APurpleNarwhal Posted June 19, 2023 ID:1573266 Share Posted June 19, 2023 I had a scan from Windows Defender last night and it found a threat and blocked it. I chose to do the Remove action on the virus, however looking up about the trojan online has me doubtful that it is actually gone from my computer. I did another full scan with Windows Defender and a Threat Scan with Malwarebytes that came clear today but I'm very worried that the dangerous trojan is still on my System. I can't check if the threat was removed via Windows Defender Protection History as nothing shows up for the history, though I did take a snapshot of the Threat being found. The blocked out section is just my email username. Section reads Attachments\username Voucher. What can I do to guarantee that this virus is gone? Addition.txt FRST.txt TScanMB19-06-23.txt Link to post Share on other sites More sharing options...
Maurice Naggar Posted June 19, 2023 ID:1573369 Share Posted June 19, 2023 Hello @APurpleNarwhal I will guide you along on looking for remaining malware. Lets keep these principles as we go along. Please don't run any other scans, download, install or uninstall any programs while I'm working with you. Only run the tools I guide you to. Do not run online games while case is on-going. Do not do any free-wheeling web-surfing. The removal of malware isn't instantaneous, please be patient. Cracked or or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed, is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure. Please stick with me until I give you the "all clear". If your system is running Discord, please be sure to Exit out of it while this case is on-going. Please set File Explorer to SHOW ALL folders, all files, including Hidden ones. Use OPTION ONE or TWO of this article Please use this Guide What was flagged was in a temporary-type file & was apparently a HTML form from a website. ( we will later run a custom script to empty out all temporary-type files). For the time being, do this special scan. The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted items from a system. This tool does not install. It is run on-demand. This link is for the 64-bit version of MSERT.exe . Be sure you save the file firsthttps://definitionupdates.microsoft.com/download/DefinitionUpdates/safetyscanner/amd64/MSERT.exe Upon completion of the save, Please make sure you Exit out of any other program you might have open so that the sole task is to run the following scan. That goes especially for web browsers, make sure all are fully exited out of and messenger programs are exited and closed as well Launch MSERT.exe Accept the agreement terms of Microsoft Select CUSTOM scan Look on Scan Options & select CUSTOM scan & then select the C drive to be scanned. Then start the scan. Have lots of patience. Once you start the scan & you see it started, then leave it be. Once you see it has started, take a long long break; walk away. Do not pay credence if you see some intermediate early flash messages on screen display. The only things that count are the End result at the end of the run. Again, any on-screen display about repeat 'infection' is not to be relied on. Ignore those. We only rely on the end result that is on the log-report-file. This is likely to run for many hours ( depending on number of files on your machine & the speed of hardware.) The log is named MSERT.log the log will be at Windows\debug\msert.log Please attach that log with your reply It is normal for the Microsoft Safety Scanner to show 'detections' during the scan process on the screen itself. It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection. That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not. Link to post Share on other sites More sharing options...
APurpleNarwhal Posted June 20, 2023 Author ID:1573447 Share Posted June 20, 2023 I've set File Explorer to Show All Folders, downloaded MSERT and ran the custom scan on the C drive with it as the only process. Attached is the MSERT log. Not sure if it matters but I run two drives: a C drive SSD which has the windows stuff, and an E drive HDD which has games and other files. The Show Libraries in the navigation pane was also unchecked before I enabled showing all folders, but I left it as is. msert.log Link to post Share on other sites More sharing options...
