Flauschi64 Posted September 22, 2023 ID:1590708 Share Posted September 22, 2023 I know there are several topics to this problem, but I didn´t wanted to write in to anothers people problem shooting. Downloaded an .exe, scanned it, no detection,but since executing it...see screenshot. Attached the detections. Already scanned with avast, kaspersky (KVRT), MSERT and ESET Online, but none of them did solve the problem :( After detection and deleting via MBAM, it is there again...please help! 22092023.txt mbst-fix-results.txt mbst-grab-results.zip Link to post Share on other sites More sharing options...
Maurice Naggar Posted September 22, 2023 ID:1590720 Share Posted September 22, 2023 Hello @Flauschi64 My name is Maurice. I will guide you. Thanks for the reports. Know that Malwarebytes is keeping the pc safe from potential threat. What is being blocked is the I P address. (Know that the reports are more useful than a screen-grab image). Removing pesky malware can be an involved set of tasks over separate runs. Have much patience. Follow my directions. Please don't run any other scans, download, install or uninstall any programs while I'm working with you. Only run the tools I guide you to. Do not run online games while case is on-going. Do not do any free-wheeling web-surfing. The removal of malware isn't instantaneous, please be patient. Cracked or or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed, is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure. Please stick with me until I give you the "all clear". If your system is running Discord, please be sure to Exit out of it while this case is on-going. Do these 2 steps so that ALL folders & Files are set to SHOW, plus also, Turn OFF Windows Fast start. Show-Hidden-Folders-Files-Extensions https://forums.malwarebytes.com/topic/299345-show-hidden-folders-files-extensions/ Disable-Fast-Startup https://forums.malwarebytes.com/topic/299350-disable-fast-startup/ Link to post Share on other sites More sharing options...
Flauschi64 Posted September 22, 2023 Author ID:1590722 Share Posted September 22, 2023 Hi Maurice, both done... Link to post Share on other sites More sharing options...
Maurice Naggar Posted September 22, 2023 ID:1590724 Share Posted September 22, 2023 Notice the notations on Malwarebytes scan report Quote Keine Aktion durch Benutzer Quote No action by user First some housekeeping, and then one Scan. There will be more later after all this. Start Malwarebytes. Click Settings ( gear ) icon. Next, let us make real sure that Malwarebytes does NOT register with Windows Security Center Click the Security Tab. Scroll down to "Windows Security Center" Click the selection to the left for the line "Always register Malwarebytes in the Windows Security Center". { We want that to be set as Off .... be sure that line's radio-button selection is all the way to the Left. thanks. } This will not affect any real-time protection of the Malwarebytes for Windows 😃. now Click the General tab. Under Application updates, click the Check for updates button. When it shows a new version available, Accept it and let it proceed forward. Be sure it succeeds. If prompted to do a Restart, just please follow all directions. Let me know how that goes. Next, the Malwarebytes scan Next, click the small x on the Settings line to go to the main Malwarebytes Window. Next click the blue button marked Scan. When the scan phase is done, be real sure you Review and have all detected lines items check-marked on each line on the left. That too is very critical. >>>>>> 👉 You can actually click the topmost left check-box on the very top line to get ALL lines ticked ( all selected). <<<< 💢 Please double verify you have that TOP check-box tick marked. and that then, all lines have a tick-mark Then click on Quarantine button. Then, locate the Scan run report; export out a copy; & then attach in with your reply. See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4 ( 2 ) Let's do one scan with Malwarebytes Adwcleaner to check for adwares. Just before pressing that "scan" button, be sure that Chrome & Edge, or other web browser are Closed. It will not take much time, First download & save it guide & download link Then be sure to close all web browsers after the download & before launching the tool. Then go to where the EXE file is saved. Start Adwcleaner. Then do a scan with Adwcleaner Guide article NOTE: IF Adwcleaner in the results shows "no items" flagged, then please click on the button marked "Run Basic Repair" Attach the clean log from Adwcleaner when all completed. Link to post Share on other sites More sharing options...
Flauschi64 Posted September 22, 2023 Author ID:1590731 Share Posted September 22, 2023 Done, as always, 4 detections in MBAM. No detections in Adware 220920231738.txt AdwCleaner[C01].txt Link to post Share on other sites More sharing options...
