Sam1912 Posted September 8, 2023

Hello, I recently deleted a virus called leaj.exe on my PC. It seems like it's erased; at least Malwarebytes wasn't able to find a thing on my PC, so I think it's completely deleted. But somehow, when I turn on my PC, it opens a lot of Windows File Explorer windows at this location: C:\Users\Sam\AppData\Local\Temp\chrome_url_fetcher_8780_753111255 and opens all those chrome url folders that are created in Temp. The thing is, I delete them, and when I turn off my PC I make sure there aren't any of them in the Temp folder, and when I turn it on they all appear. I only have Brave and Microsoft Edge installed; I never use Google Chrome, so I don't get it, and I'm not sure why they all open when I turn on my PC. Plus it also opens a txt file called mbsetup, yes, like the installer for Malwarebytes, and it seems to list all my programs and open stuff on a USB I have connected. The thing is, the folders it says it is trying to open don't exist on my USB. Help please.

Porthos Posted September 8, 2023

@Sam1912 While you are waiting for the next qualified/approved malware removal expert helper to take on your case, even though you may have run the following Malwarebytes utility or its subsets, please carefully follow these instructions:

Do not try any other cleaning of any kind after running the support tool. Use the computer as little as possible, or even better don't use it at all except to check this topic and follow the instructions given.

First, restart the computer. Then do the following after restart.

WARNING: Do Not click the Repair System under Advanced unless requested by a Malwarebytes support agent or authorized helper.

- Download the Malwarebytes Support Tool.
- In your Downloads folder, open the mb-support-x.x.x.xxx.exe file.
- In the User Account Control (UAC) pop-up window, click Yes to continue the installation.
- Run the MBST Support Tool.
- In the left navigation pane of the Malwarebytes Support Tool, click Advanced.
- In the Advanced Options, click only Gather Logs. A status diagram displays the tool is Getting logs from your computer.
- A zip file named mbst-grab-results.zip will be saved to the Public desktop, please attach that file in your next reply to this topic. Please do NOT copy and paste.

For the short time between when you post the diagnostic logs, and when your helper weighs in, please take no further self-directed remedial actions that will invalidate the diagnostic logs you will have sent.

Thank you.

Maurice Naggar Posted September 8, 2023

Hello @Sam1912

My name is Maurice. I will guide you. Let's keep these principles as we go along.

- Please attach the ZIP report cited above by my colleague Porthos.
- Removing pesky malware can be an involved set of tasks over separate runs. Have much patience.
- Follow my directions. Please don't run any other scans, download, install or uninstall any programs while I'm working with you. Only run the tools I guide you to.
- Do not run online games while the case is on-going. Do not do any free-wheeling web-surfing.
- The removal of malware isn't instantaneous, please be patient.
- Cracked or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also a big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
- Please stick with me until I give you the "all clear".
- If your system is running Discord, please be sure to Exit out of it while this case is on-going.

Do these 2 steps so that ALL folders & Files are set to SHOW, plus also, Turn OFF Windows Fast start.

Show-Hidden-Folders-Files-Extensions
https://forums.malwarebytes.com/topic/299345-show-hidden-folders-files-extensions/

Disable-Fast-Startup
https://forums.malwarebytes.com/topic/299350-disable-fast-startup/

After you have submitted mbst-grab-results.zip:

Let's do one scan with Malwarebytes Adwcleaner to check for adwares. Just before pressing that "scan" button, be sure that Chrome & Edge, or other web browsers, are Closed. It will not take much time.

- First download & save it: guide & download link
- Then be sure to close all web browsers after the download & before launching the tool.
- Then go to where the EXE file is saved. Start Adwcleaner.
- Then do a scan with Adwcleaner: Guide article
- Attach the clean log from Adwcleaner when all completed.

Sam1912 (Author) Posted September 8, 2023

Hello again @Maurice Naggar and @Porthos, I did everything you told me to do. I did an Adwcleaner scan and it found nothing after 2 scans, so I will attach the file that was requested and wait for your response. Thanks in advance.

Attachment: mbst-grab-results.zip

Sam1912 (Author) Posted September 8, 2023

Hello again @Maurice Naggar and @Porthos, I did everything you told me to do. I did an Adwcleaner scan and it found nothing after 2 scans, so I will attach the file that was requested and wait for your response. Thanks in advance.

Attachments: AdwCleaner[S00].txt AdwCleaner[S01].txt AdwCleaner[S02].txt

Sam1912 (Author) Posted September 8, 2023

So sorry for the two same messages, I forgot to attach the Adwcleaner logs :D

Maurice Naggar Posted September 8, 2023

Thanks. I am guiding you. The Malwarebytes program is present and installed.

