Accidentally opened an .scr file

[mutasim]

Hi,

Help please, I just opened an .scr file that I am now worried that it contained a virus. How can I check that it hasn’t installed something unwanted on my PC?

Thank you in advance.

[mutasim]

I have read similar thread and did some steps FRST.txtAdwCleaner[C00].txtAddition.txtMalwarebytes.txt

[Maurice Naggar]

Hello  

I will guide you along on looking for remaining malware. Lets keep these principles as we go along.

• Removing malware can be unpredictable
• Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
• Only run the tools I guide you to.
• Do not run online games while case is on-going. Do not do any free-wheeling web-surfing.
• The removal of malware isn't instantaneous, please be patient.
• Cracked or or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed, is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
• Please stick with me until I give you the "all clear".
• If your system is running Discord, please be sure to Exit out of it while this case is on-going.

Please set File Explorer to SHOW ALL folders, all files, including Hidden ones. Use OPTION ONE or TWO of this article
Please use this Guide

(   2   )

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted items from a system. This tool does not install. It is run on-demand.

This link is for the 64-bit version of MSERT.exe . Be sure you save the file first
https://definitionupdates.microsoft.com/download/DefinitionUpdates/safetyscanner/amd64/MSERT.exe

Upon completion of the save, Please make sure you Exit out of any other program you might have open so that the sole task is to run the following scan.
That goes especially for web browsers, make sure all are fully exited out of and messenger programs are exited and closed as well

Launch MSERT.exe
Accept the agreement terms of Microsoft
Select CUSTOM scan
Look on Scan Options & select CUSTOM scan & then select the C drive to be scanned.

Then start the scan. Have lots of patience. Once you start the scan & you see it started, then leave it be.

Once you see it has started, take a long long break; walk away. Do not pay credence if you see some intermediate early flash messages on screen display. The only things that count are the End result at the end of the run.
Again, any on-screen display about repeat 'infection' is not to be relied on. Ignore those.
We only rely on the end result that is on the log-report-file.

This is likely to run for many hours ( depending on number of files on your machine & the speed of hardware.)

The log is named MSERT.log

the log will be at

Windows\debug\msert.log
Please attach that log with your reply

It is normal for the Microsoft Safety Scanner to show 'detections' during the scan process on the screen itself.

It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.

Just a note. The Malwarebytes has removed several riskwares & many P U P. We will be doing, later on, several other scans & checks. Have lots of patience. There is much more to do.

Edited July 14 by Maurice Naggar

[mutasim]

 

hi thx for replay i added msert.log msert.log

[Maurice Naggar]

Scan Results:
-------------
Threat Detected: Trojan:VBS/Miner and Removed!
  Action: Remove, Result: 0x00000000
    file://C:\Users\omar sh\AppData\Roaming\libraries\vcruntime140dd.dll
        SigSeq: 0x00002667A09A97EC

Results Summary:
----------------
Found Trojan:VBS/Miner and Removed!

As a next step, I suggest the following:
This is for a scan with ESET Onlinescanner (free). ESET is a well-respected, well-known entity and tool. ESET Onlinescanner checks for viruses, other malware, adwares, & potentially unwanted applications.
This here you can start & once it is under way, you can leave the machine alone & let it run over-night. No need to keep watch once it starts the actual scan run.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

It will start a download of "esetonlinescanner.exe"

• Save the file to your system, such as the Downloads folder, or else to the Desktop.
• Go to the saved file, and double click it to get it started.

 

• When presented with the initial ESET options, click on "Computer Scan".
• Next, when prompted by Windows, allow it to start by clicking Yes
• When prompted for scan type, Click on CUSTOM scan  and select C drive to be scanned
• Look at & tick ( select ) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"
• and click on Start scan button.

Have patience. The entire process may take an hour or more. There is an initial update download.
There is a progress window display. You may step away from machine &. Let it be. That is, once it is under way, you should leave it running. It will run for several hours.

• At screen "Detections occurred and resolved" click on blue button "View detected results"
• On next screen, at lower left, click on blue "Save scan log"
• View where file is to be saved. Provide a meaningful name for the "File name:"
• On last screen, set to Off (left) the option for Periodic scanning
• Click "save and continue"
• Please attach the report file so I can review

[mutasim]

this is it

eset scan log.txt

[Maurice Naggar]

Now a different scan with another security scanner. 

