SwitchRatchet Posted October 28, 2022 ID:1539626 Share Posted October 28, 2022 Hello again, So my PC has been dogging ever since I installed a new mining software that had just come out, My IT senses were tingling and I just had to try it to find out what mining was like; my mistake. Luckily It was on as lab computer and not sensitive info is on it. Ran Malware bytes (Frree) and it popped up with 5 different malware items...and I know the installation file had some sort of chipset binding, was a red flag but to late to stop after installation had started. The name of the software is called Kryptex. I notice it most when using any application that is not a system program like explorer or powershell etc. The malwarebytes scan came back with 4 trojans and a riskware malware programs. Any help is appreciated as always I feel like Im your best and worst customer Addition.txt FRST.txt Link to post Share on other sites More sharing options...
SwitchRatchet Posted October 28, 2022 Author ID:1539633 Share Posted October 28, 2022 (edited) Sorry for not including the MWB scan file, i could not find the export button. @1PW was kind enough to help me out. I have the log file attached below. 102622SWRCHTMWBSCN.txt Edited October 28, 2022 by SwitchRatchet Link to post Share on other sites More sharing options...
Maurice Naggar Posted October 28, 2022 ID:1539653 Share Posted October 28, 2022 Hello I will guide you along on looking for remaining malware. Lets keep these principles as we go along. Removing malware can be unpredictable Please don't run any other scans, download, install or uninstall any programs while I'm working with you. Only run the tools I guide you to. Do not run online games while case is on-going. Do not do any free-wheeling web-surfing. The removal of malware isn't instantaneous, please be patient. Cracked or or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed, is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure. Please stick with me until I give you the "all clear". If your system is running Discord, please be sure to Exit out of it while this case is on-going. I would like a report set for review. This is a report only. Please download MALWAREBYTES MBST Support Tool Once you start it click Advanced >>> then Gather Logs Have patience till the run has finished. Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop. Please attach mbst-grab-results.zip to your reply Link to post Share on other sites More sharing options...
SwitchRatchet Posted October 28, 2022 Author ID:1539681 Share Posted October 28, 2022 Hello and thank you! Here is the requested file. mbst-grab-results.zip Link to post Share on other sites More sharing options...
Maurice Naggar Posted October 28, 2022 ID:1539710 Share Posted October 28, 2022 Take these actions so that Windows 11 is set to show all hidden files and folders. Open File Explorer from the taskbar. Select View > Show > Hidden items. Select View → Show → File name extensions Start Malwarebytes. Click Settings ( gear ) icon. Next, lets make real sure that Malwarebytes does NOT register with Windows Security Center Click the Security Tab. Scroll down to "Windows Security Center" Click the selection to the left for the line "Always register Malwarebytes in the Windows Security Center". { We want that to be set as Off .... be sure that line's radio-button selection is all the way to the Left. thanks. } This will not affect any real-time protection of the Malwarebytes for Windows 😃. Do a Check for Update using the Malwarebytes Settings >> General tab. See this Support Guide https://support.malwarebytes.com/hc/en-us/articles/360042187934-Check-for-updates-in-Malwarebytes-for-Windows When it shows a new version available, Accept it and let it proceed forward. Be sure it succeeds. If prompted to do a Restart, just please follow all directions. Let me know how that goes. Next, the Malwarebytes scan. Then click the Security tab. Scroll down and lets be sure the line in SCAN OPTIONs for "Scan for rootkits" is ON 👈 Click it to get it ON if it does not show a blue-color . Next, click the small x on the Settings line to go to the main Malwarebytes Window. Next click the blue button marked Scan. When the scan phase is done, be real sure you Review and have all detected lines items check-marked on each line on the left. That too is very critical. >>>>>> 👉 You can actually click the topmost left check-box on the very top line to get ALL lines ticked ( all selected). <<<< 💢 Please double verify you have that TOP check-box tick marked. and that then, all lines have a tick-mark Then click on Quarantine button. Then, locate the Scan run report; export out a copy; & then attach in with your reply. See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4 😉 Link to post Share on other sites More sharing options...