- Start Malwarebytes.
- Next, click the small x on the Settings line to go to the main Malwarebytes Window.
- Next click the blue button marked Scan.
- When the scan phase is done, be real sure you Review and have all detected line items check-marked on each line on the left. That too is very critical.

>>>>>> 👉 You can actually click the topmost left check-box on the very top line to get ALL lines ticked (all selected). <<<<

💢 Please double verify you have that TOP check-box tick marked, and that then, all lines have a tick-mark.

- Then click on the Quarantine button.
- Then, locate the Scan run report; export out a copy; & then attach it with your reply. See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

There is much more even after this.

Sam1912 (Author) Posted September 8, 2023

Okay, thanks for your fast response. I've done the scan, put everything detected in quarantine and deleted everything. Now I am attaching the log from the scan.

Attachment: MBscanlog.txt

Maurice Naggar Posted September 8, 2023

That is very helpful. We will do more scans, later.

As a next step, I suggest the following: This is for a scan with ESET Onlinescanner (free). ESET is a well-respected, well-known entity and tool. ESET Onlinescanner checks for viruses, other malware, adwares, & potentially unwanted applications.

This one you can start & once it is under way, you can leave the machine alone & let it run over-night. No need to keep watch once it starts the actual scan run.

- Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe
- It will start a download of "esetonlinescanner.exe"
- Save the file to your system, such as the Downloads folder, or else to the Desktop.
- Go to the saved file, and double click it to get it started.
- When presented with the initial ESET options, click on "Computer Scan".
- Next, when prompted by Windows, allow it to start by clicking Yes
- When prompted for scan type, click on CUSTOM scan and select C drive to be scanned
- Look at & tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.

Have patience. The entire process may take an hour or more. There is an initial update download. There is a progress window display. You may step away from the machine & let it be. That is, once it is under way, you should leave it running. It will run for several hours.

- At screen "Detections occurred and resolved" click on blue button "View detected results"
- On next screen, at lower left, click on blue "Save scan log"
- View where the file is to be saved. Provide a meaningful name for the "File name:"
- On last screen, set to Off (left) the option for Periodic scanning
- Click "save and continue"

Please attach the report file so I can review.

Sam1912 (Author) Posted September 9, 2023

Hello again Mr Maurice, yesterday the scan took about 3 hours to complete. I was busy doing some stuff, so I decided to send it out today in case you were sleeping; hope it wasn't any problem. Today I turned on my PC and it only opened every single log from the Temp folder, plus it seems the chrome_url_fetcher folders are created by Brave, so the only thing my PC does now is that it basically opens every folder in the Temp folder and every .txt file. I will attach the ESET scan log and all the txt files that it opened. Thanks in advance.

Attachments: Esetscan.txt log.txt mbst-clean-results.txt mbst-stub-results.txt Service mb_errors999.log Service mbamiservice.log StructuredQuery.log cv_debug.log

Maurice Naggar Posted September 9, 2023

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted items from a system. This tool does not install. It is run on-demand.

This link is for the 64-bit version of MSERT.exe. Be sure you save the file first.
https://definitionupdates.microsoft.com/download/DefinitionUpdates/safetyscanner/amd64/MSERT.exe

Upon completion of the save, please make sure you Exit out of any other program you might have open so that the sole task is to run the following scan. That goes especially for web browsers, make sure all are fully exited out of and messenger programs are exited and closed as well.

- Launch MSERT.exe
- Accept the agreement terms of Microsoft
- Select CUSTOM scan
- Look on Scan Options & select CUSTOM scan & then select the C drive to be scanned.
- Then start the scan.

Have lots of patience. Once you start the scan & you see it started, then leave it be. Once you see it has started, take a long long break; walk away.

Do not pay credence if you see some intermediate early flash messages on screen display. The only things that count are the End result at the end of the run. Again, any on-screen display about repeat 'infection' is not to be relied on. Ignore those. We only rely on the end result that is on the log-report-file.

This is likely to run for many hours (depending on number of files on your machine & the speed of hardware.)

The log is named MSERT.log. The log will be at Windows\debug\msert.log. Please attach that log with your reply.

It is normal for the Microsoft Safety Scanner to show 'detections' during the scan process on the screen itself. It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection. That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.

Sam1912 (Author) Posted September 10, 2023

Hi once more Mr @Maurice Naggar, I did the requested scan and I will attach the result to this post. Thanks in advance.

