
Help | Skegnessasc.org Virus



Hello. 2 days ago I installed an old game, Sims 1 Complete Collection, from a mobile Toshiba storage drive on my PC.

I scanned it before using it because it was an old file; I scanned it with Avast.

Shortly after the installation finished, I got a message that Windows cannot find "Restorefunction.exe". After that I started to get pop-up messages from Avast every 15-20 minutes: "Threat blocked skegnessasc.org because it was infected with URL:Blacklist".
I tried to delete the game but got a Catastrophic failure that says installation files are missing from Windows. Later I downloaded the Revo remover software, and with this software I succeeded in removing the game.
I have done a smart and full scan with Avast but 0 viruses were found. (I don't know where to find the log.txt to post it; I will be happy for help.)
I downloaded Malwarebytes Anti-Malware and did a full scan, and it found this thing. (I uploaded a text file called "Virus" to show what Malwarebytes found.)
After that Malwarebytes asked me to restart my PC, but Avast keeps popping up over 100 messages a day. (I uploaded a picture to show the Avast messages.)

Please help me!

Problem1.png

virus.txt


Hello @Aviv and welcome:

While you are waiting for the next qualified/approved malware removal expert helper to weigh in on your topic, and even though you may have run one or more of its following procedural steps, please carefully follow the instructions within the following:

I'm infected - What do I do now?

Remember, please be certain to attach (not Copy and Paste) the three (3) resulting report files in your next reply to this topic.

Thank you.

References:

https://www.virustotal.com/gui/file/006f53120528e8cccc07a0a03d92bbfc6b76dd3e55daf529b614c511c60f35b3/detection

https://www.virustotal.com/gui/url/673f0744c8e9bb751e20c38c24b0106b15de2c6910b235e2fb5b11dfe4a2c663/detection

The URL above is currently returning an HTTP 404.

Edited by 1PW

  • Root Admin

Please review the following @Aviv


Edge Notifications: Default -> hxxps://www.facebook.com

Are you sure you want this enabled or allowed? Push Notifications on your browser appear to be enabled.

https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

Turn notifications on or off - Google Chrome

Web Push notifications in Firefox


Please temporarily disable your Avast real-time protection and run the following fix.

To disable Avast Antivirus, right click the Avast icon in the notification area of your Windows taskbar and select Avast shields control. Select one of the following options:

    Disable for 10 minutes
    Disable for 1 hour
    Disable until computer is restarted

I would recommend setting it off for 1 hour


When it has been completed, please attach the FIXLOG.txt file.


Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

NOTE-3: As part of this fix it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Discord cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks


Edited by AdvancedSetup
Updated information

On 7/8/2022 at 8:31 AM, AdvancedSetup said:

[the post above, quoted in full]

Hello and thank you very much for your answer and help. Before I go ahead and follow what you sent me, I just want to update that I have done a system restore to 1/7/2022. Avast stopped showing any messages, but Malwarebytes pops up messages that it is blocking things from time to time.

Is it still fine to use it after I did the system restore?


malwarebytespic.png

malwarebytespic1.png


Hello @Aviv <<pardon the intrusion>> Know that the Malwarebytes "Block" notices mean that Malwarebytes is keeping the system safe from potential harm. The potential threat was Stopped. Proceed forward and do All that AdvancedSetup had outlined for you to do. After all that is done & the system is Restarted, then look to see that Avast is back On.
NEXT, This is a report only.

Please download MALWAREBYTES MBST Support Tool

Once you start it click Advanced >>> then Gather Logs

Have patience till the run has finished.

Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop.


2 hours ago, Maurice Naggar said:

[the post above, quoted in full]

Hi, and thank you for your confirmation. I have done this fix and followed what AdvancedSetup told me to do.

Here is the Fixlog.txt (by the way, the Edge browser history was not deleted by this fix as the guide said it would be).

And the mbst-grab-results.zip.


Fixlog.txt mbst-grab-results.zip


Hello @Aviv 

You do not need to click on "Quote" when you begin a reply on this forum. I am very temporarily stepping in to relay a script that hopefully should be helpful in quashing some ( if not most) of the repeating Block events. You have FRST64 on the Desktop.

Since you finished the first custom run, I need for you to now Delete the file "Fixlist.txt" currently on the Desktop.

This custom script is for  Aviv only / for this machine only.

Be very sure to Save any work-files you have open at this point. Close & Save any open edits, if any.

We will use FRST64 in the Desktop folder to run a custom script. The system will be rebooted after the script has run.

Please be sure to Close any open work files, documents, and any apps you started yourself before starting this.

  • Please save the (attached file named) FIXLIST.txt to the Desktop folder

Fixlist.txt

Then, start Windows Explorer and go to the Desktop folder.

RIGHT click on FRST64 and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow it to run. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

  • IF you get a block message from Windows about this tool......

               click the More info line on that screen
               and click the Run anyway button on the next screen.

  • on the FRST window:

Click the Fix button just once, and wait.

frst-fix.jpg

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. 

  1. Please attach the FIXLOG.txt with your next reply later, at your next opportunity.
  2. Also, after you attach the log-report, Please do a new scan with Malwarebytes. 😀
Edited by Maurice Naggar

Hello. The custom script run is good, in that it cleared some cache files & also attempted to set some firewall rules with the goal of helping out. I am making the following observation (below), then bowing out & asking @AdvancedSetup to resume further assistance.

The issue (of block notices) that started out this case was due to attempted probes from the outside.

The real-time protection of Malwarebytes for Windows is keeping the PC safe. It will continue to do so, given that you have Malwarebytes Premium.

Here are some general conclusions & some tips.

The blocks are on addresses that are making forced attempts to exploit the Remote Desktop Protocol.

The Real Time Protection of Malwarebytes for Windows is actively doing its job to protect the system.

I would recommend that if you have internet-connection-router hardware at home, you look over this article
"How to Enable Your Wireless Router's Built-in Firewall"
https://www.lifewire.com/how-to-enable-your-wireless-routers-built-in-firewall-2487668


In most cases the attempted probes will automatically stop on their own. If it continues you can add the IP to the local firewall to prevent it from contacting the computer, period.
If you wish to do so, here is one how-to guide for the Windows software firewall
https://www.interserver.net/tips/kb/add-ip-address-windows-firewall/

Additionally or alternatively, if this is on Windows 10 PRO and if you do not need or use Remote Desktop, you can turn that off.
https://www.tenforums.com/tutorials/92433-enable-disable-remote-desktop-connections-windows-10-pc.html

This Windows version is a PRO edition. IF you do not use remote desktop access to other outside machines, then I suggest you turn RDP Off.

The probers look for PRO or Enterprise editions as a prime potential target for exploitation.

Here is how to block a port number in Windows

https://thegeekpage.com/how-to-block-ports-in-windows-10-firewall/


How to Change the port number for RDP

https://tunecomp.net/change-remote-desktop-port-windows-10/


ALSO see this Malwarebytes support article
https://support.malwarebytes.com/hc/en-us/articles/360048565893-Receiving-message-Website-blocked-due-to-compromise

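A defender-side check for the RDP advice in the post above, as an added PowerShell example that is not from this thread or from any of the posters. It reads the same settings the linked guides change by hand (the Remote Desktop enable flag and listener port, and the built-in "Remote Desktop" firewall rule group), offers a function that turns RDP off as the post suggests, and adds one explicit inbound block rule for a source address. The address used is a constructed placeholder from a documentation range, and the function and rule names are assumptions of this example.

```powershell
# Added example, not from the thread: audit this host's RDP exposure, then
# optionally block a source address that keeps appearing in inbound block notices.
# Assumptions: Windows 10 Pro, Windows PowerShell 5.1 or later, elevated prompt.
#Requires -RunAsAdministrator

function Get-RdpExposure {
    # fDenyTSConnections = 1 means Remote Desktop is OFF (the safe state when
    # RDP is not used). PortNumber is the RDP listener port, 3389 by default.
    $ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections
    $tcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name PortNumber

    # The built-in "Remote Desktop" rule group is what the firewall opens for RDP.
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
    $openInbound = @($rules | Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }).Count

    # Is anything actually listening on that port right now?
    $listening = [bool](Get-NetTCPConnection -State Listen -LocalPort $tcp.PortNumber -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        RdpEnabled        = ($ts.fDenyTSConnections -eq 0)
        ListenPort        = $tcp.PortNumber
        FirewallRulesOpen = $openInbound
        Listening         = $listening
    }
}

function Disable-RdpAccess {
    # What the post recommends when Remote Desktop is never used: turn it off and
    # close the inbound rule group, so outside probes hit a closed port.
    Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    Get-RdpExposure
}

function Block-InboundAddress {
    param([Parameter(Mandatory)][string]$Address)
    # One explicit inbound Block rule per source. Block rules take precedence over
    # Allow rules in Windows Defender Firewall, so this holds even if RDP stays on.
    $name = "Block inbound from $Address"   # hypothetical rule name used by this example
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -RemoteAddress $Address `
            -Action Block -Profile Any -Enabled True | Out-Null
    }
    Get-NetFirewallRule -DisplayName $name
}

# Usage: first see where the host stands.
Get-RdpExposure | Format-List

# Constructed placeholder for the address seen repeatedly in the block log
# (TEST-NET-3 documentation range, not an address from this thread).
$NoisyAddress = '203.0.113.10'
Block-InboundAddress -Address $NoisyAddress | Select-Object DisplayName, Enabled, Action

# Only if Remote Desktop is never used on this machine:
# Disable-RdpAccess
```

Run `Get-RdpExposure` before and after any change: if `RdpEnabled` is false, `FirewallRulesOpen` is 0 and `Listening` is false, the probes the Malwarebytes notices report have nothing to reach, and the per-address block rule is just belt and braces. Changing the listener port, as one of the linked guides describes, shows up in `ListenPort` and should be checked the same way.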

First, a lot of thanks, sir.

I have read all your posts and I will follow them as well.

Now my problem is that I'm wondering what to do. Currently I have paid Avast Premium antivirus until 2023, and the Malwarebytes is only a Premium trial, and I'm using the Malwarebytes software just to do the scans for the current problem; then I close it and keep running with Avast.

It makes me worry that Malwarebytes now blocks things, and Avast has been quiet since the last system restore that I did.

Are the Malwarebytes web blocks a normal thing? (It does not block as often, every 20 minutes, like before.) So is this the same virus as before? I'm very curious to understand.

Aviv.

Quiet

Forgive me, how do I edit my last message? Sorry for the "quiet" at the end; it is a mis-paste.

* Update

I have now opened Malwarebytes after it was closed since the last (second) custom run, and this is what I'm seeing. Look how many blocks it shows from today.


Blocks.png


  • Root Admin

Please disable Kaspersky temporarily and run the following


Microsoft Safety Scanner

Please make sure you Exit out of any other program you might have open so that the sole task is to run the following scan.
That goes especially for web browsers; make sure all are fully exited out of, and messenger programs are exited and closed as well.

STEP 1

Please set File Explorer to SHOW ALL folders, all files, including hidden ones.  Use OPTION ONE or TWO of this article

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

STEP 2

I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download


Look on the Scan Options & select the FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

  • Once you see it has started, take a long long break;  walk away.  Do not pay credence if you see some intermediate early flash messages on the screen display.  The only things that count are the End result at the end of the run.
  • The scan will take several hours.  Leave it alone. It will remove any other remaining threats as it goes along.  Take a very long break, do your normal personal errands .....just do not use the computer during this scan.

This is likely to run for many hours as previously mentioned  ( depending on the number of files on your machine & the speed of the hardware.)

The log is named MSERT.log  and the log will be at C:\Windows\debug\msert.log

Please attach that log with your next reply.


It is normal for the Microsoft Safety Scanner to show detections during the scan process. It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.

Then it writes into the log on your computer what it found.


  • Root Admin

There is no doubt that a CLEAN install of Windows would be best, but most users push back about doing it and often want to try and clean the current computer.

If you'd like to do a clean install of Windows, then here are some links to do so. Please let me know how you'd like to proceed.


Greg Carmack - MVP 2010-2020 -Clean Install Windows 10
https://answers.microsoft.com/en-us/windows/forum/windows_10-windows_install/clean-install-windows-10/1c426bdf-79b1-4d42-be93-17378d93e587

How to Create a Local Account While Setting Up Windows 10
https://www.howtogeek.com/442792/how-to-create-a-local-account-while-setting-up-windows-10/


How to make clean install of Windows 11
https://answers.microsoft.com/en-us/windows/forum/all/how-to-make-clean-install-of-windows-11/789f6891-7261-4c40-a632-6a44e53a3e30


I will be more than happy to clean my PC without doing a clean install of Windows 10.

The reason is I just did it for my PC 2 months ago because of another problem, and finally this install was perfect, until this current malware that we are fighting came.

I'm not ignoring your last post. I have also gone in and read all of Greg Carmack's guide for a clean install.

I have attached 2 pictures to give examples of the threats Malwarebytes has blocked today.

Is there more we can do?

Should a PC that doesn't have viruses normally block so many threats in a day just by using the browser, or games?

Thanks a lot, and I appreciate the help.


13.07 nots.png

report.png


  • Root Admin

That is an INBOUND block which Malwarebytes is doing its job to block it.


Please download and run the following Kaspersky Virus Removal Tool 2020 and save it to your Desktop.

(Kaspersky Virus Removal Tool version 20.0.10.0 was released on November 9, 2021)

Download: Kaspersky Virus Removal Tool

How to run a scan with Kaspersky Virus Removal Tool 2020
https://support.kaspersky.com/15674

How to run Kaspersky Virus Removal Tool 2020 in the advanced mode
https://support.kaspersky.com/15680

How to restore a file removed during Kaspersky Virus Removal Tool 2020 scan
https://support.kaspersky.com/15681

Press the Windows Key and R Key together; the "Run" box should open.

Drag and Drop KVRT.exe into the Run Box.

C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the run box.

Add -dontencrypt. Note the space between KVRT.exe and -dontencrypt.

C:\Users\{your user name}\DESKTOP\KVRT.exe -dontencrypt should now show in the Run box.


That addendum to the run command is very important, when the scan does eventually complete the resultant report is normally encrypted, with the extra command it is saved as a readable file.

Reports are saved here C:\KVRT2020_Data\Reports and look similar to this report_20210123_113021.klr
Right-click direct onto that report, select > open with > Notepad. Save that file and attach it to your reply.

To start the scan select OK in the "Run" box.

An EULA window will open, tick all confirmation boxes then select "Accept"

In the new window select "Change Parameters"


In the new window ensure all selection boxes are ticked, then select "OK" The scan should now start...


When complete if entries are found there will be options, if "Cure" is offered leave as is. For any other options change to "Delete" then select "Continue"


When complete, or if nothing was found select "Close"


Attach the report information as previously instructed...

Thank you

  • Root Admin

Yes, an INBOUND is someone typically looking for some type of exploit so that they can gain access to your computer.


Please temporarily exit out of Malwarebytes, then run the following

SecurityCheck by glax24

I would like you to run a tool named SecurityCheck to inquire about the current security update status of some applications.

  • Download SecurityCheck by glax24: https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
  • If Microsoft SmartScreen blocks the download, click through to save the file
  • This tool is safe.   Smartscreen is overly sensitive.
  • If SmartScreen blocks the file from running click on More info and Run anyway
  • Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"  and reply YES to allow to run & go forward
  • Wait for the scan to finish. It will open a text file named SecurityCheck.txt Close the file.  Attach it with your next reply.
  • You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt


Thank you


  • Root Admin

Then, restart the computer one more time and get me the recent following PROTECTION logs


You can find Scan and Protection logs within the Malwarebytes 4 program in the following location


RTP stands for Real-Time Protection and is where automatic protection operations would normally be logged


If you click on the View option you should get something similar to the following with other options available.


This topic is now closed to further replies.