SwitchRatchet Posted October 28, 2022 Author ID:1539718 Share Posted October 28, 2022 (edited) scan was clean. Thank you, MWBSC2SWRCHT.txt Edited October 28, 2022 by SwitchRatchet Link to post Share on other sites More sharing options...
Maurice Naggar Posted October 28, 2022 ID:1539725 Share Posted October 28, 2022 (edited) Download Kaspersky Virus Removal Tool (KVRT) from here: https://www.kaspersky.com/downloads/thank-you/free-virus-removal-tool and save to your Desktop. Next, Select the Windows Key and R Key together, the "Run" box should open. Drag and Drop KVRT.exe into the Run Box. C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the run box. add -dontcryptsupportinfo Note the space between KVRT.exe and -dontencryptC:\Users\{your user name}\DESKTOP\KVRT.exe -dontcryptsupportinfo should now show in the Run box. That addendum to the run command is very important. To start the scan select OK in the "Run" box. The Windows Protected your PC window will open, select "More Info" A new Window will open, select "Run anyway" A EULA window will open, tick both confirmation boxes then select "Accept" In the new window select "Change Parameters" In the new window ensure the following boxes are ticked: System memory Startup objects Boot sectors System drive Then select "OK" and „Start scan“. The Kaspersky tool is very thorough so will take a considerable time to complete, please allow it to finish. Also while Kaspersky runs do not use your PC for anything else.. completed: If entries are found, there will be options to choose. If "Cure" is offered, leave as it is. For any other options change to "Delete", then select "Continue". Usually, your system needs a reboot to finish the removal process. Logfiles can be found on your systemdrive (usually C: ), similar like this: Reports are saved here C:\KVRT_data\Reports and look similar to this report_20221028_103821.klr Right click direct onto those reports, select > open with > Notepad. Save the files and attach them with your next reply. Edited October 28, 2022 by Maurice Naggar added note Link to post Share on other sites More sharing options...
SwitchRatchet Posted October 28, 2022 Author ID:1539728 Share Posted October 28, 2022 I added the command line like you said but it came up with a command help prompt window...i assume they updated the command to simply " -dontencrypt",,,so i swapped that in for the command you gave me and continued the process. The scan is running now. Will update when the scan is complete. Thank you again. Link to post Share on other sites More sharing options...
Maurice Naggar Posted October 28, 2022 ID:1539731 Share Posted October 28, 2022 Thank you. Cheers. 1 Link to post Share on other sites More sharing options...
SwitchRatchet Posted October 28, 2022 Author ID:1539736 Share Posted October 28, 2022 Kaspersky did find and "neutralize" 3 instances of malware. I use quotes because my computer did not restart, and I think that is what it means when it is deleted. Report .txt attached below. KSPRKYSCN1026SWRCHT.txt Link to post Share on other sites More sharing options...
Maurice Naggar Posted October 29, 2022 ID:1539744 Share Posted October 29, 2022 @SwitchRatchet When you are ready & have lots of quiet time. Do this. Please be sure to Close any open work files, documents, any apps you started yourself before starting this. THIS run will do a Windows RESTART. Once it starts it will auto-close any other running app. We will use FRSTENGLISH.exe on the Downloads folder to run a custom fix script. The system will be rebooted after the script has run. This is intended to do some system checks using System File Checker ( SFC ) & the Windows' DISM check tool and a quick scan with MS Defender. It will also rebuild the Winsock. It will clear the cache temporary files of the web browsers. This should get rid of all traces of "Kryptex" !!! This custom script is for SwitchRacket machine only / for this machine only. Please save the (attached file named) FIXLIST.txt to the Downloads folder Fixlist.txt <<< - - - - - Then, Start the Windows Explorer and then, go to the Downloads folder. RIGHT click on FRSTENGLISH.exe and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow to run. If the tool warns you the version is outdated, please download and run the updated version. IF Windows prompts you about running this, select YES to allow it to proceed. IF you get a block message from Windows about this tool...... click line More info information on that screen and click button Run anyway on next screen. on the FRST window: Click the Fix button just once, and wait. PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. Please attach the Fixlog.txt with your next reply. Link to post Share on other sites More sharing options...