This with Kaspersky KVRT tool.

Download Kaspersky Virus Removal Tool (KVRT) from here: https://www.kaspersky.com/downloads/thank-you/free-virus-removal-tool and save to your Desktop.

Next, Select the Windows Key and R Key together, the "Run" box should open.



Drag and Drop KVRT.exe into the Run Box.



C:\Users\omar sh\DESKTOP\KVRT.exe will now show in the run box.



add

-dontencrypt

Note the space between KVRT.exe and -dontencrypt

C:\Users\omar sh\DESKTOP\KVRT.exe -dontencrypt 

should now show in the Run box.



That addendum to the run command is very important.


To start the scan select OK in the "Run" box.



The Windows Protected your PC window "may" open, IF SO then select "More Info"



A new Window will open, select "Run anyway"



A EULA window will open, tick both confirmation boxes then select "Accept"



In the new window select "Change Parameters"

 

• In the new window ensure the following boxes are ticked:
  • System memory
  • Startup objects
  • Boot sectors
  • System drive

• Then select "OK" and „Start scan“.

The Kaspersky tool is very thorough so will take a considerable time to complete, please allow it to finish. Also while Kaspersky runs do not use your PC for anything else..

• completed: If entries are found, there will be options to choose. If "Cure" is offered, leave as it is. For any other options change to "Delete", then select "Continue".
• Usually, your system needs a reboot to finish the removal process.
• Logfiles can be found on your systemdrive (usually C: ), similar like this:

Reports are saved here C:\KVRT_data\Reports and look similar to this report_20230716_203000.klr

• Right click direct onto those reports, select > open with > Notepad.
• Save the files and attach them with your next reply

[mutasim]

okay i add it 

 

 

<Report>
    <Metadata Version="1" PCID="{4E95A124-6E66-4F50-C6D0-498BE7138E4A}" LastModification="2023.07.16 20:38:32.419" />
    <EventBlocks>
        <Block0 Type="Scan" Processed="1812186" Found="1" Neutralized="0">
            <Event0 Action="Scan" Time="133339958109633669" Object="" Info="Started" />
            <Event1 Action="Detect" Time="133339992950241183" Object="C:\Windows\SysWOW64\msnetf32.Vexe" Info="HEUR:Trojan.Win32.StrongPity.gen" />
            <Event2 Action="Scan" Time="133339995305740043" Object="" Info="Finished" />
            <Event3 Action="Select action" Time="133340027028645458" Object="C:\Windows\SysWOW64\msnetf32.Vexe" Info="Delete" />
            <Event4 Action="Disinfection" Time="133340027028655457" Object="" Info="Started" />
            <Event5 Action="Quarantined" Time="133340027028685441" Object="C:\Windows\SysWOW64\msnetf32.Vexe" Info="" />
            <Event6 Action="Cure failed" Time="133340027028685441" Object="C:\Windows\SysWOW64\msnetf32.Vexe" Info="" />
            <Event7 Action="Disinfection" Time="133340027031235661" Object="" Info="Finished" />
        </Block0>
    </EventBlocks>
</Report>
 

[Maurice Naggar]

Hello. @mutasim Here are the next actions.
Please set File Explorer to SHOW ALL folders, all files, including Hidden ones. Use OPTION ONE or TWO of this article
Please use this Guide

(  2  )

Start Malwarebytes. Click Settings ( gear ) icon. Next, lets make real sure that Malwarebytes does NOT register with Windows Security Center

Click the Security Tab. Scroll down to

"Windows Security Center"

Click the selection to the left  for the line "Always register Malwarebytes in the Windows Security Center".
{ We want that to be set as Off   .... be sure that line's  radio-button selection is all the way to the Left.  thanks. }

This will not affect any real-time protection of the Malwarebytes for Windows    😃.

Close Malwarebytes.

