
Help with trojan - I'm getting lots of messages for a website


Go to solution Solved by Maurice Naggar,


Hello @perdrix 

I will guide you along on looking for remaining malware. Let's keep these principles as we go along.

  • Removing malware can be unpredictable
  • Beyond the reports mentioned above......Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Only run the tools I guide you to.
  • Do not run online games while case is on-going. Do not do any free-wheeling web-surfing.
  • The removal of malware isn't instantaneous, please be patient.
  • Cracked or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also a big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
  • Please stick with me until I give you the "all clear".
  • If your system is running Discord, please be sure to Exit out of it while this case is on-going.

Do this as a next action at this point: Clear / Delete all Cache & Temporary files on all web browsers, PLUS, do one Windows RESTART so that the machine is in a fresh restart.

I simply would like to offer some remarks about Chrome & web browsers & Windows.

As to Chrome, ensure it is the latest release from Chrome
https://support.google.com/chrome/answer/95414?
On some periodic basis, I suggest deleting all Cache content on Chrome for the "all time" period. That will help keep Chrome running snappier.
Open Chrome.
At the top right, click More.
Click More tools and then Clear browsing data.
Choose the time range All time.
Select the types of information that you want to remove.
Click Clear data.

By the way, the same principle applies to the Edge browser in Windows 11 / 10. Clearing all cache helps.

The section for EDGE browser how-to https://forums.malwarebytes.com/topic/286888-few-malwares-were-failed-to-removed/?do=findComment&comment=1517006


After the actions listed above, let's get going with these additional actions.

Take these actions so that Windows 11 is set to show all hidden files and folders.
Open File Explorer from the taskbar.

Select View > Show > Hidden items.

Select View > Show > File name extensions.

( 2 )

Start Malwarebytes. Click the Settings (gear) icon. Next, let's make really sure that Malwarebytes does NOT register with Windows Security Center.

Click the Security Tab. Scroll down to

"Windows Security Center"

Click the selection to the left  for the line "Always register Malwarebytes in the Windows Security Center".
{ We want that to be set as Off   .... be sure that line's  radio-button selection is all the way to the Left.  thanks. }

This will not affect any real-time protection of the Malwarebytes for Windows    😃.

Close Malwarebytes.

( 3 )

Let's do one scan with Malwarebytes AdwCleaner to check for adware. Just before pressing that "scan" button, be sure that Chrome & Edge, or any other web browser, are closed.

It will not take much time, but do read all of this write-up first so that you fully understand the concept of this special run.

First download & save it
guide & download link

Then be sure to close all web browsers after the download & before launching the tool.

Then go to where the EXE file is saved. Start Adwcleaner.
Reply YES at the Windows prompt to allow the program to proceed and make changes. That is the usual Windows security prompt.

Take your time and go carefully. There are some preliminary selections to be set before pressing any 'scan' button.

When AdwCleaner starts, on the left side of the window, click on “Settings” and then enable these repair actions on that tab-window by clicking their button to the far right for ON status:

Delete IFEO keys
Delete tracing keys
Delete Prefetch files
Reset Proxy
Reset IE Policies
Reset Chrome policies
Reset Winsock

Now, on the left side of the AdwCleaner window, click on “Dashboard” and then click “Scan” to perform a computer scan.

This can take several minutes.
When the AdwCleaner scan is completed it will display all of the items it has found. Click on the “Quarantine” button to remove what it found.

AdwCleaner will now prompt you to save any open files or data, as the program will need to close any open programs before it starts to clean.
Click on the “Continue” button to finish the removal process.

Guide article

Attach the clean log from AdwCleaner when all is completed.


  • 2 weeks later...

This last posting you made -did- work. I cannot tell what exactly you saw or what. Can you provide more detail?

And perhaps/maybe you just need (if possible) to use a different web browser. BUT you did make a one-line post just maybe 3 hours ago.


OK, it's now letting my posts in! I can't remember exactly, but AdwCleaner didn't find anything of interest, but Malwarebytes continued blocking BitTorrent, so I turned off the "trial" of the non-free stuff.

If the detection was genuine, is there an alternative torrent client that MWB won't dislike?

Thanks, David


Here's the AdwCleaner log:

# -------------------------------
# Malwarebytes AdwCleaner 8.4.0.0
# -------------------------------
# Build:    08-30-2022
# Database: 2022-10-10.1 (Cloud)
# Support:  https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Scan
# -------------------------------
# Start:    11-28-2022
# Duration: 00:00:10
# OS:       Windows 11 (Build 22621.819)
# Scanned:  32070
# Detected: 21


***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

No malicious folders found.

***** [ Files ] *****

No malicious files found.

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious WMI found.

***** [ Shortcuts ] *****

No malicious shortcuts found.

***** [ Tasks ] *****

No malicious tasks found.

***** [ Registry ] *****

Adware.Agent.Proxy              HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|TCP Query User{0C96E9FC-BFCA-4191-8CEC-93CDA6CB91C0}C:\program files (x86)\sharpcap 4.0\sharpcap.exe
Adware.Agent.Proxy              HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|TCP Query User{E5D705D3-9965-4D3D-AAB6-F698CD383EA1}C:\program files (x86)\sharpcap 3.2\sharpcap.exe
Adware.Agent.Proxy              HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|UDP Query User{E1F3544A-7349-473B-8D67-430E033D8855}C:\program files (x86)\sharpcap 3.2\sharpcap.exe
Adware.Agent.Proxy              HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|UDP Query User{F5BB7809-0BA4-4721-A0A1-62CEC32C34C3}C:\program files (x86)\sharpcap 4.0\sharpcap.exe
PUP.Optional.AdvancedSystemCare HKLM\Software\Wow6432Node\IOBIT\ASC
PUP.Optional.AdvancedSystemCare HKLM\Software\Wow6432Node\IObit\Advanced SystemCare
PUP.Optional.AdvancedSystemCare HKLM\Software\Wow6432Node\IObit\RealTimeProtector
PUP.Optional.WebCompanion       HKLM\Software\Wow6432Node\Lavasoft\Web Companion

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries found.

***** [ Chromium URLs ] *****

No malicious Chromium URLs found.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries found.

***** [ Firefox URLs ] *****

No malicious Firefox URLs found.

***** [ Hosts File Entries ] *****

No malicious hosts file entries found.

***** [ Preinstalled Software ] *****

Preinstalled.DellDataProtection   Registry   HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run|CSFTrayApp
Preinstalled.DellDataProtection   Registry   HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{0C11FE22-53F2-4C9B-9E79-824B10D0976E}
Preinstalled.DellSupportAssistAgent   Folder   C:\Program Files\DELL\SAREMEDIATION\AUDIT
Preinstalled.DellSupportAssistAgent   Folder   C:\Program Files\DELL\SAREMEDIATION\PLUGIN
Preinstalled.DellSupportAssistAgent   Folder   C:\Program Files\DELL\SUPPORTASSISTAGENT
Preinstalled.DellSupportAssistAgent   Folder   C:\ProgramData\DELL\SUPPORTASSIST
Preinstalled.DellSupportAssistAgent   Folder   C:\Users\amonra\Documents\DELL\SUPPORTASSIST
Preinstalled.DellSupportAssistAgent   Registry   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{5C594468-36F5-4C05-9BF1-DF9DDBA09BF3}  
Preinstalled.DellSupportAssistAgent   Registry   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5C594468-36F5-4C05-9BF1-DF9DDBA09BF3}  
Preinstalled.DellSupportAssistAgent   Registry   HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Dell SupportAssistAgent AutoUpdate
Preinstalled.DellSupportAssistAgent   Task   C:\Windows\System32\Tasks\DELL SUPPORTASSISTAGENT AUTOUPDATE
Preinstalled.DellUpdateforWindows10   Folder   C:\Program Files (x86)\DELL\UPDATESERVICE
Preinstalled.DellUpdateforWindows10   Folder   C:\ProgramData\DELL\UPDATESERVICE


AdwCleaner_Debug.log - [16992 octets] - [17/11/2022 16:02:22]

########## EOF - C:\AdwCleaner\Logs\AdwCleaner[S00].txt ##########

I don't see anything there that looks "dodgy".

D.

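A small triage parser for the AdwCleaner report layout shown in the log above, added here as an example and not part of the thread or of AdwCleaner itself. It assumes the section banners and the family / kind / target columns seen in that log, takes a constructed excerpt of it as input, groups detections by class (Adware, PUP, Preinstalled) and pulls the program path out of flagged per-user firewall rules so the machine's owner can check whether the named program is one they installed.

```python
import re
from collections import Counter

# Constructed excerpt in the AdwCleaner report layout seen in this thread (not the full log).
SAMPLE_LOG = r"""# Mode: Scan
# Detected: 4

***** [ Registry ] *****

Adware.Agent.Proxy              HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|TCP Query User{0C96E9FC-BFCA-4191-8CEC-93CDA6CB91C0}C:\program files (x86)\sharpcap 4.0\sharpcap.exe
PUP.Optional.AdvancedSystemCare HKLM\Software\Wow6432Node\IOBIT\ASC

***** [ Preinstalled Software ] *****

Preinstalled.DellSupportAssistAgent   Folder   C:\Program Files\DELL\SUPPORTASSISTAGENT
Preinstalled.DellSupportAssistAgent   Task   C:\Windows\System32\Tasks\DELL SUPPORTASSISTAGENT AUTOUPDATE
"""

SECTION_RE = re.compile(r"^\*{5} \[ (.+?) \] \*{5}$")
# "<family> <target>" in most sections; "<family> <kind> <target>" under Preinstalled Software.
ENTRY_RE = re.compile(r"^(?P<family>\S+)\s+(?:(?P<kind>Registry|Folder|File|Task)\s+)?(?P<target>\S.*?)\s*$")
# Rules created by the Windows "allow this app through the firewall" prompt carry the program path after the GUID.
FIREWALL_EXE_RE = re.compile(r"\\FirewallRules\|(?:TCP|UDP) Query User\{[0-9A-F-]+\}(?P<exe>.+)$", re.I)

def parse_adwcleaner_log(text):
    """Return one dict per detection: section, family, kind and target."""
    findings, section = [], None
    for line in text.splitlines():
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group(1)
            continue
        if section is None or not line.strip() or line.startswith(("#", "No malicious")):
            continue
        m = ENTRY_RE.match(line)
        if m:
            findings.append({"section": section, "family": m["family"],
                             "kind": m["kind"] or section, "target": m["target"]})
    return findings

def summarize(findings):
    """Count detections by top-level class (Adware, PUP, Preinstalled, ...)."""
    return Counter(f["family"].split(".")[0] for f in findings)

def firewall_rule_programs(findings):
    """Programs named by flagged per-user firewall rules, for the owner to confirm they recognise them."""
    hits = (FIREWALL_EXE_RE.search(f["target"]) for f in findings)
    return sorted({m["exe"].lower() for m in hits if m})
```

Run it over a saved AdwCleaner[S00].txt by passing the file contents to parse_adwcleaner_log; a Preinstalled entry is vendor software the tool merely lists, while a firewall-rule hit only tells you which program asked for network access.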

The AdwCleaner did a good cleanup. It found adware, plus a PUP.

This next custom-fix is mainly intended to run Windows' SFC & DISM to check the system for integrity, to clear temporary cache on Edge, Chrome & Firefox, to rebuild the Winsock, and to attempt to check the system with Microsoft Defender antivirus.

This is not a cure-all. Rather, it is meant as general check & cleanup.

This custom script is for Perdrix only / for this machine only.

  • Please save the (attached file named) FIXLIST.txt to the Downloads\Farbar folder

 <<< - - - - -

Please be sure to close any open work files, documents, and any apps you started yourself before starting this. THIS run will do a Windows RESTART. Once it starts it will auto-close any other running app.

We will use FRST64.exe in the Downloads\Farbar folder { C:\Users\amonra\Downloads\FarBar } to run a custom script. The system will be rebooted after the script has run.

Start Windows Explorer and then go to the Downloads\Farbar folder.

RIGHT click on FRST64.exe and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow it to run.

  • If the tool warns you the version is outdated, please download and run the updated version.
  • IF Windows prompts you about running this, select YES to allow it to proceed.
  • IF you get a block message from Windows about this tool, click the line More info on that screen and click the button Run anyway on the next screen.

  • on the FRST window:

Click the Fix button just once, and wait.

PLEASE have patience when this starts. You will see a green progress bar start. Lots of patience. Please attach the Fixlog.txt with your next reply.

Please only attach logs, reports as we go along.

Edited by Maurice Naggar
Fixlist script attached

Hi Perdrix. I am so, so terribly sorry. I have now attached the Fixlist into the reply. Please do as listed in my prior post https://forums.malwarebytes.com/topic/292029-help-with-trojan-im-getting-lots-of-messages-for-a-website/?do=findComment&comment=1543725

My apologies.


That's odd, I thought I had posted a question about the way that script uses MS Defender: will it allow me to overrule the removal of what it considers to be malware? Some stuff I use has been ID'd as malware by Defender even though I know and trust the code in question.


  • Solution

No, there is not an ability to "override" what MS Defender detects. So what I have here is removed scanning with the antivirus. This script will not do a scan with Defender. It will do the other checks. I recommend you go forward with this.

This next custom-fix is mainly intended to run Windows' SFC & DISM to check the system for integrity, to clear temporary cache on Edge, Chrome & Firefox, and to rebuild the Winsock.

This is not a cure-all. Rather, it is meant as general check & cleanup.

This custom script is for Perdrix only / for this machine only.

  • Please save the (attached file named) FIXLIST.txt to the Downloads\Farbar folder

Fixlist.txt <<< - - - - -

Please be sure to close any open work files, documents, and any apps you started yourself before starting this. THIS run will do a Windows RESTART. Once it starts it will auto-close any other running app.

We will use FRST64.exe in the Downloads\Farbar folder to run a custom script. The system will be rebooted after the script has run.

Start Windows Explorer and then go to the Downloads\Farbar folder.

RIGHT click on FRST64.exe and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow it to run.

  • If the tool warns you the version is outdated, please download and run the updated version.
  • IF Windows prompts you about running this, select YES to allow it to proceed.
  • IF you get a block message from Windows about this tool, click the line More info on that screen and click the button Run anyway on the next screen.

  • on the FRST window:

Click the Fix button just once, and wait.

PLEASE have patience when this starts. You will see a green progress bar start. Lots of patience. Please attach the Fixlog.txt with your next reply.

Please only attach logs, reports as we go along.

Edited by Maurice Naggar

Windows System File Checker made corrections. Windows Resource Protection found corrupt files and successfully repaired them.
The custom run is a good one. I am especially happy to see it removed a restriction for Windows Update.

WHEN you get some quiet time .....
I would highly suggest ensuring that this PC is all up-to-date with security updates & cumulative updates on Windows. Select the Windows Start button, and then go to Settings > Update & Security > Windows Update, and click Check for Updates.
Have much patience.


We can proceed with cleanup of tools we used.

To remove the FRST64 tool & its work files, do this. Go to your Downloads\Farbar folder. Do a RIGHT-click on FRST64.exe & select RENAME & then change it to UNINSTALL.exe.
Then run that (double click on it) to begin the cleanup process.


Adwcleaner you may keep and use as needed.
Any other download file I had you download, you may delete.


Consider using PatchMyPC, keep all your software up-to-date - https://patchmypc.com/home-updater#download

Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

I am marking this case for closure.
I wish you all the best. Stay safe.
Sincerely.

Maurice


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy: Tips to help protect from infection

Thank you