Maurice Naggar Posted September 22, 2023 ID:1590738 Share Posted September 22, 2023 Go slow and careful to do all that is listed below, please. I need for you to download and be sure to SAVE the tool named FRST64.exe onto the DOWNLOADS folder. download & save a copy of the tool FRST64.exe from this link https://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/ Ignore all advertising and the ads on the page. Just be sure the FRST64 is saved. Then, go to folder Downloads. With your mouse, do a RIGHT-Click on FRST64.exe & select rename and rename it to FRSTENGLISH.exe That is important, so hopefully the next log will have English remarks ( so I can use it). NEXT, see if you can temporarily Turn Off the Comodo security ( so that it does not interfere with next task) NEXT Please run the following custom script. Read all of this before you start. The meaning of the "Fix button" operation here is just to run a custom script just for this particular machine. NOTE-1: This custom fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will attempt to insure a rogue scheduled Task is removed. It will attempt to clear Cache files of web browsers. It will attempt to clear temporary file areas. It rebuilds the Winsock. Depending on the speed of your computer this fix may take 50-55 minutes or more. Please Close all open work before you actually do begin this run. FRSTENGLISH,exe program location: Downloads folder. The tool is already on system. That is what we will use. Please download the attached fixlist.txt file and save it to Downloads Fixlist.txt <- < - - - - NOTE. It's important that both files, FRSTENGLISH, and fixlist.txt are in the same location or the fix will not work. Right-click with your mouse on FRSTENGLISH and select "Run as Administrator" and reply Yes and allow it to proceed when prompted. That is important. next, press the Fix button just once and wait. You will see a green-color scroll display while FRST is running. If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Downloads folder (Fixlog.txt) . Please attach or post it to your next reply. Note: If the tool warned you about an outdated version please download and run the updated version. The system will be rebooted after the fix has run. Attach FIXLOG.txt with next reply. NOTICE: For potential outside readers, This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause harm. Link to post Share on other sites More sharing options...
Flauschi64 Posted September 22, 2023 Author ID:1590745 Share Posted September 22, 2023 Scan runned, for now, the message didn´t show up again Fixlog.txt Link to post Share on other sites More sharing options...
Maurice Naggar Posted September 22, 2023 ID:1590758 Share Posted September 22, 2023 Der Windows-Ressourcenschutz hat beschädigte Dateien gefunden und erfolgreich repariert. Windows Resource Protection found and successfully repaired corrupted files. One antivirus/security scan here. TrendMicro HouseCall scan from this Link First, Download & Save to your Downloads folder the appropriate HouseCallLauncher Once the download is complete, go to where the Housecalllauncher is saved & double-click it to start it. The program will check with TrendMicro & do a update run. Next it will show the Disclosure window. Click Next to proceed. The end user license agreement is presented. Click the Accept radio button & click Next to proceed. I suggest a CUSTOM scan on C drive. IF you wish a Full scan or a Custom scan, first click on the Settings then you can select which drives you want to include in the scan. The default is a Quick scan. Click Scan now when ready. The scan progress will then be displayed. Monitor the progress or just leave it alone until it finishes this phase. When the scan phase has completed, if any items are tagged, you will see a list, showing the file & its location, the classification of the threat, the type, risk, and Action option. If you see an item that you know is safe, you can click the Action , and select Ignore. When all done & ready, click the Fix now button. The "Summary" at the end at "Review Results" is what matters. Link to post Share on other sites More sharing options...
Flauschi64 Posted September 22, 2023 Author ID:1590763 Share Posted September 22, 2023 Server not found :( Link to post Share on other sites More sharing options...
Maurice Naggar Posted September 22, 2023 ID:1590764 Share Posted September 22, 2023 Try a different web browser. https://www.trendmicro.com/en_us/forHome/products/housecall.html Link to post Share on other sites More sharing options...
Flauschi64 Posted September 22, 2023 Author ID:1590767 Share Posted September 22, 2023 Nope, not Firefox, Chrome and Edge...Same problem,server not avaiable Link to post Share on other sites More sharing options...
Maurice Naggar Posted September 22, 2023 ID:1590772 Share Posted September 22, 2023 One kast try with this http://www.trendmicro.com/de_de/forHome/products/housecall.html Link to post Share on other sites More sharing options...
Flauschi64 Posted September 22, 2023 Author ID:1590774 Share Posted September 22, 2023 No,same here... :( Link to post Share on other sites More sharing options...
Maurice Naggar Posted September 22, 2023 ID:1590776 Share Posted September 22, 2023 Let us just forget that. Your machine has the FRSTENGLISH report tool on the Downloads folder. We will use that. Go to Downloads folder. RIGHT-click on FRSTENGLISH and select Run as Administrator and tap ENTER. And reply YES to allow to proceed. When the tool opens click Yes to the disclaimer. And be very sure to TICK the box for Addition.txt Press the Scan button. It will make a log (FRST.txt & Addition.txt) in the same directory the tool is run Have lots of patience as the run can take several minutes to complete everything. Have patience since the run may take something like 10 or so minutes (less depending on your hardware speed) Close Notepad IF those show up on Notepad. Just please Attach the 2 files FRST.txt +Addition.txt with your next reply. You may put those into a ZIP file & then ATTACH it. Link to post Share on other sites More sharing options...
Flauschi64 Posted September 22, 2023 Author ID:1590781 Share Posted September 22, 2023 Ok, both in there FRST.zip Link to post Share on other sites More sharing options...
Maurice Naggar Posted September 22, 2023 ID:1590795 Share Posted September 22, 2023 I would recommend getting a readout report as to update status of some key apps. Temporarily disable Microsoft SmartScreen to download the next software below Download SecurityCheck by glax24 from here and save the tool on the desktop. If Windows's SmartScreen block that with a message-window, then Click on the MORE INFO spot and over-ride that and allow it to proceed. This tool is safe. Smartscreen is overly sensitive. Right-click with your mouse on the Securitycheck.exe and select "Run as administrator" and reply YES to allow to run & go forward Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file. Attach it with your next reply. You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt I would like to know. Did this machine used to have COMODO ? Did this machine used to have AVIRA ? Link to post Share on other sites More sharing options...