(  3  )

My understand English and I need to have the next reports to show English-language remarks when I next see them. Please do this for me.
Open Windows File Explorer
go to the folder C:\Users\omar sh\Downloads\Programs

Look for the file named FRST64.exe
and do a RIGHT-click on it and select "Rename"
and then renamed it to

FRSTENGLISH.exe

tap Enter-key and reply YES to allow it to apply that action.

(  4  )

Please run the following custom script. Read all of this before you start. This is intended to check integrity and to do some housekeeping. We will do more checks after this run.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files.  It will attempt to run some scans with Microsoft Defender antivirus. It will attempt to clear Cache files of web browsers.  It will attempt to clear temporary file areas. It will remove the file flagged by Kaspersky scan. Depending on the speed of your computer this fix may take 50-55 minutes or more. This run is like a housekeeping run and a mini tune-up.

Please Close all open work before you actually do begin this run.

Farbar  FRSTENGLISH program location:   C:\Users\omar sh\Downloads\Programs folder. The tool is already on system. That is what we will use.

Please download the attached fixlist.txt file and save it to C:\Users\omar sh\Downloads\Programs

Fixlist.txt <- < - - - -

NOTE. It's important that both files, FRSTENGLISH, and fixlist.txt are in the same location or the fix will not work.

With File Explorer go to folder  C:\Users\omar sh\Downloads\Programs folder

Right-click with your mouse on  FRSTENGLISH and select "Run as Administraor" and reply Yes and allow it to proceed when prompted. That is important.

next, press the Fix button just once and wait.

You will see a green-color scroll display while FRST is running.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the C:\Users\omar sh\Downloads\Programs folder (Fixlog.txt) . Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

The system will be rebooted after the fix has run. Attach FIXLOG.txt with next reply from C:\Users\omar sh\Downloads\Programs

NOTICE: For potential outside readers,  This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause harm.

Edited July 17 by Maurice Naggar

[mutasim]

okay Fixlog.txt

[Maurice Naggar]

The custom-run is good. The Windows System File Checker has made some corrections.

Windows Resource Protection found corrupt files and successfully repaired them.

This last run has completed what was originally intended. 

[ Do a custom scan with Microsoft Defender Antivirus ]

Just want to do a visual check in Windows Security to see (visually) that Microsoft Defender is on , and to do a Custom scan.

From the Windows Start menu, select Settings, then select Update and Security.

Next, look at the left-side menu & select Windows Security

Next, In Windows Security section: Click on the grey button Open Windows Security

Now, click on the shield Virus and threat protection

Look to see that Microsoft Defender is shown & available for use.

On the next display, look at all the options.  Look down the list and see "Check for Updates" .

You should click on that to have the system check for updates for Windows Defender.  Watch & wait for that to complete.

Please also note that the Scan options (all) can be displayed by clicking on Scan options.   Click that & select CUSTOM scan & then pick the C drive  & have it go forward.

Once it has started the scan phase, you can go take a long break.   Let me know the results.

[mutasim]

He found one thing and removed it

Program:Win32/Wacapew.C!ml

file: C:\Program Files\Syrian Warfare\bin\steam_api.dll

[Maurice Naggar]

Hello. Thank you for that run & the information.

One other scan here.

TrendMicro HouseCall scan
from this Link

First, Download & Save to your Downloads folder the appropriate HouseCallLauncher
Once the download is complete, go to where the Housecalllauncher is saved & double-click it to start it.

The program will check with TrendMicro & do a update run.

Next it will show the Disclosure window.

Click Next to proceed.

The end user license agreement is presented.   Click the Accept radio button & click Next to proceed.

I suggest a CUSTOM scan on C drive.

IF you wish a Full scan or a Custom scan, first click on the Settings

then you can select which drives you want to include in the scan.

The default is a Quick scan.

Click Scan now when ready.

The scan progress will then be displayed.   Monitor the progress or just leave it alone until it finishes this phase.

When the scan phase has completed, if any items are tagged, you will see a list, showing  the file & its location, the classification of the threat, the type, risk, and Action option.

If you see an item that you know is safe, you can click the Action  , and select Ignore.

When all done & ready, click the Fix now button.

[mutasim]

okay, its not find anything 

[Maurice Naggar]

Has the TrendMicro Housecall scan fully completed ?  Please advise and confirm. 

