Infected!

[ThePinus]

Hi, need help to remove hijack.

I'm attaching malwarebytes and FRST logs.

 

malwarebyteslog.txt Addition.txt FRST.txt

[Maurice Naggar]

Hello  

I will guide you along on looking for remaining malware. Lets keep these principles as we go along.

• Removing malware can be unpredictable
• Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
• Only run the tools I guide you to.
• Do not run online games while case is on-going. Do not do any free-wheeling web-surfing.
• The removal of malware isn't instantaneous, please be patient.
• Cracked or or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed, is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
• Please stick with me until I give you the "all clear".
• If your system is running Discord, please be sure to Exit out of it while this case is on-going.

 

Please  set File Explorer to SHOW ALL folders, all files, including Hidden ones.  Use OPTION ONE or TWO of this article
Please use this Guide

 

Do a new scan with Malwarebytes for Windows.

Do a Check for Update using the Malwarebytes Settings >> General tab.

See this Support Guide https://support.malwarebytes.com/hc/en-us/articles/360042187934-Check-for-updates-in-Malwarebytes-for-Windows

When it shows a new version available, Accept it and let it proceed forward.  Be sure it succeeds.

If prompted to do a Restart, just please follow all directions.

Let me know how that goes.    Next, the Malwarebytes sca

Next, click the small x on the Settings line to go to the main Malwarebytes Window.   Next click the blue button marked Scan.

 

When the scan phase is done, be real sure you Review and have all detected lines items check-marked on each line on the left. That too is very critical.

>>>>>>      👉      You can actually click the topmost left  check-box  on the very top line to get ALL lines  ticked   ( all selected).         <<<<     💢

 

Please double verify you have that TOP  check-box tick marked.   and that then, all lines have a tick-mark

 

Then click on Quarantine  button.

 

Then, locate the Scan run report;  export out a copy;  & then attach in with your  reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

 

Let's do one scan with Malwarebytes Adwcleaner to check for adwares. Just before pressing that "scan" button, be sure that Chrome & Edge, or other web browser are Closed.

It will not take much time, But do read all of this write-up first so that you fully understand the concept of this special run.

First download & save it
guide & download link

Then be sure to close all web browsers after the download & before launching the tool.

Then go to where the EXE file is saved. Start Adwcleaner.
Reply YES at the Windows prompt to allow the program to proceed and make changes. That is the usual Windows security prompt.

Take your time and go careful. There are some preliminary selections to be set ....before pressing any 'scan' button.

When AdwCleaner starts, on the left side of the window, click on “Settings” and then enable these repair actions on that tab-window
by clicking their button to the far-right for ON status

Delete IFEO keys
Delete tracing keys
Delete Prefecth files
Reset Proxy
Reset IE Policies
Reset Chrome policies
Reset Winsock

Now On the left side of the AdwCleaner window, click on “Dashboard” and then click “Scan” to perform a computer scan.

This can take several minutes.
When the AdwCleaner scan is completed it will display all of the items it has found. Click on the “Quarantine” button To remove what it found.

AdwCleaner will now prompt you to save any open files or data as the program will need to close any open programs before it starts to clean. 
Click on the “Continue” button to finish the removal process.

Guide article

Attach the clean log from Adwcleaner when all completed.

[ThePinus]

Hi, thanks for reply.

Here I'm attaching the logs from both MalwareBytes and AdwCleaner as requested.

I restarted after AdwCleaner scan because it seemed to be mandatory than, after restart, I saved the clean logs.

malwareBytesScanReport.txt adwCleanerLogs.txt

[ThePinus]

I did not restart the PC after malwarebytes scan even if I was asked to do that after clicking the quarantine button

[Maurice Naggar]

Those are good cleanups.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on Scan Options & select CUSTOM scan & then select the C drive to be scanned.

Then start the scan. Have lots of patience. Once you start the scan & you see it started, then leave it be.  

 

Once you see it has started, take a long long break; walk away. Do not pay credence if you see some intermediate early flash messages on screen display. The only things that count are the End result at the end of the run.

Again, any on-screen display about repeat 'infection' is not to be relied on. Ignore those.

We only rely on the end result that is on the log-report-file.

 

This is likely to run for many hours ( depending on number of files on your machine & the speed of hardware.)

The log is named MSERT.log  

 

the log will be at  

Windows\debug\msert.log

Please attach that log with your reply. 

[ThePinus]

Here we are.

msert.log

[Maurice Naggar]

The MS Safety Scanner found & removed some threats. There is 1 RAR file that you need to be sure is removed. If you find it still present, then delete it

C:\Users\casto\Documents\MEGAsync Downloads\Ableton Live Suite 10.0.6 Multilingual.rar

I would urge you highly to stay far away from hack / cracked software of any sort. Whether a so called free program or free game, or whatever.
Hidden risks in pirated software
https://news.microsoft.com/apac/2019/01/08/hidden-risks-in-pirated-software/

Why You Shouldn't Use Pirated Software
https://www.computer.org/publications/tech-news/trends/why-you-shouldnt-use-pirated-software

Torrenting & filesharing. Try to not do that, as a general security matter. All it takes is one malicious file to lead to tragedy & loss.
https://informationsecuritybuzz.com/articles/torrenting-know-risks-take/

DON'T FALL FOR THE MONEY-SAVING LURE OF CRACKED SOFTWARE
https://scambusters.org/crackedsoftware.html

 

We need to do more scanning. This here you can start & once it is under way, you can leave the machine alone & let it run over-night. No need to keep watch once it starts the actual scan run. 

