, if any. . 

We will use FRSTENGLISH  on the Downloads  folder to run a custom script.    The system will be rebooted after the script has run.

Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.

• Please save the (attached file named) FIXLIST.txt   to the   Downloads   folder

Fixlist.txt       <<< - - - - -

Then, Start the Windows Explorer and then, go  to the Downloads   folder.

RIGHT click on FRSTENGLISH   and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run.
  to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

• IF you get a block message from Windows about this tool......

               click line More info information on that screen
               and click button Run anyway on next screen.

• on the FRST window:

Click the Fix button just once, and wait.

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. 

1. Please attach the FIXLOG.txt with your next reply later, at your next opportunity.
2. AFTER completion of this run,  look on the desktop for a ZIP file named with the current local date & time of this run. Please attach it also.
3. We will do more on the next round(s).  

[Markedwardsaundersii]

Hello, 28.06.2022_14.31.32.zip

 

Thank you so much for your help today.

Here are the attached files.

Fixlog.txt

[Maurice Naggar]

Alright. I have the report & the zip collection. Thank you.
Now then. Since this Windows has BitDefender, go ahead and do a full scan with it. Let me know the result.

[Markedwardsaundersii]

Greetings, 

Please see attached for the results. 

 

Thank you again!

[Markedwardsaundersii]

Attached are the results from the log.

 

[Maurice Naggar]

Thank you very much for the report. Bitdefender Total Security reported no threats present. I would like you to proceed with what follows.
[ 1 ]
Do as much as possible of all the steps on this one linked-post of mine. Just keep going down the list & do as much as you can.

https://forums.malwarebytes.com/topic/280326-roshur-has-omnatuorcom-block-notice/?do=findComment&comment=1485972
[  2  ]

Do a new scan with Malwarebytes for Windows.

Do a Check for Update using the Malwarebytes Settings >> General tab.

See this Support Guide https://support.malwarebytes.com/hc/en-us/articles/360042187934-Check-for-updates-in-Malwarebytes-for-Windows

When it shows a new version available, Accept it and let it proceed forward.  Be sure it succeeds.

If prompted to do a Restart, just please follow all directions.

Let me know how that goes.    Next, the Malwarebytes scan.

Then click the Security tab.  Scroll down and lets be sure the line in SCAN OPTIONs for

"Scan for rootkits" is ON 👈   Click it to get it ON if it does not show a blue-color .

 

Next, click the small x on the Settings line to go to the main Malwarebytes Window.   Next click the blue button marked Scan.

 

When the scan phase is done, be real sure you Review and have all detected lines items check-marked on each line on the left. That too is very critical.

>>>>>>      👉      You can actually click the topmost left  check-box  on the very top line to get ALL lines  ticked   ( all selected).         <<<<     💢

 

Please double verify you have that TOP  check-box tick marked.   and that then, all lines have a tick-mark

 

Then click on Quarantine  button.

 

Then, locate the Scan run report;  export out a copy;  & then attach in with your  reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

😉

[Markedwardsaundersii]

Greetings,

Please see attached for the malware bytes report.

Thank you :D

 

malwarebytes report 6-29-22.txt

[Maurice Naggar]

That is a excellent result-report from Malwarebytes. YAY. 

A request please 

I would like to get a copy of what we placed in Quarantine, from the runs I had you do. Please. 

• Using Windows File Explorer, Navigate to C:\FRST folder on your system. Expand the folder so you see all contents.
• Right click on Quarantine > Send to > Compressed (zipped) folder
• Upload the archive in your next reply
• If archive is too big you can upload here > https://wetransfer.com/

Also, Let me know how the situation is at this point on Windows.

Thank you!

[Markedwardsaundersii]

Greetings,

Please see attached. 

Do you mind providing information on what the cause of this was or if I should delete this folder?

Thank you!

Quarantine.zip

[Maurice Naggar]

Quick note: Do not delete any thing on your own. I will be guiding you on the cleanups of tools we used.

[Maurice Naggar]

I am having to do multiple posts. You asked essentially "how" or "what" was the source of original problem. Answer: I cannot know that. I can just only speculate and ask some questions of you.
Prior to the first appearance of a problem, Did you accept or open a file or attachment from any source? Like maybe from a Email or from something passed thru a instant-message app ?
Did you go and download some "free"-type application or game modification that was too good to pass up?

What can help to prevent infections are (1) having Malwarebytes Premium as a real-time protection AND ( 2) observing computer-safety practices every single day & every single session using the computer. Listed below.

SAFETY TIPS:

Backup is your best friend.  Keep backups of your system on a regular basis to offline storage & keep those safe. https://forums.malwarebytes.com/topic/136226-backup-software/

It is not enough to just have a security program installed. Each pc user needs to practice daily safe computer and internet use.

Best  practices & malware prevention:
Follow best practices when browsing the Internet, especially on opening links coming from untrusted sources.
First rule of internet safety: slow down & think before you "click".
Never click links without first hovering your mouse over the link and seeing if it is going to an odd address ( one that does not fit or is odd looking or has typos). That is first golden principle. Do not be mindlessly quick with the "click finger". 🤔

Free games & free programs are like "candy". We do not accept them from "strangers". Never ever get or use hacked/cracked apps or games.

Never open attachments that come with unexpected ( out of the blue ) email or "instant message" no matter how enticing.
Never open attachments from the email itself. Do not double click in the email. Always Save first and then scan with antivirus program.

Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed.
Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next".

Use a Standard user account rather than an administrator-rights account when "surfing" the web.
See more info on Corrine's SecurityGarden Blog http://securitygarden.blogspot.com/p/blog-page_7.html

Only using the Standard-access-level user account when surfing and downloading / installing would have been a tremendous way to prevent the infections of this machine.

Don't remove ( or change )  your current login. Just use the new Standard-user-level one for everyday use while on the internet.

 

Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

For other added tips, read "10 easy ways to prevent malware infection"  

[Maurice Naggar]

This here is for tools cleanup. 

Please download KpRm by kernel-panik and save it to your desktop.

• right-click kprm_(version).exe and select Run as Administrator.
• Read and accept the disclaimer.
• When the tool opens, ensure all boxes under Actions are checked.
• Under Delete Quarantines select Delete Now, then click Run.
• Once complete, click OK.
• A log may open in Notepad titled kprm-(date).txt.  I do not need it. Just close Notepad if it shows up.

Delete mb-support-1.8.7.918.exe on Downloads folder
Delete mbst-grab-results.zip on the Desktop.

Consider using PatchMyPC, keep all your software up-to-date - https://patchmypc.com/home-updater#download

I wish you all the best.

[Maurice Naggar]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy Tips to help protect from infection

Thank you