Maurice Naggar Posted June 20, 2023 ID:1573511 Share Posted June 20, 2023 Thanks. The MS Safety Scanner found no threats of any sort. This indicates that any old "threats" are no longer present. Results Summary: ---------------- No infection found. Successfully Submitted MAPS Report Successfully Submitted Heartbeat Report Microsoft Safety Scanner Finished On Tue Jun 20 16:51:05 2023 I expect that what you saw on-screen is a old leftover trace of history. For now, let us just do a different scan. This is for a scan with ESET Onlinescanner (free). ESET is a well-respected, well-known entity and tool. This here you can start & once it is under way, you can leave the machine alone & let it run over-night. No need to keep watch once it starts the actual scan run. Next, This will be a check with ESET Onlinescanner for viruses, other malware, adwares, & potentially unwanted applications. Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe It will start a download of "esetonlinescanner.exe" Save the file to your system, such as the Downloads folder, or else to the Desktop. Go to the saved file, and double click it to get it started. When presented with the initial ESET options, click on "Computer Scan". Next, when prompted by Windows, allow it to start by clicking Yes When prompted for scan type, Click on CUSTOM scan and select C drive to be scanned Look at & tick ( select ) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on Start scan button. Have patience. The entire process may take an hour or more. There is an initial update download. There is a progress window display. You may step away from machine &. Let it be. That is, once it is under way, you should leave it running. It will run for several hours. At screen "Detections occurred and resolved" click on blue button "View detected results" On next screen, at lower left, click on blue "Save scan log" View where file is to be saved. Provide a meaningful name for the "File name:" On last screen, set to Off (left) the option for Periodic scanning Click "save and continue" Please attach the report file so I can review Link to post Share on other sites More sharing options...
APurpleNarwhal Posted June 21, 2023 Author ID:1573620 Share Posted June 21, 2023 Did the Eset scan. Everything was already selected in the Custom Scan options (including the C drive) so I left the Custom Scan settings as is, before scanning. Attached is the Eset results. ScanEset21-06-23.txt Link to post Share on other sites More sharing options...
Solution Maurice Naggar Posted June 21, 2023 Solution ID:1573719 Share Posted June 21, 2023 Cleaned files: 2 E:\backup\Documents\HiSuite\backup\HUAWEI P9_2019-12-01 14.30.44\com.nekki.vector.apk a variant of Android/Inmobi.D potentially unsafe application cleaned by deleting E:\gigabyte\Other\Marvell\MSU\Setup.exe Win32/PrcView potentially unsafe application cleaned by deleting NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will reset the Winsock file. It will get selected readouts on some Windows services. It will attempt to clear temporary cache files on web browsers. It will attempt to do scans with Microsoft Defender antivirus. Depending on the speed of your computer this fix may take 50-55 minutes or more. You will see a green scrolling bar when the FRST64 custom script is running, on the FRST64 window. This next job will end all open applications and then do its work. Please read all of this. Close and save any currently open work you may have at this time. The tool FRST64.exe tool is already on this machine on your Desktop folder ( keep that in mind ) Please download the attached fixlist.txt file and save it to folder Desktop Fixlist.txt<-- - - - - NOTE. It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work. NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone. Use File Explorer to go to the DESKTOP folder RIGHT-Click on FRST64 and select RUN as Administrator and reply YES to allow it to go forward to start. That is important so that this run has Elevated Administrator rights !! NEXT press the Fix button just once and wait. If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Downloads folder (Fixlog.txt) . Please attach or post it to your next reply. Note: If the tool warned you about an outdated version please download and run the updated version. The system will be rebooted after the fix has run. Attach FIXLOG.txt with next reply. We will do more, later. Please have much patience. I am a volunteer. I am not on all the time. 1 Link to post Share on other sites More sharing options...
APurpleNarwhal Posted June 22, 2023 Author ID:1573837 Share Posted June 22, 2023 Fixlog.txt Link to post Share on other sites More sharing options...
Maurice Naggar Posted June 22, 2023 ID:1573895 Share Posted June 22, 2023 The custom-run is good. The Windows System File Checker has made some corrections. Windows Resource Protection found corrupt files and successfully repaired them. This last run has completed what was originally intended. The ".shtml" file cited in screen-grab does not exist. The old history of MS Defender was been cleared. Let us now do a manual quick scan. From the Windows Start menu, select Settings, then select Update and Security. Next, look at the left-side menu & select Windows Security Next, In Windows Security section: Click on the grey button Open Windows Security Now, click on the shield Virus and threat protection Look to see that Microsoft Defender is shown & available for use. On the next display, look at all the options. Look down the list and see "Check for Updates" . You should click on that to have the system check for updates for Windows Defender. Watch & wait for that to complete. Please also note that the Scan options (all) can be displayed by clicking on Scan options. Click on "Quick scan". Once it has started the scan phase, you can go take a break. Let me know the results. Link to post Share on other sites More sharing options...