Next, This will be a check with ESET Onlinescanner for viruses, other malware, adwares, & potentially unwanted applications.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

 

It will start a download of "esetonlinescanner.exe"

• Save the file to your system, such as the Downloads folder, or else to the Desktop.
• Go to the saved file, and double click it to get it started.

 

• When presented with the initial ESET options, click on "Computer Scan".
• Next, when prompted by Windows, allow it to start by clicking Yes
• When prompted for scan type, Click on Full scan

Look at & tick ( select ) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on Start scan button.

• Have patience. The entire process may take an hour or more. There is an initial update download.

There is a progress window display. You may step away from machine &. Let it be.  That is, once it is under way, you should leave it running.  It will run for several hours.

• At screen "Detections occured and resolved" click on blue button "View detected results"
• On next screen, at lower left, click on blue "Save scan log"
• View where file is to be saved. Provide a meaningful name for the "File name:"
• On last screen, set to Off (left) the option for Periodic scanning
• Click "save and continue"
• Please attach the report file so I can review

[ThePinus]

Hello, this is the result from eset scan.

esetScanLog.txt

[Maurice Naggar]

That removed an adware & several unwanted-type "torrent" applications. What follows is a scan with another security tool. 

This with Kaspersky KVRT tool.

Download Kaspersky Virus Removal Tool (KVRT) from here: https://www.kaspersky.com/downloads/thank-you/free-virus-removal-tool and save to your Desktop.

Next, Select the Windows Key and R Key together, the "Run" box should open.



Drag and Drop KVRT.exe into the Run Box.



"%userprofile%\DESKTOP\KVRT.exe" will now show in the run box.



add 

-dontencrypt

 Note the space between KVRT.exe and -dontencrypt

%userprofile%\DESKTOP\KVRT.exe -dontencrypt 

should now show in the Run box.



That addendum to the run command is very important.


To start the scan select OK in the "Run" box.



The Windows Protected your PC window will open, select "More Info"



A new Window will open, select "Run anyway"



A EULA window will open, tick both confirmation boxes then select "Accept"



In the new window select "Change Parameters"

 

• In the new window ensure the following boxes are ticked:
  • System memory
  • Startup objects
  • Boot sectors
  • System drive

• Then select "OK" and „Start scan“.

The Kaspersky tool is very thorough so will take a considerable time to complete, please allow it to finish. Also while Kaspersky runs do not use your PC for anything else..

• completed: If entries are found, there will be options to choose. If "Cure" is offered, leave as it is. For any other options change to "Delete", then select "Continue".
• Usually, your system needs a reboot to finish the removal process.
• Logfiles can be found on your systemdrive (usually C: ), similar like this:

Reports are saved here C:\KVRT_data\Reports and look similar to this report_20221126_103821.klr

• Right click direct onto those reports, select > open with > Notepad.
• Save the files and attach them with your next reply

[ThePinus]

Hi,

I think we are done, found that annoying trojan (proxygen) on system memory and fixed with kaspersky tool.

Thanks a lot for your support. I wait for an answer if any other step is required to consider my PC safe.

report_2022.11.27_19.00.30.txt

[Maurice Naggar]

Hello @ThePinus

There were a handful of threats that Kaspersky KVRT apparently could not remove. We need to do a follow-on cleanup. 

This next custom-fix is mainly intended to run Windows' SFC & DISM to check the system for integrity. To clear temporary cache on Edge & Chrome & Firefox. To rebuild the Winsock. To attempt to check the system with Microsoft Defender antivirus. It will also do other cleanups, like a rogue scheduled task & a hijacker.

This is not a cure-all. Rather, it is meant as general check & cleanup.

This custom script is for  Thepinus machine  only / for this machine only.

• Please save the (attached file named) FIXLIST.txt   to the   Downloads   folder

Fixlist.txt <<< - - - - -

Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this. THIS run will do a Windows RESTART. Once it starts it will auto-close any other running app.

We will use FRST64.exe  on the Downloads folder    to run a custom script .    The system will be rebooted after the script has run. 

Start the Windows Explorer and then, go  to the Downloads    folder.

RIGHT click on FRST64.exe    and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run.

•    If the tool warns you the version is outdated, please download and run the updated version.
• IF Windows prompts you about running this, select YES to allow it to proceed.
• IF you get a block message from Windows about this tool......

               click line More info information on that screen
               and click button Run anyway on next screen.

• on the FRST window:

Click the Fix button just once, and wait.