I would recommend getting  readout reports as to update status of some key apps.
Temporarily disable Microsoft SmartScreen to download the next software below 

Download SecurityCheck by glax24 from here

and save the tool on the desktop.

                   If Windows's  SmartScreen block that with a message-window, then

                         Click on the MORE INFO spot and over-ride that and allow it to proceed.

                             This tool is safe.   Smartscreen is overly sensitive.

Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"   and reply YES to allow to run & go forward

Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file.  Attach it with your next reply.

You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

Next,

Download   Farbar's Service Scanner utility

and Save to your Desktop.

Right-Click on fss.exe and select Run As Administrator.

Answer Yes to ok when prompted.

If your firewall then puts out a prompt, again, allow it to run.

Once FSS is on-screen, be sure the following items are check-marked:

• Internet Services
• Windows Firewall
• System Restore
• Security Center/Action Center
• Windows Update
• Windows Defender
• Other services

  

Click on "Scan".

It will create a log (FSS.txt) in the same directory the tool is run.   Please attach that file.

When all done, you may go back to turn ON the EDGE Smartscreen protection.

Sincerely. Thank you. 😃

[mutasim]

Yes fully completed 

SecurityCheck.txt FSS.txt

[Maurice Naggar]

The SecurityCheck has highlighted these apps, addons, programs for your action.
Notepad++ (64-bit x64) v.7.4.1 Warning! Download Update

ASUS Live Update v.3.6.8 Warning! Your Windows may have been compromised. Please download diagnostic tool.

7-Zip 16.04 (x64) v.16.04 Warning! This software is no longer supported. Uninstall old version, download and install new one.

WinRAR 5.50 (64-bit) v.5.50.0 Warning! Download Update
7-Zip 23.00 (x64 edition) v.23.00.00.0 Warning! Download Update
Uninstall old version and install new one.

WhatsApp v.0.3.2848 Warning! Download Update

Zoom v.5.13.3 (11494) Warning! Download Update

qBittorrent 4.1.5 v.4.1.5 Warning! Download Update

VLC media player v.3.0.1 Warning! Download Update

Spotify v.1.0.98.78.gb45d2a6b Warning! Download Update

K-Lite Codec Pack 9.6.0 (Basic) v.9.6.0 Warning! Download Update

QuickTime 7 v.7.79.80.95 Warning! This software is no longer supported. Please uninstall it and use another software.

Adobe Flash Player is a old old ancient technology. It is very risky now !!
Adobe Flash Player 24 NPAPI v.24.0.0.194 Warning! This software is no longer supported. Please uninstall it.

Adobe Flash Player 32 PPAPI v.32.0.0.156 Warning! This software is no longer supported. Please uninstall it.
 
Mozilla Firefox 72.0.2 (x64 ar) v.72.0.2 Warning! Download Update

Vivaldi v.2.2.1388.37 Warning! Download Update

---------------------------- [ UnwantedApps ] -----------------------------
VdhCoApp 1.6.3 Warning! Application is distributed through the partnership programs and bundle assemblies. Uninstallation recommended. 

UC Browser v.7.0.185.1002 --IF you did not knowlingly & willfully add this, then Uninstall it.

[mutasim]

okay thx for help

 

[Maurice Naggar]

You are very welcome. I am glad to have worked with you.

We can proceed with cleanup of tools we used.

To remove the FRST64 tool & its work files, do this. Go to your Downloads folder. Do a RIGHT-click on FRSTENGLISH.exe & select

RENAME

& then change it to

UNINSTALL.exe

.
Then run that ( double click on it) to begin the cleanup process.

Delete Securitycheck.exe
Delete Fss.exe
Delete Esetonlinescanner.exe
Delete msert.exe

Delete KVRT.exe

Delete HouseCallLauncher

Adwcleaner you may keep and use as needed.
Any other download file I had you download, you may delete.
Consider using PatchMyPC, keep all your software up-to-date - https://patchmypc.com/home-updater#download

Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

I am marking this case for closure.
I wish you all the best. Stay safe.
Sincerely.

Maurice

Edited July 28 by Maurice Naggar

[Maurice Naggar]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy Tips to help protect from infection

Thank you