Ransomware email : didn't open file but need assistance


Solved by Maurice Naggar

Hello,

I received an email three days ago with the subject line that my email has been hacked, I did not open the email but contacted my ISP regarding my account and they requested that I forward the email to them as I had already downloaded it from their server. When forwarding the email I could see the content in a preview screen and it was certainly requesting that I pay a ransom within 48hrs or my files would be locked (I am not sure whether seeing that preview triggered anything or not).

I have Malwarebytes premium and it hasn't detected anything in the scans that I have been performing on a daily basis, additionally there has not been any obvious infection signs. It would certainly put my mind at ease if simply deleting the email would remove any fears that I have that my computer is actually infected.

Attached are the required FRST and MB threat log files.

TIA for any assistance that you can provide

Octagonal1

Addition.txt FRST.txt MB Threat Scan.txt

Hello @Octagonal1 and welcome back:

Although the Email is likely a scam, please follow the procedure below:

While you are waiting for the next qualified/approved malware removal expert helper to weigh in on your topic, and even though you may have run the following Malwarebytes utility, or its subsets, please carefully follow these instructions:

  1. Download the Malwarebytes Support Tool.
  2. In your Downloads folder, open the mb-support-x.x.x.xxx.exe file.
  3. In the User Account Control (UAC) pop-up window, click Yes to continue the installation.
  4. Run the MBST Support Tool.
  5. In the left navigation pane of the Malwarebytes Support Tool, click Advanced.
  6. In the Advanced Options, click only Gather Logs. A status diagram displays the tool is Getting logs from your computer.
  7. A zip file named mbst-grab-results.zip will be saved to the Public desktop, please attach that file in your next reply to this topic. Please do NOT copy and paste.

For the short time between when you post the diagnostic logs, and when your helper weighs in, please take no further self-directed remedial actions that will invalidate the diagnostic logs you will have sent.

Thank you.

The Malwarebytes scan of morning of 7th March is good.
Have you done a scan with the Kaspersky Total Security today? If not, please do that.
Note that I do not expect any actual infection as an after-effect of getting the phishing email message. That was a scam and a lure.

11 hours ago, Octagonal1 said:

The Kaspersky license expired some time ago and I haven't renewed it so I cannot scan with that program,

Are you really sure that Kaspersky will not run? I mean to say, see about launching the program and attempt a scan with Kaspersky. Unfortunately, since this machine is running Vista Service Pack 2 (which reached end of Microsoft life support as of Apr 11, 2017; that is the Extended end date. The actual mainstream end-date was April 2009), there are very few antivirus tools that can possibly be used to check it.
I am honestly not sure that the Microsoft Safety Scanner will run on this. However, let us give it a try.
If it errors out, kindly provide the error-exception message you see.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system.

The download links & the instructions on how to run the tool are at this link at Microsoft:

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

Look on Scan Options & select CUSTOM scan & then select the C drive to be scanned.

Then start the scan. Have lots of patience. Once you start the scan & you see it started, then leave it be.

  • Once you see it has started, take a long long break; walk away. Do not pay credence if you see some intermediate early flash messages on screen display. The only things that count are the end result at the end of the run.
  • Again, any on-screen display about repeat 'infection' is not to be relied on. Ignore those.
  • We only rely on the end result that is on the log-report-file.

This is likely to run for many hours (depending on number of files on your machine & the speed of hardware.)

The log is named MSERT.log

The log will be at

Windows\debug\msert.log

Please attach that log with your reply.

Yes really, KTS won't scan as it's asking me to renew license to be able to (see attached screen msgs), I can open KTS but scanning and updates are disabled as it has been a couple of years since the license expired (The warning and issue in one ss refer to License not current and a couple of updates not installed).

I downloaded MSERT and unfortunately it will not run (see attached screen msgs), it appears that Windows 7 is the minimum version required to run.

Kasp1.JPG

Kasp2.JPG

MSERT1.JPG

MSERT2.JPG

Delete MSERT.exe

It needs to be said: If KTS does not scan, and if you will not be renewing the license, then you ought to Uninstall KTS.
Yes, MSERT minimum is at least having Windows 7.
It needs to be said, also, you ought to seriously think of migrating onto a new machine capable of running Windows 11.

This machine "should" be able to run a scan of the TrendMicro Housecall scan tool.

TrendMicro HouseCall scan

https://www.trendmicro.com/en_us/forHome/products/housecall.html

First, Download & Save to your Downloads folder the appropriate HouseCallLauncher
Once the download is complete, go to where the Housecalllauncher is saved & double-click it to start it.

The program will check with TrendMicro & do a update run.

Next it will show the Disclosure window.

Click Next to proceed.

