
Virus which blocks me from accessing AntiVirus Sites and more.. (Trojan)


Go to solution Solved by Maurice Naggar,


Hey, I recently realised my PC started making more noise than usual; turns out my PC was going slower due to my CPU. I tried to install an antivirus and I realised it wasn't letting me access the websites, showing me the error "ERR_ADDRESS_INVALID". I did my research and what I did was:

 

  1. Boot safe mode on my computer
  2. Somehow manage to install Malwarebytes and do a scan
  3. Quarantine and delete all malware, viruses etc..

However, I keep getting pop-ups every 5 seconds about how a trojan has been blocked. These are the pop-ups I keep getting.

 

Please, someone help me how to fix this.. 😢


Hello @PapiSamir and welcome:

While you are waiting for the next qualified/approved malware removal expert helper to weigh in on your topic, and even though you may have run one or more of its following procedural steps, please carefully follow the instructions within the following:

I'm infected - What do I do now?

Remember, please be certain to attach (not Copy and Paste) the three (3) resulting report files in your next reply to this topic.

Thank you.


replying to @1PW


I have left both files that you get from FRST64 below; however, I was not able to access my logs, as Malwarebytes is saying there's no reports on my scan, even with the ones I've done with no results. On the other hand, my detection history is plagued with both of the errors.

 

FRST64 FILES

FRST.txt

Addition.txt

 

Malwarebytes detection history:

error 1.txt

error 2.txt

 

Let me know if you need anything else, thank you.


Hello and welcome.

I will guide you along on looking for remaining malware. Let's keep these principles as we go along.

  • Removing malware can be unpredictable
  • Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Only run the tools I guide you to.
  • Do not run online games while case is on-going. Do not do any free-wheeling web-surfing.
  • The removal of malware isn't instantaneous, please be patient.
  • Cracked or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also a big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
  • Please stick with me until I give you the "all clear".
  • If your system is running Discord, please be sure to Exit out of it while this case is on-going.

I would like a report set for review.   This is a report only.

Please download MALWAREBYTES MBST Support Tool

Once you start it click Advanced >>> then   Gather Logs

 Have patience till the run has finished.

Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop.

  • Please attach  mbst-grab-results.zip    to your reply
  • The IP block actions by Malwarebytes are keeping the machine safe from potential threats.
  • We do need the support zip reports to see more detail ( the screen grabs just do not have full details + those screens give no clue as to what processes are running ).

Please  set File Explorer to SHOW ALL folders, all files, including Hidden ones.  Use OPTION ONE or TWO of this article
Please use this Guide

This machine has a very serious infection.

Next, please try to reset the HOSTS file like outlined here https://www.tenforums.com/tutorials/140970-reset-hosts-file-back-default-windows.html

In any event, keep going and do this:

This next tool ought to take something in the range of 15 - 25 minutes tops, depending on hardware speed.
get & run the Malwarebytes MBAR anti-rootkit tool to do 1 run with it.
Disregard the title subject of the topic. Run the MBAR tool as listed here

https://forums.malwarebytes.com/topic/198907-requested-resource-is-in-use-error-unable-to-start-malwarebytes

  • when done, I need the MBAR logs.
  • Upon completion of the scan or after the reboot, two files named mbar-log.txt and system-log.txt will be created.
  • Both files can be found in the extracted MBAR folder on your Desktop.
  • Please attach both files in your next reply.

There is much, much more to do even after this. Do not do any un-needed web-surfing. Only go to this forum & the websites I guide you to for tools.
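One way access to security sites gets blocked is through hosts-file entries that point vendor domains at an unusable address, which is why the post above asks for a HOSTS reset. The following is an added example, not part of the original thread or of any tool named in it: a small parser that lists active entries in a copy of the hosts file (on Windows, `C:\Windows\System32\drivers\etc\hosts`) and flags those touching the vendor domains linked in this thread. The sample content, the domain tuple and the function names are assumptions made for illustration.

```python
import ipaddress

# Vendor domains taken from links in this thread; extend the tuple as needed.
SECURITY_DOMAINS = ("malwarebytes.com", "eset.com", "kaspersky.com", "microsoft.com")

# Constructed sample, not taken from the poster's machine.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#   127.0.0.1       localhost
0.0.0.0 www.malwarebytes.com malwarebytes.com   # two names on one line
127.0.0.1 download.eset.com
203.0.113.7 support.kaspersky.com
192.168.1.20 nas.home.lan
"""

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for each active mapping in hosts-file text."""
    for line_no, raw in enumerate(text.lstrip("\ufeff").splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # first field is not an IP address
        for name in fields[1:]:
            yield line_no, ip, name.lower().rstrip(".")

def suspicious_entries(text, domains=SECURITY_DOMAINS):
    """Return (line_no, hostname, ip, reason) for every entry worth a second look."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if name == "localhost" and ip.is_loopback:
            continue                            # harmless default-style mapping
        vendor = any(name == d or name.endswith("." + d) for d in domains)
        if vendor and (ip.is_unspecified or ip.is_loopback):
            reason = "security site blocked"
        elif vendor:
            reason = "security site redirected"
        else:
            reason = "non-default entry"
        findings.append((line_no, name, str(ip), reason))
    return findings

if __name__ == "__main__":
    for finding in suspicious_entries(SAMPLE_HOSTS):
        print(finding)
```

A default Windows hosts file contains only comment lines, so an empty result is the expected state after a reset.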


Here is the ZIP file that has the MBAR exe file.  You will need to unzip ( EXTRACT) the content and SAVE to your Downloads folder or the Desktop. Then run it like I outlined before.

mbar-1.10.3.1001-nr.zip

Edited by Maurice Naggar

Microsoft Defender antivirus had very recently warned of at least 2 malwares !

Name: Trojan:Win32/Redline.GUA!MTB
Severity: Severe
Category: Trojan
Path: containerfile:_C:\Users\FiercePC\Downloads\0xcrack.zip ;

Be real sure that ZIP file is no longer present

Name: PUADlManager:Win32/OfferCore
Severity: Low
Category: Potentially Unwanted Software
Path: file:_C:\Users\FiercePC\OneDrive\Desktop\Desktop\CheatEngine74.exe ;

Be sure that that too is no longer present.  There is much much more to do & cleanup.  Even after this.

  • Cracked or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also a big source of current trojan infections. Please uninstall all hack / crack / stolen / pirated apps now, if any are here, at this point !!!

I have 2 replies preceding this one. When you are ready & Caught up & have lots of quiet time. Do this.

Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this. THIS run will do a Windows RESTART. Once it starts it will auto-close any other running app.

We will use FRSTENGLISH.exe  on the Downloads folder to run a custom fix script.    The system will be rebooted after the script has run. The main goal here is to remove a malware that is blocking access to many security sites. It is a serious infection. This is intended to do some system checks using System File Checker ( SFC ) & the Windows' DISM check tool and a quick scan with MS Defender. It will also rebuild the Winsock. It will clear the cache temporary files of the web browsers.

This custom script is for  Papisamir  machine  only / for this machine only.

  • Please save the (attached file named) FIXLIST.txt   to the   Downloads   folder

Fixlist.txt  <<< - - - - -

Then, Start the Windows Explorer and then, go  to the Downloads    folder.


RIGHT click on FRSTENGLISH.exe    and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run.

  •    If the tool warns you the version is outdated, please download and run the updated version.
  • IF Windows prompts you about running this, select YES to allow it to proceed.
  • IF you get a block message from Windows about this tool......

               click line More info information on that screen
               and click button Run anyway on next screen.

  • on the FRST window:

Click the Fix button just once, and wait.

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience.  Please attach the Fixlog.txt with your next reply. There is more to do after this.

Do a new scan with Malwarebytes for Windows.

Do a Check for Update using the Malwarebytes Settings >> General tab.

See this Support Guide https://support.malwarebytes.com/hc/en-us/articles/360042187934-Check-for-updates-in-Malwarebytes-for-Windows

When it shows a new version available, Accept it and let it proceed forward.  Be sure it succeeds.

If prompted to do a Restart, just please follow all directions.

Let me know how that goes.    Next, the Malwarebytes scan.

Then click the Security tab.  Scroll down and lets be sure the line in SCAN OPTIONs for

"Scan for rootkits" is ON 👈   Click it to get it ON if it does not show a blue-color .

 

Next, click the small x on the Settings line to go to the main Malwarebytes Window.   Next click the blue button marked Scan.

 

When the scan phase is done, be real sure you Review and have all detected lines items check-marked on each line on the left. That too is very critical.

>>>>>>      👉      You can actually click the topmost left  check-box  on the very top line to get ALL lines  ticked   ( all selected).         <<<<     💢


 

Please double verify you have that TOP  check-box tick marked.   and that then, all lines have a tick-mark

 

Then click on Quarantine  button.


 


Then, locate the Scan run report;  export out a copy;  & then attach in with your  reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

😉


@PapiSamir I urge you to continue forward and do the custom-fix plus the scan I listed before at this link 

That is intended to remove the serious infection plus other cleanups.  Plus also doing the new Malwarebytes special scan. Please do not delay.


Windows Resource Protection found corrupt files and successfully repaired them.
The custom-fix-script run is extremely helpful and a success. For one thing, the trojan malware associated to a task was removed. 
We do have more work to do though. We will do more even after this here.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on Scan Options & select  CUSTOM scan  & then select the C drive to be scanned.

Then start the scan. Have lots of patience. Once you start the scan & you see it started, then leave it be.  

  • Once you see it has started, take a long long break;  walk away.  Do not pay credence if you see some intermediate early flash messages on screen display.  The only things that count are the End result at the end of the run.
  • Again, any on-screen display about repeat 'infection' is not to be relied on.  Ignore those.
  • We only rely on the end result that is on the log-report-file.

 

This is likely to run for many hours   ( depending on number of files on your machine & the speed of hardware.)

The log is named MSERT.log  

the log will be at  

Windows\debug\msert.log

Please attach that log with your reply. We will do more later.


The MS Safety scanner did not really find any new malware. It only snagged & removed the malware that was already isolated & was in quarantine, too.

This is actually a re-assuring result.

We need to do some other scanning. This here you can start & once it is under way, you can leave the machine alone & let it run over-night. No need to keep watch once it starts the actual scan run. 

Next, This will be a check with ESET Onlinescanner for viruses, other malware, adwares, & potentially unwanted applications.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

 

It will start a download of "esetonlinescanner.exe"

  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started.

 

  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes
  • When prompted for scan type, Click on Full scan

Look at & tick ( select ) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on Start scan button.

  • Have patience. The entire process may take an hour or more. There is an initial update download.

There is a progress window display. You may step away from machine & let it be.  That is, once it is under way, you should leave it running.  It will run for several hours.

  • At screen "Detections occurred and resolved" click on blue button "View detected results"
  • On next screen, at lower left, click on blue "Save scan log"
  • View where file is to be saved. Provide a meaningful name for the "File name:"
  • On last screen, set to Off (left) the option for Periodic scanning
  • Click "save and continue"
  • Please attach the report file so I can review

  • Solution

Very fortunate cleanups by ESET. It included cleanup of a variant of Win64/CoinMiner.RD plus also some "torrents". Please do not use "torrents" while this case is on-going.

Download Kaspersky Virus Removal Tool (KVRT) from here: https://www.kaspersky.com/downloads/thank-you/free-virus-removal-tool and save to your Desktop.

Next, Select the Windows Key and R Key together, the "Run" box should open.


Drag and Drop KVRT.exe into the Run Box.


C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the run box.


add -dontencrypt
Note the space between KVRT.exe and -dontencrypt

C:\Users\FiercePC\DESKTOP\KVRT.exe -dontencrypt should now show in the Run box.


That addendum to the run command is very important.


To start the scan select OK in the "Run" box.


The Windows Protected your PC window will open, select "More Info"


A new Window will open, select "Run anyway"


A EULA window will open, tick both confirmation boxes then select "Accept"


In the new window select "Change Parameters"

  • In the new window ensure the following boxes are ticked:
    • System memory
    • Startup objects
    • Boot sectors
    • System drive
  • Then select "OK" and "Start scan".

The Kaspersky tool is very thorough so will take a considerable time to complete, please allow it to finish. Also while Kaspersky runs do not use your PC for anything else.

  • completed: If entries are found, there will be options to choose. If "Cure" is offered, leave as it is. For any other options change to "Delete", then select "Continue".
  • Usually, your system needs a reboot to finish the removal process.
  • Logfiles can be found on your system drive (usually C: ), similar to this:

Reports are saved here C:\KVRT_data\Reports and look similar to this report_20221028_103821.klr

  • Right click direct onto those reports, select > open with > Notepad.
  • Save the files and attach them with your next reply.
This topic is now closed to further replies.