ThePinus, posted November 23, 2022 (ID:1542975)
Hi, need help to remove a hijack. I'm attaching Malwarebytes and FRST logs.
Attachments: malwarebyteslog.txt, Addition.txt, FRST.txt
Maurice Naggar, posted November 23, 2022 (ID:1543002)
Hello. I will guide you along on looking for remaining malware. Let's keep these principles as we go along.

Removing malware can be unpredictable. Please don't run any other scans, download, install or uninstall any programs while I'm working with you. Only run the tools I guide you to. Do not run online games while the case is on-going. Do not do any free-wheeling web-surfing. The removal of malware isn't instantaneous, please be patient.

Cracked, hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also a big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure. Please stick with me until I give you the "all clear".

If your system is running Discord, please be sure to Exit out of it while this case is on-going.

Please set File Explorer to SHOW ALL folders, all files, including Hidden ones. Use OPTION ONE or TWO of this article. Please use this Guide.

Do a new scan with Malwarebytes for Windows. Do a Check for Update using the Malwarebytes Settings >> General tab. See this Support Guide: https://support.malwarebytes.com/hc/en-us/articles/360042187934-Check-for-updates-in-Malwarebytes-for-Windows
When it shows a new version available, Accept it and let it proceed forward. Be sure it succeeds. If prompted to do a Restart, just please follow all directions. Let me know how that goes.

Next, the Malwarebytes scan. Click the small x on the Settings line to go to the main Malwarebytes Window. Next click the blue button marked Scan. When the scan phase is done, be real sure you Review and have all detected line items check-marked on each line on the left. That too is very critical.
>>>>>> 👉 You can actually click the topmost left check-box on the very top line to get ALL lines ticked (all selected). <<<<
💢 Please double verify you have that TOP check-box tick-marked, and that then all lines have a tick-mark. Then click on the Quarantine button. Then, locate the Scan run report; export out a copy; & then attach it with your reply. See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

Let's do one scan with Malwarebytes AdwCleaner to check for adwares. Just before pressing that "scan" button, be sure that Chrome & Edge, or other web browsers, are Closed. It will not take much time, but do read all of this write-up first so that you fully understand the concept of this special run.
First download & save it (guide & download link). Then be sure to close all web browsers after the download & before launching the tool. Then go to where the EXE file is saved. Start AdwCleaner. Reply YES at the Windows prompt to allow the program to proceed and make changes. That is the usual Windows security prompt.
Take your time and go carefully. There are some preliminary selections to be set before pressing any 'scan' button. When AdwCleaner starts, on the left side of the window, click on "Settings" and then enable these repair actions on that tab-window by clicking their button to the far right for ON status:
- Delete IFEO keys
- Delete tracing keys
- Delete Prefetch files
- Reset Proxy
- Reset IE Policies
- Reset Chrome policies
- Reset Winsock
Now on the left side of the AdwCleaner window, click on "Dashboard" and then click "Scan" to perform a computer scan. This can take several minutes. When the AdwCleaner scan is completed it will display all of the items it has found. Click on the "Quarantine" button to remove what it found. AdwCleaner will now prompt you to save any open files or data as the program will need to close any open programs before it starts to clean.
Click on the "Continue" button to finish the removal process. Guide article. Attach the clean log from AdwCleaner when all completed.
ThePinus (Author), posted November 24, 2022 (ID:1543123)
Hi, thanks for the reply. Here I'm attaching the logs from both Malwarebytes and AdwCleaner as requested. I restarted after the AdwCleaner scan because it seemed to be mandatory; then, after the restart, I saved the clean logs.
Attachments: malwareBytesScanReport.txt, adwCleanerLogs.txt
ThePinus (Author), posted November 24, 2022 (ID:1543124)
I did not restart the PC after the Malwarebytes scan, even if I was asked to do that after clicking the Quarantine button.
Maurice Naggar, posted November 24, 2022 (ID:1543149)
Those are good cleanups.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. The download links & how to run the tool are at this link at Microsoft: https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download
Look on Scan Options & select CUSTOM scan & then select the C drive to be scanned. Then start the scan. Have lots of patience. Once you start the scan & you see it started, then leave it be. Once you see it has started, take a long long break; walk away.
Do not give credence to any intermediate early flash messages on the screen display. The only things that count are the end results at the end of the run. Again, any on-screen display about repeat 'infection' is not to be relied on. Ignore those. We only rely on the end result that is in the log report file.
This is likely to run for many hours (depending on the number of files on your machine & the speed of hardware). The log is named msert.log and will be at Windows\debug\msert.log. Please attach that log with your reply.
ThePinus (Author), posted November 25, 2022 (ID:1543162)
Here we are.
Attachment: msert.log
Maurice Naggar, posted November 25, 2022 (ID:1543201)
The MS Safety Scanner found & removed some threats. There is 1 RAR file that you need to be sure is removed. If you find it still present, then delete it:
C:\Users\casto\Documents\MEGAsync Downloads\Ableton Live Suite 10.0.6 Multilingual.rar

I would urge you highly to stay far away from hacked / cracked software of any sort, whether a so-called free program or free game, or whatever.
Hidden risks in pirated software: https://news.microsoft.com/apac/2019/01/08/hidden-risks-in-pirated-software/
Why You Shouldn't Use Pirated Software: https://www.computer.org/publications/tech-news/trends/why-you-shouldnt-use-pirated-software
Torrenting & filesharing: try to not do that, as a general security matter. All it takes is one malicious file to lead to tragedy & loss. https://informationsecuritybuzz.com/articles/torrenting-know-risks-take/
DON'T FALL FOR THE MONEY-SAVING LURE OF CRACKED SOFTWARE: https://scambusters.org/crackedsoftware.html

We need to do more scanning. This one you can start & once it is under way, you can leave the machine alone & let it run over-night. No need to keep watch once it starts the actual scan run.

Next, this will be a check with ESET Online Scanner for viruses, other malware, adwares, & potentially unwanted applications.
Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe
It will start a download of "esetonlinescanner.exe". Save the file to your system, such as the Downloads folder, or else to the Desktop. Go to the saved file, and double click it to get it started.
When presented with the initial ESET options, click on "Computer Scan". Next, when prompted by Windows, allow it to start by clicking Yes. When prompted for scan type, click on Full scan. Look at & tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button. Have patience.
The entire process may take an hour or more. There is an initial update download. There is a progress window display. You may step away from the machine & let it be. That is, once it is under way, you should leave it running. It will run for several hours.
At the screen "Detections occurred and resolved", click on the blue button "View detected results". On the next screen, at lower left, click on blue "Save scan log". Note where the file is to be saved. Provide a meaningful name for the "File name:". On the last screen, set to Off (left) the option for Periodic scanning. Click "Save and continue".
Please attach the report file so I can review.
ThePinus (Author), posted November 26, 2022 (ID:1543255)
Hello, this is the result from the ESET scan.
Attachment: esetScanLog.txt
Maurice Naggar, posted November 26, 2022 (ID:1543303)
That removed an adware & several unwanted-type "torrent" applications.

What follows is a scan with another security tool, the Kaspersky KVRT tool.
Download Kaspersky Virus Removal Tool (KVRT) from here: https://www.kaspersky.com/downloads/thank-you/free-virus-removal-tool and save it to your Desktop.
Next, press the Windows Key and R Key together; the "Run" box should open. Drag and drop KVRT.exe into the Run box. "%userprofile%\DESKTOP\KVRT.exe" will now show in the Run box. Add -dontencrypt (note the space between KVRT.exe and -dontencrypt), so that
%userprofile%\DESKTOP\KVRT.exe -dontencrypt
should now show in the Run box. That addendum to the run command is very important.
To start the scan select OK in the "Run" box. The "Windows protected your PC" window will open; select "More Info". A new window will open; select "Run anyway". An EULA window will open; tick both confirmation boxes then select "Accept". In the new window select "Change Parameters". In the new window ensure the following boxes are ticked:
- System memory
- Startup objects
- Boot sectors
- System drive
Then select "OK" and "Start scan". The Kaspersky tool is very thorough so it will take a considerable time to complete; please allow it to finish. Also, while Kaspersky runs do not use your PC for anything else.
When completed: if entries are found, there will be options to choose. If "Cure" is offered, leave it as it is. For any other options change to "Delete", then select "Continue". Usually, your system needs a reboot to finish the removal process.
Logfiles can be found on your system drive (usually C:). Reports are saved here: C:\KVRT_data\Reports and look similar to this: report_20221126_103821.klr
Right click directly onto those reports, select Open with > Notepad. Save the files and attach them with your next reply.
ThePinus (Author), posted November 27, 2022 (ID:1543410)
Hi, I think we are done; found that annoying trojan (proxygen) in system memory and fixed it with the Kaspersky tool. Thanks a lot for your support. I await an answer on whether any other step is required to consider my PC safe.
Attachment: report_2022.11.27_19.00.30.txt
Maurice Naggar, posted November 27, 2022 (ID:1543456) (edited)
Hello @ThePinus
There were a handful of threats that Kaspersky KVRT apparently could not remove. We need to do a follow-on cleanup.

This next custom fix is mainly intended to run Windows' SFC & DISM to check the system for integrity; to clear the temporary cache on Edge, Chrome & Firefox; to rebuild the Winsock; and to attempt to check the system with Microsoft Defender antivirus. It will also do other cleanups, like a rogue scheduled task & a hijacker. This is not a cure-all. Rather, it is meant as a general check & cleanup.
This custom script is for ThePinus's machine only / for this machine only.
Please save the attached file named Fixlist.txt to the Downloads folder. (Attachment: Fixlist.txt)

Please be sure to close any open work files, documents, any apps you started yourself before starting this. THIS run will do a Windows RESTART. Once it starts it will auto-close any other running app.
We will use FRST64.exe in the Downloads folder to run a custom script. The system will be rebooted after the script has run.
Start Windows Explorer and then go to the Downloads folder. RIGHT click on FRST64.exe and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow it to run. If the tool warns you the version is outdated, please download and run the updated version. IF Windows prompts you about running this, select YES to allow it to proceed. IF you get a block message from Windows about this tool, click More info on that screen and click the Run anyway button on the next screen.
On the FRST window: click the Fix button just once, and wait. PLEASE have patience when this starts. You will see a green progress bar start. Lots of patience.
Please attach the Fixlog.txt with your next reply.
Edited November 28, 2022 by Maurice Naggar
ThePinus (Author), posted November 28, 2022 (ID:1543533)
Hi, Maurice. I manually removed C:\Users\casto\Desktop\CUBASE PRO 10.5 Pro\2.Soft-eLicenser bundle b15.exe before. Here's the Fixlog, as requested. Thanks.
Attachment: Fixlog_28-11-2022 09.11.17.txt
Maurice Naggar, posted November 28, 2022 (ID:1543614)
Windows Resource Protection found corrupt files and successfully repaired them.

[ Do a custom scan with Microsoft Defender Antivirus ]
I just want to do a visual check in Windows Security to see (visually) that Microsoft Defender is on, and to do a Custom scan.
From the Windows Start menu, select Settings, then select Update and Security. Next, look at the left-side menu & select Windows Security. Next, in the Windows Security section, click on the grey button Open Windows Security. Now, click on the shield Virus and threat protection. Look to see that Microsoft Defender is shown & available for use.
On the next display, look at all the options. Look down the list and see "Check for Updates". You should click on that to have the system check for updates for Windows Defender. Watch & wait for that to complete.
Please also note that the Scan options (all) can be displayed by clicking on Scan options. Click that & select CUSTOM scan & then pick the C drive & have it go forward. Once it has started the scan phase, you can go take a long break.
Let me know the results.
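The same Defender check and custom scan of the C drive, done from an elevated PowerShell prompt with the built-in Defender cmdlets; this is an added example for readers, not something posted in the thread. It assumes the Windows Security "Allow on device" choice is recorded as a per-threat default action of Allow (value 6), which is what step 5 lists.

```powershell
# Added example (not from the thread): scriptable equivalent of the
# Windows Security walk-through. Run from an elevated PowerShell prompt.

# 1. Confirm Microsoft Defender is on and see how old the signatures are.
$status = Get-MpComputerStatus
if (-not $status.AntivirusEnabled) {
    throw "Microsoft Defender antivirus is not enabled; another product may be registered instead."
}
"Real-time protection enabled: {0}" -f $status.RealTimeProtectionEnabled
"Signatures last updated:      {0}" -f $status.AntivirusSignatureLastUpdated

# 2. Same as clicking 'Check for updates' on the Virus & threat protection page.
Update-MpSignature

# 3. Custom scan of the C drive (Scan options > Custom scan in the GUI).
#    This call blocks until the scan finishes, which can take a long time.
Start-MpScan -ScanType CustomScan -ScanPath 'C:\'

# 4. Review what Defender found: one row per detection, with the files
#    involved and whether the remediation action succeeded.
Get-MpThreatDetection |
    Sort-Object InitialDetectionTime |
    Select-Object InitialDetectionTime, ThreatID, ActionSuccess,
        @{ Name = 'Resources'; Expression = { $_.Resources -join '; ' } } |
    Format-Table -AutoSize

# 5. Threat IDs the user has allowed. Assumption: the GUI's "Allow on device"
#    is stored as a per-threat default action of Allow (ThreatAction value 6).
#    Anything listed here will keep being skipped by scans until it is changed
#    back to "Don't allow" in Windows Security.
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.ThreatIDDefaultAction_Ids.Count; $i++) {
    if ($pref.ThreatIDDefaultAction_Actions[$i] -eq 6) {
        "Allowed threat ID: {0}" -f $pref.ThreatIDDefaultAction_Ids[$i]
    }
}
```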
ThePinus (Author), posted November 29, 2022 (ID:1543691)
Good morning / evening, that's the scan result.
ThePinus (Author), posted November 29, 2022 (ID:1543692)
Also I've found these files as allowed threats. What can I do?
ThePinus (Author), posted November 29, 2022 (ID:1543694)
In the allowed threats section (2nd screenshot) there's a clickable button "Don't allow" when I expand every single item.
Maurice Naggar, posted November 29, 2022 (ID:1543729) [Solution]
@ThePinus
Look in the Downloads folder. If you see MSERT.exe, go ahead and delete it. You should do a new download. The download links & how to run the tool are at this link at Microsoft: https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download
Look on Scan Options & select FULL scan. Then start the scan. Have lots of patience. Once you start the scan & you see it started, then leave it be. Once you see it has started, take a long long break; walk away.
Do not give credence to any intermediate early flash messages on the screen display. The only things that count are the end results at the end of the run. Again, any on-screen display about repeat 'infection' is not to be relied on. Ignore those. We only rely on the end result that is in the log report file.
This is likely to run for many hours (depending on the number of files on your machine & the speed of hardware). The log is named msert.log and will be at Windows\debug\msert.log. Please attach that log with your reply.
ThePinus (Author), posted November 30, 2022 (ID:1543816)
Hi, very good news.
Attachment: msert.log
Maurice Naggar, posted November 30, 2022 (ID:1543904)
Results Summary:
----------------
No infection found.

Temporarily disable Microsoft SmartScreen to download the next software below.
I would recommend getting a readout report as to the update status of some key apps. Download SecurityCheck by glax24 from here and save the tool on the desktop. If Windows's SmartScreen blocks that with a message window, then click on the MORE INFO spot and over-ride that and allow it to proceed. This tool is safe. SmartScreen is overly sensitive.
Right-click with your mouse on SecurityCheck.exe and select "Run as administrator" and reply YES to allow it to run & go forward. Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file. Attach it with your next reply. You can find this file in a folder called SecurityCheck: C:\SecurityCheck\SecurityCheck.txt
When all done, you may go back to turn ON the Edge SmartScreen protection.
Tell me, do you need some other help at this point?
ThePinus (Author), posted December 1, 2022 (ID:1543968)
Hi, Maurice. I appreciated your support and patience; you can consider the case closed. Have a great time!
Attachment: SecurityCheck.txt
Maurice Naggar, posted December 1, 2022 (ID:1543990)
with Malwarebytes for Windows. Do a Check for Update using the Malwarebytes Settings >> General tab. See this Support Guide: https://support.malwarebytes.com/hc/en-us/articles/360042187934-Check-for-updates-in-Malwarebytes-for-Windows
When it shows a new version available, Accept it and let it proceed forward. Be sure it succeeds. If prompted to do a Restart, just please follow all directions.

Here are all the other applications that need your attention & follow-up:
- Git v.2.36.0 - Warning! Download Update
- Oracle VM VirtualBox 6.1.34 v.6.1.34 - Warning! Download Update
- Node.js v.16.16.0 - Warning! Download Update
- 7-Zip 19.00 (x64) v.19.00 - Warning! Download Update
- Discord v.1.0.9004 - Warning! Download Update
- Slack v.4.26.2 - Warning! Download Update
- WhatsApp v.2.2236.10 - Warning! Download Update
- Zoom v.5.12.2 (9281) - Warning! Download Update

I am glad to have worked with you. We can proceed with cleanup of the tools we used.
To remove the FRST64 tool & its work files, do this: go to your Downloads folder. RIGHT-click on FRST64.exe & select RENAME & then change it to UNINSTALL.exe. Then run that (double click on it) to begin the cleanup process.
Delete msert.exe
Delete esetonlinescanner.exe
Delete KVRT.exe
Delete Securitycheck.exe
Any other download file I had you download, you may delete.

Consider using PatchMyPC to keep all your software up-to-date: https://patchmypc.com/home-updater#download
Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched prevents attackers from being able to exploit them to drop malware.

I am marking this case for closure. I wish you all the best. Stay safe.
Sincerely,
Maurice
Maurice Naggar, posted December 1, 2022 (ID:1543991)
Glad we could help.
If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.
Please review the following to help you better protect your computer and privacy: Tips to help protect from infection
Thank you