The end user license agreement is presented.   Click the Accept radio button & click Next to proceed.

I suggest a CUSTOM scan on C drive.

IF you wish a Full scan or a Custom scan, first click on the Settings

then you can select which drives you want to include in the scan.

The default is a Quick scan.

Click Scan now when ready.

The scan progress will then be displayed. Monitor the progress or just leave it alone until it finishes this phase.

When the scan phase has completed, if any items are tagged, you will see a list, showing the file & its location, the classification of the threat, the type, risk, and Action option.

If you see an item that you know is safe, you can click the Action, and select Ignore.

When all done & ready, click the Fix now button.

Edited by Maurice Naggar
Hey Maurice,

As requested, I deleted MSERT.exe and removed KTS.

I could load the TrendMicro page ok and I attempted several times to download the Housecall Launcher but the webpage kept hanging when I tried to download the Launcher (maybe outdated browser issue... I'm not sure), so I downloaded the Launcher file using another device and transferred it to the computer. However, when running the file it would get to 67% and then throw an error msg relating to "an internal error" (error msg attached, and yes I ensured that it was the correct platform and version), I tried to run the file several times but got the same result each time.

The 48hrs has expired and I still appear to have all files intact on the computer, so possibly it was just a phishing email and I will take your advice and purchase a new updated desktop computer to migrate to. I apologise if I have been an inconvenience or wasted your valuable time and sincerely thank you for your patience in dealing with my issue.

One last thing, do you recommend installing another AV program to run alongside MB on the new computer and if so, which one do you suggest?

Regards

Octagonal1 

Housecall Error.JPG

Windows 11 (as does Windows 10) comes pre-equipped and loaded with Microsoft Defender antivirus as "the" antivirus. You will do fine with it alongside Malwarebytes Premium.

Go ahead and delete the Trendmicro Housecall download. Too bad it too could not run. Alas, Vista is an operating system from the 1st decade of this century. Do realize that security holes even in the current operating systems are discovered on an ongoing basis. It is key to have a modern, current, and up-to-date Operating System.

I would recommend getting a readout report as to update status of some key apps.
Download SecurityCheck by glax24 from here

and save the tool on the desktop.

If Windows's SmartScreen blocks that with a message-window, then click on the MORE INFO spot and over-ride that and allow it to proceed. This tool is safe. SmartScreen is overly sensitive.

Right-click with your mouse on the Securitycheck.exe and select "Run as administrator" and reply YES to allow it to run & go forward.
Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file. Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

  • Solution

Per the SecurityCheck report, these programs need your attention & follow-up.
Microsoft Office Enterprise 2007 v.12.0.6612.1000  Warning! This software is no longer supported. Please use latest Microsift Office, Office Online or LibreOffice

Microsoft .NET Framework 4.5.2 v.4.5.51209  Warning! Download Update

Microsoft Office 2007 Service Pack 3 (SP3)  Warning! This software is no longer supported. Please use latest Microsift Office, Office Online or LibreOffice

NVIDIA GeForce Experience 2.1.1 v.2.1.1  Warning! Download Update

HandBrake 1.0.7 v.1.0.7  Warning! Download Update
 
VLC media player 2.0.5 v.2.0.5  Warning! Download Update

iTunes v.12.1.3.6  Warning! Download Update
^Please use Apple Software Update tool.^

QuickTime v.7.74.80.86  Warning! This software is no longer supported. Please uninstall it and use another software.

Adobe AIR v.2.7.1.19610  Warning! This software is no longer supported. Please uninstall it.

Adobe Reader X (10.1.16) v.10.1.16  Warning! This software is no longer supported. Please uninstall it and use Adobe Acrobat Reader DC.

Mozilla Firefox 52.9.0 ESR (x86 en-GB) v.52.9.0  Warning! Download Update

Mozilla Thunderbird 52.9.1 (x86 en-GB) v.52.9.1  Warning! Download Update

Hi Maurice,

A new PC will be purchased next week, and the programs that I no longer use will be deleted and all necessary ones I will update accordingly.

I thank you for your time and patience, you can close this thread as I believe it is now resolved.

Regards

Octagonal1

Let's go ahead and do some clean-up work and remove the tools and logs we've run.
Please download KpRm by kernel-panik and save it to your desktop.

  • right-click kprm_(version).exe and select Run as Administrator.
  • Read and accept the disclaimer.
  • When the tool opens, ensure all boxes under Actions are checked.
  • Under Delete Quarantines select Delete Now, then click Run.
  • Once complete, click OK.
  • A log will open in Notepad titled kprm-(date).txt.
  • You may attach that file to your next reply. (not compulsory)


Sincerely.
  • 2 weeks later...

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy Tips to help protect from infection

Thank you