APurpleNarwhal Posted June 22, 2023 Author ID:1573899 Share Posted June 22, 2023 I've gone to the Virus and Threat Protection location but it's got Malwarebytes shown instead of Microsoft Defender. How should I proceed? Link to post Share on other sites More sharing options...
Maurice Naggar Posted June 22, 2023 ID:1573908 Share Posted June 22, 2023 You just need to adjust Malwarebytes setting. Start Malwarebytes. Click Settings ( gear ) icon. Next, lets make real sure that Malwarebytes does NOT register with Windows Security Center Click the Security Tab. Scroll down to "Windows Security Center" Click the selection to the left for the line "Always register Malwarebytes in the Windows Security Center". { We want that to be set as Off .... be sure that line's radio-button selection is all the way to the Left. thanks. } This will not affect any real-time protection of the Malwarebytes for Windows 😃. Close Malwarebytes. > Then go about running the MS Defender scan, Link to post Share on other sites More sharing options...
APurpleNarwhal Posted June 22, 2023 Author ID:1573912 Share Posted June 22, 2023 Thanks for that. The quick scan from Microsoft Defender came clean. As an aside, how likely was it that the threat was not a false alarm and managed to steal data from my computer? This has been worrying me for a bit, but maybe I'm overthinking things. Link to post Share on other sites More sharing options...
Maurice Naggar Posted June 22, 2023 ID:1573925 Share Posted June 22, 2023 First, recall that the MS Defender message display from the 18th did show status removed While granted the MS Defender is super picky, there is no basis for surmising that the flagging was a false positive. You are over-thinking it. 2 suggestions here. The first is for housecleaning of temporary files.( 1 ) Open an elevated Command-prompt window i.e. run Command Prompt as an administrator . On the Taskbar Search box, type incmd.exe click the line for "run as administrator" On that Command-prompt, Copy & Paste this commandcleanmgr.exe press Enter-key on keyboard and watch & write down the result on the tab "Disk Cleanup" then on the scrollable window marked "Files to Delete" be sure to UN-tick the box on the line "Downloaded Program files" DO tick the check boxes on these lines: Windows Update Cleanup Windows upgrade log files Temporary Internet Files Recycle Bin Temporary files Any other lines you can un-tick. The 5 lines selected above should account for a sizable amount of space that can be freed-up. then click OK to proceed you will get a "Are you sure" prompt click on "Delete Files" button It will show a progress window. When it finished, it will auto-close its window. ( 2 ) If it helps you to allay your concerns, you can consider to change all passwords for all your accounts. see this post https://forums.malwarebytes.com/topic/284814-are-your-passwords-in-the-green/ Link to post Share on other sites More sharing options...
APurpleNarwhal Posted June 23, 2023 Author ID:1573979 Share Posted June 23, 2023 I was worried as the trojan file seemed to be an email attachment from an email I received two months ago. I don't recall opening the attachment at all, however it ended up still being on my PC. The real-time protection from my antivirus apps didn't detect anything for over the two months, up until I manually full scanned last Sunday. My previous manual scan was a long while ago, so I fear it may potentially have stuck around on my PC for up to two months. To be safe, I'll change my passwords anyways. Probably a good habit to do it every so often, along with the scans. When I wrote the cleanmgr.exe line and pressed Enter, the result was Disk Cleanup being opened. I didn't observe anything else occuring. For the Disk Cleanup, I couldn't find a line for the Windows upgrade log files, so I checked off the four that I could see. If I'm not mistaken, it looks like everything is all good for my PC. Thanks for helping guide me and repairing my PC, Maurice. I appreciate the assistance immensely. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted June 23, 2023 Root Admin ID:1573984 Share Posted June 23, 2023 Up to @Maurice Naggar but we can clean up some other items that are not malware but not really needed by the system if you want. As for changing password, do not change any from this PC until Maurice gives you the all clear sign. Cheers @APurpleNarwhal Link to post Share on other sites More sharing options...
APurpleNarwhal Posted June 23, 2023 Author ID:1573985 Share Posted June 23, 2023 Alright, I'll hold off from doing anything until then. Link to post Share on other sites More sharing options...