SwitchRatchet Posted October 29, 2022 Author ID:1539749 Share Posted October 29, 2022 can you attach the link for FRST? Link to post Share on other sites More sharing options...
Maurice Naggar Posted October 29, 2022 ID:1539751 Share Posted October 29, 2022 The tool FRSTENGLISH is on your system / on the Downloads folder / C:\Users\Simon\Downloads\FRSTEnglish.exe It is maybe the case you need to sort your view on File Explorer to sort the view sequence by Name. But if you look real close, you should see the file is there. Link to post Share on other sites More sharing options...
SwitchRatchet Posted October 29, 2022 Author ID:1539752 Share Posted October 29, 2022 Oh, you are correct! Sorry about that. Link to post Share on other sites More sharing options...
SwitchRatchet Posted October 29, 2022 Author ID:1539754 Share Posted October 29, 2022 OK I think I did it correctly. Fixlog.txt Link to post Share on other sites More sharing options...
Solution Maurice Naggar Posted October 29, 2022 Solution ID:1539805 Share Posted October 29, 2022 Windows Resource Protection found corrupt files and successfully repaired them.The KRYPTEX malware had so many EXE files. And it had placed all of its EXE files as "exclusions" from the protection of MS Defender. That is a hallmark of a nasty malware. The exclusions have been removed. But we need a new run to insure its old container folders are now all gone. This next will be a very quick run. Please be sure to Close any open work files, documents, any apps you started yourself before starting this. THIS run will do a Windows RESTART. Once it starts it will auto-close any other running app. We will use FRSTENGLISH.exe on the Downloads folder to run a custom fix script. The system will be rebooted after the script has run. This custom script is for SwitchRacket machine only / for this machine only. Please save the (attached file named) FIXLIST.txt to the Downloads folder Fixlist.txt <<< - - - - - Then, Start the Windows Explorer and then, go to the Downloads folder. RIGHT click on FRSTENGLISH.exe and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow to run. If the tool warns you the version is outdated, please download and run the updated version. IF Windows prompts you about running this, select YES to allow it to proceed. IF you get a block message from Windows about this tool...... click line More info information on that screen and click button Run anyway on next screen. on the FRST window: Click the Fix button just once, and wait. You will see a green progress bar start. Lots of patience. Please attach the Fixlog.txt with your next reply. Link to post Share on other sites More sharing options...
SwitchRatchet Posted October 29, 2022 Author ID:1539807 Share Posted October 29, 2022 Wow, that is so upsetting. I guess curiosity killed the cat here. Thank you AGAIN! The fix log is attached below. Fixlog.txt Link to post Share on other sites More sharing options...
Maurice Naggar Posted October 29, 2022 ID:1539822 Share Posted October 29, 2022 Thank you. The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. The download links & the how-to-run-the tool are at this link at Microsoft https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download Look on Scan Options & select CUSTOM scan & then select the C drive to be scanned. Then start the scan. Have lots of patience. Once you start the scan & you see it started, then leave it be. Once you see it has started, take a long long break; walk away. Do not pay credence if you see some intermediate early flash messages on screen display. The only things that count are the End result at the end of the run. Again, any on-screen display about repeat 'infection' is not to be relied on. Ignore those. We only rely on the end result that is on the log-report-file. This is likely to run for many hours ( depending on number of files on your machine & the speed of hardware.) The log is named MSERT.log the log will be at Windows\debug\msert.log Please attach that log with your reply. Link to post Share on other sites More sharing options...
SwitchRatchet Posted October 29, 2022 Author ID:1539826 Share Posted October 29, 2022 No PUPs found! msert.log Link to post Share on other sites More sharing options...