PLEASE have patience when this starts. You will see a green progress bar start. Lots of patience.  Please attach the Fixlog.txt with your next reply. 

Edited November 28, 2022 by Maurice Naggar

[ThePinus]

Hi, Maurice. I manually removed C:\Users\casto\Desktop\CUBASE PRO 10.5 Pro\2.Soft-eLicenser bundle b15.exe before.

Here's Fixlog, as requested.

Thanks.

Fixlog_28-11-2022 09.11.17.txt

[Maurice Naggar]

Windows Resource Protection found corrupt files and successfully repaired them.

 

[   Do a custom scan with Microsoft Defender Antivirus ]

Just want to do a visual check in Windows Security to see (visually) that Microsoft Defender is on , and to do a Custom scan.

From the Windows Start menu, select Settings, then select Update and Security.

Next, look at the left-side menu & select Windows Security

Next, In Windows Security section: Click on the grey button Open Windows Security

Now, click on the shield Virus and threat protection

Look to see that Microsoft Defender is shown & available for use.

On the next display, look at all the options.  Look down the list and see "Check for Updates" .

You should click on that to have the system check for updates for Windows Defender.  Watch & wait for that to complete.

Please also note that the Scan options (all) can be displayed by clicking on Scan options.   Click that & select CUSTOM scan & then pick the C drive  & have it go forward.

Once it has started the scan phase, you can go take a long break.   Let me know the results.

[ThePinus]

Good morning / evening,

that's the scan result.

[ThePinus]

Also I've found these files as allowed threats. What can I do?

[ThePinus]

In allowed threat section (2nd screenshot) there's a clickable button "dont't allow" when I expand every single item.

[Maurice Naggar]

@ThePinus

Look on the Downloads folder. If you see MSERT.exe go ahead and delete it. You should do a new download.

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on Scan Options & select FULL scan .

Then start the scan. Have lots of patience. Once you start the scan & you see it started, then leave it be.  

 

Once you see it has started, take a long long break; walk away. Do not pay credence if you see some intermediate early flash messages on screen display. The only things that count are the End result at the end of the run.

Again, any on-screen display about repeat 'infection' is not to be relied on. Ignore those.

We only rely on the end result that is on the log-report-file.

 

This is likely to run for many hours ( depending on number of files on your machine & the speed of hardware.)

The log is named MSERT.log  

 

the log will be at  

Windows\debug\msert.log

Please attach that log with your reply. 

[ThePinus]

Hi, very good news.

msert.log

[Maurice Naggar]

Results Summary:
----------------
No infection found.

Temporarily disable Microsoft SmartScreen to download the next software below 

I would recommend getting a readout report as to update status of some key apps.
Download SecurityCheck by glax24 from here

and save t

he tool on the desktop.

                   If Windows's  SmartScreen block that with a message-window, then
                         Click on the MORE INFO spot and over-ride that and allow it to proceed.

                             This tool is safe.   Smartscreen is overly sensitive.

Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"   and reply YES to allow to run & go forward
Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file.  Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

When all done, you may go back to turn ON the EDGE Smartscreen protection.

and

Tell me, do you need some other help at this point ?

[ThePinus]

Hi, Maurice.

appreciated your support and patience, can consider the case closed.

Have a great time!

SecurityCheck.txt

[Maurice Naggar]

with Malwarebytes for Windows.
Do a Check for Update using the Malwarebytes Settings >> General tab.

See this Support Guide https://support.malwarebytes.com/hc/en-us/articles/360042187934-Check-for-updates-in-Malwarebytes-for-Windows

When it shows a new version available, Accept it and let it proceed forward.  Be sure it succeeds.

If prompted to do a Restart, just please follow all directions.

Here are all the other applications that need your attention & follow-up:

Git v.2.36.0  Warning! Download Update

Oracle VM VirtualBox 6.1.34 v.6.1.34  Warning! Download Update

Node.js v.16.16.0   Warning! Download Update

7-Zip 19.00 (x64) v.19.00   Warning! Download Update
  
Discord v.1.0.9004  Warning! Download Update

Slack v.4.26.2  Warning! Download Update

WhatsApp v.2.2236.10  Warning! Download Update

Zoom v.5.12.2 (9281)  Warning! Download Update

I am glad to have worked with you.

We can proceed with cleanup of tools we used.

To remove the FRST64 tool & its work files, do this. Go to your Downloads folder. Do a RIGHT-click on FRST64.exe & select RENAME & then change it to

UNINSTALL.exe

.
Then run that ( double click on it) to begin the cleanup process.

Delete msert.exe
Delete esetonlinescanner.exe
Delete KVRT.exe
Delete Securitycheck.exe

Any other download file I had you download, you may delete.
Consider using PatchMyPC, keep all your software up-to-date - https://patchmypc.com/home-updater#download

Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

I am marking this case for closure.
I wish you all the best. Stay safe.
Sincerely.

Maurice

[Maurice Naggar]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy Tips to help protect from infection

Thank you