Attachment: msert.log

Maurice Naggar Posted September 10, 2023 (edited)

The MS Safety Scanner found & removed several threats.

Found HackTool:Win32/crack and Removed!
Found VirTool:Win32/DefenderTamperingRestore and Removed!

(Edited September 10, 2023 by Maurice Naggar: amended)

Maurice Naggar Posted September 10, 2023

Sophos Scan & Clean

Download Sophos Free Virus Removal Tool and save it to your desktop.

If your security alerts to this scan, either accept the alert or turn off your security to allow Sophos to run and complete.

Please close all other open applications and Do Not use your PC whilst the scan is in progress. This scan is very thorough so it may take several hours to complete, please be patient.

- Double click the icon and select Run
- Click Next
- Select I accept the terms in this license agreement, then click Next twice
- Click Install
- Click Finish to launch the program
- Once the virus database has been updated click Start Scanning
- If any threats are found click Details, then View log file... (bottom left hand corner)
- Attach the results in your next reply
- Close the Notepad document, close the Threat Details screen, then click Start cleanup
- Click Exit to close the program
- If no threats were found please confirm that result

The Virus Removal Tool scans the following areas of your computer:

- Memory, including system memory on 32-bit (x86) versions of Windows
- The Windows registry
- All local hard drives, fixed and removable
- Mapped network drives are not scanned.

Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

Saved logs are found under this sub-folder: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs

Please attach that log on your next reply.

Thank you

Sam1912 (Author) Posted September 10, 2023

I'm more than glad to hear that some threats were removed, thanks @Maurice Naggar for your help. However, I was trying to download Sophos Free Virus Removal Tool but I can't; the email for the further validation required to download the tool never arrives.

Maurice Naggar Posted September 10, 2023

You ought to check the Junk or Spam folders of your email account. Anyhow, we can skip the Sophos, and use another scanner.

One other scan here. TrendMicro HouseCall scan from this Link

- First, Download & Save to your Downloads folder the appropriate HouseCallLauncher
- Once the download is complete, go to where the Housecalllauncher is saved & double-click it to start it.
- The program will check with TrendMicro & do an update run.
- Next it will show the Disclosure window. Click Next to proceed.
- The end user license agreement is presented. Click the Accept radio button & click Next to proceed.
- I suggest a CUSTOM scan on C drive. IF you wish a Full scan or a Custom scan, first click on the Settings, then you can select which drives you want to include in the scan. The default is a Quick scan.
- Click Scan now when ready.
- The scan progress will then be displayed. Monitor the progress or just leave it alone until it finishes this phase.
- When the scan phase has completed, if any items are tagged, you will see a list, showing the file & its location, the classification of the threat, the type, risk, and Action option.
- If you see an item that you know is safe, you can click the Action, and select Ignore.
- When all done & ready, click the Fix now button.

The "Summary" at the end at "Review Results" is what matters.

Sam1912 (Author) Posted September 12, 2023

Hello Mr @Maurice Naggar, I did the scan and it took more than 300 minutes. At the end, the summary said that there weren't any infected files. I don't know if there's some log you may need; if there is, please tell me the location of the file and I will get it. Thanks once more.

Maurice Naggar Posted September 12, 2023

Very glad to read that TrendMicro Housecall reported no threats. That is re-assuring.

Now a different scan with another security scanner. You should first Close as many of your open-user app-screens as possible. That is to say, Exit all that you do not need to have open.

This is with the Kaspersky KVRT tool.

- Download Kaspersky Virus Removal Tool (KVRT) from here: https://www.kaspersky.com/downloads/thank-you/free-virus-removal-tool and save to your Desktop.
- Next, select the Windows Key and R Key together; the "Run" box should open.
- Drag and Drop KVRT.exe into the Run Box.
- C:\Users\Sam\DESKTOP\KVRT.exe will now show in the run box.
- Add -dontencrypt. Note the space between KVRT.exe and -dontencrypt
- C:\Users\Sam\DESKTOP\KVRT.exe -dontencrypt should now show in the Run box.

That addendum to the run command is very important.

- To start the scan select OK in the "Run" box.
- The Windows Protected your PC window "may" open, IF SO then select "More Info"
- A new Window will open, select "Run anyway"
- A EULA window will open, tick both confirmation boxes then select "Accept"
- In the new window select "Change Parameters"
- In the new window ensure the following boxes are ticked: System memory, Startup objects, Boot sectors, System drive
- Then select "OK" and "Start scan".

The Kaspersky tool is very thorough so will take a considerable time to complete, please allow it to finish. Also while Kaspersky runs do not use your PC for anything else.