Maurice Naggar Posted June 23, 2023 ID:1574114 Share Posted June 23, 2023 @APurpleNarwhal You mentioned you did run Cleanmgr for as many options that you saw. Alright. We are nearly near the end. 1. Just do a new scan with Malwarebytes. ( 2 ) Temporarily disable Microsoft SmartScreen to download the next software below I would recommend getting a readout report as to update status of some key apps. Download SecurityCheck by glax24 from here and save the tool on the desktop. If Windows's SmartScreen block that with a message-window, then Click on the MORE INFO spot and over-ride that and allow it to proceed. This tool is safe. Smartscreen is overly sensitive. Right-click with your mouse on the Securitycheck.exe and select "Run as administrator" and reply YES to allow to run & go forward Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file. Attach it with your next reply. You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt When all done, you may go back to turn ON the EDGE Smartscreen protection. Link to post Share on other sites More sharing options...
APurpleNarwhal Posted June 24, 2023 Author ID:1574256 Share Posted June 24, 2023 Did the Malwarebytes full scan and SecurityCheck. Here are the logs: ScanMB24-06-23.txt SecurityCheck.txt Link to post Share on other sites More sharing options...
Maurice Naggar Posted June 24, 2023 ID:1574312 Share Posted June 24, 2023 Per SecurityCheck these application programs need your attention. Microsoft Visual Studio Code (User) v.1.77.3 Warning! Download Update Discord v.1.0.9010 Warning! Download Update Microsoft Teams v.1.5.00.30767 Warning! Download Update Zoom v.5.14.8 (16213) Warning! Download Update Razer Cortex v.10.7.7.0 Warning! Computer experts no longer recommend this program. The Malwarebytes scan is very good. We can proceed to wrap-up this case. Let's go ahead and do some clean-up work and remove the tools and logs we've run.Please download KpRm by kernel-panik and save it to your desktop. right-click kprm_2-14.exe and select Run as Administrator. Read and accept the disclaimer. When the tool opens, ensure all boxes under Actions are checked. Under Delete Quarantines select Delete Now, then click Run. Once complete, click OK. A log will open in Notepad titled kprm-(date).txt. You may attach that file to your next reply. (not compulsory) Delete mb-support-1.8.7.918.exe Delete mbst-grab-results.zip on the Desktop. Sincerely. Link to post Share on other sites More sharing options...
APurpleNarwhal Posted June 25, 2023 Author ID:1574331 Share Posted June 25, 2023 Updated and deleted apps, ran KpRm and attached log. Couldn't find mb-support and mbst files on Desktop so I'm assuming they're already gone. kprm-20230625122323.txt Link to post Share on other sites More sharing options...
Maurice Naggar Posted June 25, 2023 ID:1574375 Share Posted June 25, 2023 The run is fine. This Windows system is good-to-go. All clear. Consider using PatchMyPC, keep all your software up-to-date - https://patchmypc.com/home-updater#download Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware. SAFETY TIPS: Backup is your best friend. Keep backups of your system on a regular basis to offline storage & keep those safe. https://forums.malwarebytes.com/topic/136226-backup-software/ It is not enough to just have a security program installed. Each pc user needs to practice daily safe computer and internet use. Best practices & malware prevention: Follow best practices when browsing the Internet, especially on opening links coming from untrusted sources. First rule of internet safety: slow down & think before you "click". Never click links without first hovering your mouse over the link and seeing if it is going to an odd address ( one that does not fit or is odd looking or has typos). Free games & free programs are like "candy". We do not accept them from "strangers". Never open attachments that come with unexpected ( out of the blue ) email no matter how enticing. Never open attachments from the email itself. Do not double click in the email. Always Save first and then scan with antivirus program. Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed. Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next". Use a Standard user account rather than an administrator-rights account when "surfing" the web. See more info on Corrine's SecurityGarden Blog http://securitygarden.blogspot.com/p/blog-page_7.html Only using the Standard-access-level user account when surfing and downloading / installing would have been a tremendous way to prevent the infections of this machine. Don't remove ( or change ) your current login. Just use the new Standard-user-level one for everyday use while on the internet. Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware. For other added tips, read "10 easy ways to prevent malware infection" Stay safe. 1 Link to post Share on other sites More sharing options...
Maurice Naggar Posted June 25, 2023 ID:1574376 Share Posted June 25, 2023 Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Please review the following to help you better protect your computer and privacy Tips to help protect from infection Thank you 1 Link to post Share on other sites More sharing options...
Recommended Posts