Maurice Naggar Posted October 29, 2022 ID:1539830 Share Posted October 29, 2022 Very, very good. Quote Results Summary: ---------------- No infection found. Successfully Submitted Heartbeat Report Microsoft Safety Scanner Finished On Sat Oct 29 13:16:16 2022 I would suggest to insure that this pc is all up-to-date with security updates & cumulative updates on Windows. select the Windows Start button, and then go to Settings > Update & Security > Windows Update . and click Check for Updates. Have much patience. [ 2 ] I would recommend getting a readout report as to update status of some key apps. Download SecurityCheck by glax24 from here https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe and save the tool on the desktop. If Windows's SmartScreen block that with a message-window, then Click on the MORE INFO spot and over-ride that and allow it to proceed. This tool is safe. Smartscreen is overly sensitive. Right-click with your mouse on the Securitycheck.exe and select "Run as administrator" and reply YES to allow to run & go forward Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file. Attach it with your next reply. You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt Link to post Share on other sites More sharing options...
SwitchRatchet Posted October 29, 2022 Author ID:1539840 Share Posted October 29, 2022 Hoping everything is perfect... SecurityCheck.txt Link to post Share on other sites More sharing options...
Maurice Naggar Posted October 29, 2022 ID:1539844 Share Posted October 29, 2022 Excellent. Very good. Follow the advice previously relayed. I am marking the case for closure. Consider using PatchMyPC, keep all your software up-to-date - https://patchmypc.com/home-updater#download Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware. SAFETY TIPS: Backup is your best friend. Keep backups of your system on a regular basis to offline storage & keep those safe. https://forums.malwarebytes.com/topic/136226-backup-software/ It is not enough to just have a security program installed. Each pc user needs to practice daily safe computer and internet use. Best practices & malware prevention: Follow best practices when browsing the Internet, especially on opening links coming from untrusted sources. First rule of internet safety: slow down & think before you "click". Never click links without first hovering your mouse over the link and seeing if it is going to an odd address ( one that does not fit or is odd looking or has typos). Free games & free programs are like "candy". We do not accept them from "strangers". Never open attachments that come with unexpected ( out of the blue ) email no matter how enticing. Never open attachments from the email itself. Do not double click in the email. Always Save first and then scan with antivirus program. Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed. Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next". Use a Standard user account rather than an administrator-rights account when "surfing" the web. See more info on Corrine's SecurityGarden Blog http://securitygarden.blogspot.com/p/blog-page_7.html Only using the Standard-access-level user account when surfing and downloading / installing would have been a tremendous way to prevent the infections of this machine. Don't remove ( or change ) your current login. Just use the new Standard-user-level one for everyday use while on the internet. Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware. For other added tips, read "10 easy ways to prevent malware infection" 1 Link to post Share on other sites More sharing options...
Maurice Naggar Posted October 29, 2022 ID:1539845 Share Posted October 29, 2022 This here is for tools cleanup. Please download KpRm by kernel-panik and save it to your desktop. right-click kprm_(version).exe and select Run as Administrator. Read and accept the disclaimer. When the tool opens, ensure all boxes under Actions are checked. Under Delete Quarantines select Delete Now, then click Run. Once complete, click OK. A log may open in Notepad titled kprm-(date).txt. I do not need it. Just close Notepad if it shows up. Delete mb-support-1.8.7.918.exe Delete mbst-grab-results.zip on the Desktop I wish you well 😎 This system is good-to-go. 1 Link to post Share on other sites More sharing options...
SwitchRatchet Posted October 30, 2022 Author ID:1539868 Share Posted October 30, 2022 Thank you again Maurice. Much appreciated! kprm-20221029235228.txt Link to post Share on other sites More sharing options...
Maurice Naggar Posted October 30, 2022 ID:1539887 Share Posted October 30, 2022 Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Please review the following to help you better protect your computer and privacy Tips to help protect from infection Thank you 1 Link to post Share on other sites More sharing options...
Recommended Posts