Flauschi64 Posted September 22, 2023 Author ID:1590796 Share Posted September 22, 2023 Done. Both were temporarily installed today for scanning, hoping they´ll find the problem. Both are deinstalled already, but no restart since then, because we began to write ;) SecurityCheck.txt Link to post Share on other sites More sharing options...
Maurice Naggar Posted September 22, 2023 ID:1590802 Share Posted September 22, 2023 There are still at least 3 Comodo services still around. You must run the Comodo Removal tool 64-bit ( your Windows is 64 bit). Comodo does not have a all inclusive, simple page of instruction. which adds to making things more complex. Use this link-page here https://forums.malwarebytes.com/topic/127580-information-list-of-uninstaller-tools/ Scroll to where the line is listed for COMODO Click the spot marked x64 file. SAVE the file to your mahine on like the Downloads folder Having saved the file, now you want to run that tool. Look on the second half of this page about running the tool. https://help.comodo.com/topic-72-1-766-12685-Use-the-Comodo-Uninstaller-Tool.html When all completed, you want to be sure to Restart Windows. Once all done, please re-run the tool SecurityCheck.exe Link to post Share on other sites More sharing options...
Flauschi64 Posted September 22, 2023 Author ID:1590809 Share Posted September 22, 2023 After doing so, windows couldn´t restart anymore, only bluescreens. I had to reset the system from a system backup point from FRST at 18:18 o´clock Link to post Share on other sites More sharing options...
Flauschi64 Posted September 22, 2023 Author ID:1590814 Share Posted September 22, 2023 my graphics card is now mining again, but mbam doesn´t show up the alert anymore, load 99 percent without doing anything Link to post Share on other sites More sharing options...
Maurice Naggar Posted September 22, 2023 ID:1590830 Share Posted September 22, 2023 This is a good point to emphasize not playing online games or games in general, while the case is on-going. I would also emphasize to reduce the auto-started applications that start with Windows down to the absolute minimum. Which would basically be just security applications. Apply these principles now from the following How-to How to perform a clean boot in Windows We need to turn off all auto-start applications as much as possible, like all Games, all Steam, PDF24, GOG NEXT Create an Autoruns Log: Please download Sysinternals Autoruns from here: https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns Save Autoruns.zip to your computer. Then locate it and extract it to a new folder where you can find and run it. Once it starts you may not be able to easily stop the scan but you can try to press the Escape key on your keyboard. Once scanning is stopped, click on the Options menu at the top of the program and select Scan Options... Then place a check mark on the following items Verify Code Signatures, Check VirusTotal.com, and Submit Unknown Images Then click the Rescan button. Agree to the VirusTotal EULA Once the new scan has been completed, please click on the File button at the top of the program and select Save, or use the Save icon, and save the Autoruns.arn file to your desktop and close Autoruns. Right-click on the Autoruns.arn file (it will typically be the name of your computer) on your desktop or where you save it, and hover your mouse over Send To and select Compressed (zipped) Folder Attach the Autoruns.zip folder (your computer name.zip) you just created to your next reply. Link to post Share on other sites More sharing options...
Flauschi64 Posted September 23, 2023 Author ID:1590955 Share Posted September 23, 2023 After my yesterday´s bluescreen post, I started all our steps again to this step, where we SCAN with FRSTenglish. Everything looked ok so far, but today at startup a bluescreen again, so I had to start from a system reset point (FRST 18:18pm) again. Mining at my graphics card detected but no alert from mbam after this. Now I did our last step, clear startup, only microsoft and security software working, closed all active tasks, like shown in the article,then reboot. No mining from this point. Attached now sysinternal zip DESKTOP-A69NLVH.zip Link to post Share on other sites More sharing options...
Flauschi64 Posted September 23, 2023 Author ID:1590968 Share Posted September 23, 2023 After another blue screen I had to choose a system recovery point again and found a entry from 15-09-2023 (long time before the trojan). I used this now. Does this help us? At this moment now activity in graphics card, no alert and scan in MBAM is clear... Link to post Share on other sites More sharing options...
Flauschi64 Posted September 23, 2023 Author ID:1590970 Share Posted September 23, 2023 At this moment NO activity in graphics card, no alert and scan in MBAM is clear... Link to post Share on other sites More sharing options...
Maurice Naggar Posted September 23, 2023 ID:1590981 Share Posted September 23, 2023 I would like a report set for review. This is a report only. Please download MALWAREBYTES MBST Support Tool Be sure it is SAVEd. Do a RIGHT-click on mb-support-1.9.2.9nn,exe & select "Run as administrator" and reply YES and ALLOW it to proceed. click Advanced >>> then Gather Logs Have patience till the run has finished. It may take several minutes to fully generate the report. Attach the mbst-grab-results.zip from the Desktop to your reply.. Link to post Share on other sites More sharing options...
Recommended Posts