Completed: If entries are found, there will be options to choose. If "Cure" is offered, leave as it is. For any other options change to "Delete", then select "Continue". Usually, your system needs a reboot to finish the removal process.

Logfiles can be found on your system drive (usually C:), similar to this: Reports are saved here C:\KVRT2020_Data\Reports and look similar to this: report_20230913_203000.klr

Right click directly onto those reports, select > open with > Notepad. Save the files and attach them with your next reply.

Sam1912 (Author) Posted September 15, 2023

Hello again Mr @Maurice Naggar, so sorry for the big delay but I haven't been home these days. As soon as I got home I did the required scan. I'll be attaching the log. Thanks.

Attachment: report_2023.09.15_20.38.16.txt

Maurice Naggar Posted September 16, 2023

Very good. Thanks

AdvancedSetup (Root Admin) Posted September 21, 2023

How is the computer running now, @Sam1912?

Sam1912 (Author) Posted September 21, 2023

It was still doing the same thing, opening all folders, .txt and .log files in the Temp folder, so I decided to format the HDD and all partitions, even the system ones, and installed W10 once again. Now it seems to be perfectly gone. Thanks for asking.

AdvancedSetup (Root Admin, Solution) Posted September 21, 2023

Great, glad all seems to be well now. If you like you can post a new set of logs and we can verify if anything odd is found or not.

To begin, please do the following so that we may take a closer look at your installation for troubleshooting:

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

- Download the Malwarebytes Support Tool
- In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
- In the User Account Control pop-up window, click Yes to continue the installation
- Run the MBST Support Tool
- In the left navigation pane of the Malwarebytes Support Tool, click Advanced
- In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
- A zip file named mbst-grab-results.zip will be saved to the Public desktop, please upload that file on your next reply

Thank you

Sam1912 (Author) Posted September 23, 2023

Hello, good afternoon/night Mr @AdvancedSetup, so grateful for your help and your kind support, I really appreciate it. However, I think there will be no need to do this scan and exhaustive log checking. For that reason, even though it might be good to check just to be sure, I decided not to do it, because all the problems that were bothering me and all the information people with not good intentions could try to reach are no longer on my PC or in any place, because for extra security I deleted it with a secure file eraser so it won't leave any traces behind. Once more, thanks for your support and for actively checking threads like this that haven't been consistently finished or closed. Have a good day/night.

AdvancedSetup (Root Admin) Posted September 23, 2023

Okay then @Sam1912

Thank you for the kind words.

Let's go ahead and do some clean-up work and remove the tools and logs we've run.

- Please download KpRm by kernel-panik and save it to your desktop.
- Right-click kprm_(version).exe and select Run as Administrator.
- Read and accept the disclaimer.
- When the tool opens, ensure all boxes under Actions are checked.
- Under Delete Quarantines select Delete Now, then click Run.
- Once complete, click OK.
- A log will open in Notepad titled kprm-(date).txt.
- Please attach that file to your next reply. (not compulsory)

Recommend using a Password Manager for all websites, etc. that require a password. Never use the same password on more than one site.
https://www.howtogeek.com/240255/password-managers-compared-lastpass-vs-keepass-vs-dashlane-vs-1password/

Make sure you're backing up your files
https://forums.malwarebytes.com/topic/136226-backup-software/

Keep all software up to date - PatchMyPC - https://patchmypc.com/home-updater#download

Keep your Operating System up to date and current at all times - https://support.microsoft.com/en-us/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2

Further tips to help protect your computer data and improve your privacy:
https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/

Please consider installing the following Content Blockers for your Web browsers if you haven't done so already. This will help improve overall security.

Malwarebytes Browser Guard
- Google Chrome: https://chrome.google.com/webstore/detail/malwarebytes-browser-guar/ihcjicgdanjaechkgeegckofjjedodee
- Microsoft Edge: https://support.malwarebytes.com/hc/en-us/articles/4413298736787-Install-Malwarebytes-Browser-Guard-on-Microsoft-Edge-browser
- Mozilla Firefox: https://addons.mozilla.org/en-US/firefox/addon/malwarebytes/

uBlock Origin
- Google Chrome: https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm
- Microsoft Edge: https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak
- Mozilla Firefox: https://addons.mozilla.org/en-US/firefox/addon/ublock-origin

Further reading if you like to keep up on the malware threat scene: Malwarebytes Blog https://blog.malwarebytes.com/

Hopefully, we've been able to assist you with correcting your system issues.

Thank you for using Malwarebytes