Malware and Riskware block alerts

Greetings to the online Malwarebytes community,

I've encountered some recent troubles stemming from an ill-advised decision to install a counterfeit PlayStation 5 emulator on my system. Fortunately, my computer remains unharmed, thanks to the protective shield of Malwarebytes. However, the continuous flood of alerts from Malwarebytes is nothing short of overwhelming.

Every passing second, a new notification appears on my screen, declaring "Malware blocked, name: RiskWare.Agent, Path: C:\Users\nicho\AppData\Local\Temp\v15.exe." It appears as though there's a concealed file that eludes both my view and Malwarebytes' detection, orchestrating the creation of riskware and Trojans.

I'm in need of guidance regarding the appropriate steps to take next. I'm going to provide the text files pertaining to the present riskware and past Trojan attempts found in Malwarebytes' history files.

Your assistance and advice would be greatly appreciated.

riskwareinstance.txt trojaninstance.txt

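The original poster describes a file under the user's Temp folder that keeps reappearing and being blocked, with no obvious source. As an added example (not from this thread, and not Malwarebytes' own tooling), the PowerShell script below lists the common autostart locations and running processes that reference a Temp folder, so a helper can see what is re-creating such a file before deciding on a fix. It is read-only and changes nothing; the Temp-path pattern and the set of registry Run keys it inspects are assumptions chosen for illustration.

```powershell
# Added example, not from the thread: read-only triage of what references the
# user's Temp folder in autostart locations and in running processes.
$tempPath = [System.IO.Path]::GetFullPath($env:TEMP)   # e.g. C:\Users\<user>\AppData\Local\Temp
$pattern  = [regex]::Escape('\AppData\Local\Temp\')   # assumed layout of a per-user Temp path

$hits = @()

# 1. Scheduled tasks whose action executable or arguments point into a Temp folder
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($action in $task.Actions) {
        # ComHandler actions have no Execute/Arguments; the string is then empty and never matches
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match $pattern) {
            $hits += [pscustomobject]@{
                Source  = 'ScheduledTask'
                Name    = "$($task.TaskPath)$($task.TaskName)"
                Command = $cmd.Trim()
            }
        }
    }
}

# 2. Registry Run / RunOnce keys for the machine and the current user (assumed list)
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PSPath, PSParentPath, etc.
        if ("$($p.Value)" -match $pattern) {
            $hits += [pscustomobject]@{
                Source  = 'RegistryRun'
                Name    = "$key\$($p.Name)"
                Command = "$($p.Value)"
            }
        }
    }
}

# 3. Running processes whose image lives in a Temp folder (a dropper may still be resident)
foreach ($proc in Get-Process -ErrorAction SilentlyContinue) {
    $path = try { $proc.Path } catch { $null }        # protected processes may refuse access
    if ($path -and $path -match $pattern) {
        $hits += [pscustomobject]@{
            Source  = 'Process'
            Name    = "$($proc.ProcessName) (PID $($proc.Id))"
            Command = $path
        }
    }
}

if ($hits) { $hits | Format-Table -AutoSize }
else       { "No autostart entries or processes referencing $tempPath" }
```

Run it from an elevated PowerShell so the HKLM keys and all scheduled tasks are readable; anything it lists is a candidate for review, not proof of malice, since legitimate installers also stage files in Temp.
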
Hello @Nicoretro and welcome!

My name is MKDB and I will assist you.

Let's keep these principles as we proceed. Make sure to read the entire post below first.

  • Please follow the steps in the given order and post back the log files.
  • Please attach all log files into your post.
  • Before we start, please make sure that you have an external backup, not connected to this system, of all private data.
  • Only run the tools I guide you to. Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • As English is not my native language, please do not use slang or idioms. It may be hard for me to understand.
  • If you do not respond within 4 days, your topic will be closed.
  • Cracked, hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also a big source of current trojan infections. If you are running any kind of illegal software on your system, please uninstall it now, before we start the cleaning procedure.

Step 1

  • Please download the Malwarebytes Support Tool (MBST).
  • Run MBST and accept license agreement.
  • In the left navigation pane of MBST, click Advanced.
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine.
  • A zip file named mbst-grab-results.zip will be saved to your desktop, please upload that file on your next reply.

@Nicoretro

First, we will use Farbar Recovery Scan Tool (FRST) to run a fix. FRST was downloaded together with MBST and should be located in your download folder (C:\Users\nicho\Downloads\FRSTEnglish.exe).

The fix may take some time, please be very patient and do not interfere.

Step 1

  • Please download the attached fixlist.txt file and save it to your download folder, which is C:\Users\nicho\Downloads\ in your case.
  • You will find the file FRSTEnglish.exe (FRST) as well in this folder.

Note: It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

  • Close all open programs and save your work.
  • Run FRST.
  • Press the Fix button only once and wait. Please be patient and do not interfere, even if FRST does not respond for some time. That's nothing to worry about.
  • Please note: This Fix will remove all temporary files, empty recycle bin and will remove cookies and may result in some websites indicating they do not recognize your computer. It may be necessary to receive and apply a verification code.
  • Please note: This step resets your Firewall settings and you may be asked later to grant permission for legitimate programs to pass through the Firewall. If you recognize the program, agree to the request.
  • If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart.
  • FRST will create one log now (Fixlog.txt) in the same directory the tool is run.
  • Please attach this logfile to your next reply.

Thank you!

fixlist.txt

Here is the log file you requested. It appears that my Real-Time Protection system no longer generates notifications after the completion of the FRST scan, which suggests the issue has been resolved.

In light of this, I am inclined to explore any remaining steps or delve into the logs and other data to identify the root cause of the initial problem.

Either way, I thank you for your help!

Fixlog.txt

@Nicoretro

Thanks for the logfile and your detailed feedback.

Before finishing your topic here, I would like you to follow two more steps.

Step 1

Let me have you run a different scanner to double-check. I don't expect it to find anything, but no harm in checking.

I would suggest a free scan with the ESET Online Scanner.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe".
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double-click it to get it started.
  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes.
  • When prompted for scan type, click on Full scan.
  • Tick (select) the option "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.
  • Have patience. The entire process may take an hour or more. There is an initial update download.
  • There is a progress window display.
  • You should ignore all prompts to get the ESET antivirus software program (i.e. their standard program). You do not need to buy or get or install anything else.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked "View detected results".
  • Click the blue "Save scan log" to save the log.
  • If something was removed and you know it is a false finding, you may click on the blue "Restore cleaned files" (at the bottom).
  • Press Continue when all done. You should decline the offer for "periodic scanning".

Note: If you do need to do a File Restore from ESET please follow the directions below

[KB2915] Restore files quarantined by the ESET Online Scanner version 3

https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner

Step 2

I would like you to run a tool named SecurityCheck to inquire about the current security update status of some applications.

  • Download SecurityCheck by glax24: https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
  • If Microsoft SmartScreen blocks the download, click through to save the file.
  • This tool is safe. SmartScreen is overly sensitive.
  • If SmartScreen blocks the file from running, click on More info and Run anyway.
  • Right-click on SecurityCheck.exe, select "Run as administrator" and reply Yes to allow it to run and go forward.
  • Wait for the scan to finish. It will open a text file named SecurityCheck.txt. Close the file. Attach it with your next reply.
  • You can find this file in a folder called SecurityCheck: C:\SecurityCheck\SecurityCheck.txt

It would appear the issue is larger than anticipated.

I went looking into another problem on another forum and discussed with some members about potentially Windows Update being harmed due to their service, and it turned out it was a result of the malware.
In fact, after attempting Step 1, the scanner crashes or closes after a few seconds of opening it. I can't click fast enough to start the scan but I would imagine it still closes afterwards. I was able to complete Step 2, and I have uploaded the results to that as such. If for whatever reason I can perform Step 1 I will attach the logs from that as well.

SecurityCheck.txt

@Nicoretro

Crossposting (like you did) is not welcome.

There are always cases where users search for help in several forums at the same time. It's understandable that you want to get rid of your problem as quickly as possible, but it is counterproductive to have several forums dealing with your problem at once.

This may result in us refusing to further help you in your thread, as this is a sign of disregard for the work of your current helper here.

I'm aware of the fact that this malware can damage Windows services as well and repairing isn't always easy.

If you would like to receive further help here in the Malwarebytes forum, please follow the steps below.

As long as you receive support here, we ask that you do not seek further help from other forums.

This is by no means a disrespect to the other forum members, but you should only choose one forum.

Step 1

  • Run FRST (C:\Users\nicho\Downloads\FRSTEnglish.exe) again.
  • Do not change any settings.
  • Press the Scan button.
  • FRST will create two logs now (FRST.txt + Addition.txt) in the same directory the tool is run.
  • Please attach these logfiles to your next reply.

Step 2

Please download Farbar Service Scanner (FSS) and save it to your desktop.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
    • Other Services
  • Press the Scan button.
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please attach this logfile to your next reply.
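
Farbar Service Scanner reports whether the services behind the areas listed above are present, running and configured to start. As an added example (not from this thread and not FSS's own code), the PowerShell script below performs a similar read-only check from the Service Control Manager and the registry, flagging services that are missing, disabled or stopped, and printing each ImagePath so it can be compared against a known-good machine. The mapping of FSS's areas to Windows service short names is an assumption made here; the names are the standard ones on Windows 10/11.

```powershell
# Added example, not from the thread: read-only health check of core Windows services
# in the same areas Farbar Service Scanner covers. Service names are assumed to be
# the standard short names on Windows 10/11; adjust for other builds.
$services = @(
    @{ Name = 'MpsSvc';    Area = 'Windows Firewall' },
    @{ Name = 'BFE';       Area = 'Windows Firewall' },
    @{ Name = 'wuauserv';  Area = 'Windows Update' },
    @{ Name = 'BITS';      Area = 'Windows Update' },
    @{ Name = 'wscsvc';    Area = 'Security Center' },
    @{ Name = 'WinDefend'; Area = 'Windows Defender' },
    @{ Name = 'VSS';       Area = 'System Restore' },
    @{ Name = 'Dhcp';      Area = 'Internet Services' },
    @{ Name = 'Dnscache';  Area = 'Internet Services' }
)

# Values of the registry "Start" entry for user-mode services
$startNames = @{ 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

# Areas where a stopped service is worth flagging even if it is not disabled
$mustRun = @('Windows Firewall', 'Security Center', 'Windows Defender')

$findings = foreach ($s in $services) {
    $svc = Get-Service -Name $s.Name -ErrorAction SilentlyContinue
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($s.Name)"
    $reg = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    if (-not $svc -or -not $reg) {
        # A missing service or registry key is the classic "service is not present" finding
        [pscustomobject]@{
            Area = $s.Area; Service = $s.Name; Status = 'MISSING'
            StartType = $null; ImagePath = $null; Note = 'Service or registry key not found'
        }
        continue
    }

    $note = ''
    if ($reg.Start -eq 4) {
        $note = 'Start type is Disabled'
    }
    elseif (($s.Area -in $mustRun) -and ($svc.Status -ne 'Running')) {
        $note = 'Security service is not running'
    }

    [pscustomobject]@{
        Area      = $s.Area
        Service   = $s.Name
        Status    = $svc.Status
        StartType = $startNames[[int]$reg.Start]
        ImagePath = $reg.ImagePath   # compare against a known-good system
        Note      = $note
    }
}

$findings | Format-Table -AutoSize
$problems = @($findings | Where-Object { $_.Note })
if ($problems.Count -gt 0) { Write-Warning "$($problems.Count) service(s) need attention" }
```

Run it from an elevated prompt. A stopped Windows Defender service is normal when another real-time antivirus is registered with Security Center, so treat that line as informational; a Disabled start type or a missing key on a security service is the result that matches the "damaged services" the helper refers to later in this thread.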

@Nicoretro

Indeed, the newest logfiles show me that the malware has damaged at least three services.

We'll run another fix with FRST in order to repair that damage. The fix may take some time, please be very patient.

Depending on the fixlog, we'll do some more checks to confirm everything is OK again.

Step 1

  • Please download the attached fixlist.txt file and save it to your download folder, which is C:\Users\nicho\Downloads\ in your case.
  • You will find the file FRSTEnglish.exe (FRST) as well in this folder.

Note: It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

  • Close all open programs and save your work.
  • Run FRST.
  • Press the Fix button only once and wait. Please be patient and do not interfere, even if FRST does not respond for some time. That's nothing to worry about.
  • Please note: This Fix will remove all temporary files, empty recycle bin and will remove cookies and may result in some websites indicating they do not recognize your computer. It may be necessary to receive and apply a verification code.
  • Please note: This step resets your Firewall settings and you may be asked later to grant permission for legitimate programs to pass through the Firewall. If you recognize the program, agree to the request.
  • If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart.
  • FRST will create one log now (Fixlog.txt) in the same directory the tool is run.
  • Please attach this logfile to your next reply.

Thank you!

fixlist.txt

@Nicoretro

Well done.

Let's do another check with FRST and FSS.

Step 1

  • Run FRST (C:\Users\nicho\Downloads\FRSTEnglish.exe) again.
  • Do not change any settings.
  • Press the Scan button.
  • FRST will create two logs now (FRST.txt + Addition.txt) in the same directory the tool is run.
  • Please attach these logfiles to your next reply.

Step 2

Please run FSS again.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
    • Other Services
  • Press the Scan button.
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please attach this logfile to your next reply.

5 minutes ago, MKDB said:

thanks @Nicoretro

Are Windows Updates working correctly on your system?

Yes, they are. I won't know fully until there's a new update but I am able to access the menu and update drivers.
Unfortunately, my Microsoft Store is not functioning, which was one of the problems I had earlier. I am unable to download anything from there. I get an error message under code 0x80070006.
Looking that code up led to it claiming it was a network issue, but I am connected via Ethernet to my router and I have no trouble downloading things from the internet or other software.

8 minutes ago, MKDB said:

Go to Start > Settings > Apps > Apps & features > choose Microsoft Store > Advanced options > Try "Repair" or "Reset"

Hi, I've just now attempted this and to no avail it does not solve the problem. I tried it on different apps and it still won't download, it goes straight to the error. When downloading an app it says beginning download then it cuts to error.
On one of my apps, specifically Minecraft Launcher, it only says Pending with a swirling circle. Trying to stop the circle or pause the download does nothing as well.

I've looked for other ways to repair Microsoft Store, but there is no solution method that guarantees success... just a clean install of Windows.

Did I understand you correctly: The problem with Microsoft Store was already there before your system got infected with malware?

Are there any open problems regarding your malware problem @Nicoretro?

7 minutes ago, MKDB said:

The problem with Microsoft Store was already there before your system got infected with malware?

Before my system was infected with malware I had never used the store, but I noticed that the store stopped working properly after I had attempted using the Minecraft website to install and got the same error. Using the file MinecraftInstaller.exe also does not work, claiming that "Windows is updating..." with no progress on the bar after opening it. The terms before installing mention using the Microsoft Store to install the launcher, so I would imagine that there is something else wrong with the store. Can you think of any other methods to test this? Maybe making another account on my hardware?

11 minutes ago, MKDB said:

Are there any open problems regarding your malware problem @Nicoretro?

And surprisingly no, but I ran a daily Malwarebytes scan and found a "Neshta.Virus.FileInfector.DDS" somewhere in my Temp files. This was surprising to me because I had not downloaded any new software to my knowledge that would produce a file like that intentionally, or obviously I should say. I have only installed a parental control client for personal reasons but I find it hard to believe it was the source of the virus that was produced. Either way, I quarantined the threat and deleted it immediately. Other than that, I believe all my problems are solved regarding malware. I appreciate your help, MKDB!

@Nicoretro

You can create a new user account and test Microsoft Store there, but I doubt that it will work.

"Neshta.Virus.FileInfector.DDS" doesn't sound good, but "DDS" is a generic detection... maybe it isn't a file infector (hard to delete).

Let's try ESET again as well as KVRT.

Step 1

Let me have you run a different scanner to double-check. I don't expect it to find anything, but no harm in checking.

I would suggest a free scan with the ESET Online Scanner.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe".
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double-click it to get it started.
  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes.
  • When prompted for scan type, click on Full scan.
  • Tick (select) the option "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.
  • Have patience. The entire process may take an hour or more. There is an initial update download.
  • There is a progress window display.
  • You should ignore all prompts to get the ESET antivirus software program (i.e. their standard program). You do not need to buy or get or install anything else.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked "View detected results".
  • Click the blue "Save scan log" to save the log.
  • If something was removed and you know it is a false finding, you may click on the blue "Restore cleaned files" (at the bottom).
  • Press Continue when all done. You should decline the offer for "periodic scanning".

Note: If you do need to do a File Restore from ESET please follow the directions below

[KB2915] Restore files quarantined by the ESET Online Scanner version 3

https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner

Step 2

Download Kaspersky Virus Removal Tool (KVRT) and save it to your Desktop.

  • Select the Windows Key and R Key together; the Run box should open.
  • Copy and paste the following string into the line:

C:\Users\nicho\Desktop\KVRT.exe -dontencrypt

  • Select "OK" in the Run box.
  • If the "Windows protected your PC" window opens, select "More info". A new window will open; select "Run anyway".
  • An EULA window from KVRT will open; tick all confirmation boxes, then select "Accept".
  • A window from KVRT will open; select "Change Parameters".
  • In the new window ensure the following boxes are ticked:
    • System memory
    • Startup objects
    • Boot sectors
    • System drive
  • Then select "OK" and "Start scan".
  • When completed: if entries are found, there will be options to choose. If "Cure" is offered, leave it as it is. For any other options change to "Delete", then select "Continue".
  • Usually, your system needs a reboot to finish the removal process.
  • Logfiles can be found on your system drive (usually C:), similar to this:

C:\KVRT2020_Data\Reports\report_<date>_<time>.klr

  • Right-click directly on those reports and select Open with > Notepad.
  • Save the files and attach them with your next reply.

Hi,
I was able to do both of your scans, and I have some news on the Microsoft Store problem.
Regarding the Microsoft Store, I was able to successfully download a different application from the store, meaning it should work fine now. The Minecraft Launcher was having trouble last night when I got home, but this morning it seemed to have installed itself overnight and it works fine now. I don't want to call it too early, but I would say it looks like a closed book on my system. Here are the files you wanted. If I created them incorrectly please let me know, and I will rectify it :)

ESET.txt report_2023.10.28_15.07.28.txt

@Nicoretro

Awesome! 😉

Thanks for your feedback, both logfiles came back clean (ESET only detected some entries that we already moved with FRST - all that will be cleaned with KpRm).

Thank you for your cooperation. You can use KpRm to remove FRST and other tools.

Please download KpRm by kernel-panik and save it to your desktop.

  • Right-click kprm_(version).exe and select Run as Administrator.
  • Read and accept the disclaimer.
  • When the tool opens, select Delete Tools under Actions.
  • Under Delete Quarantines select Delete Now, then click Run.
  • Once complete, click OK.
  • A log may open in Notepad titled kprm-(date).txt. I do not need it. Just close Notepad if it shows up.

A few final recommendations:

  1. Recommend using a Password Manager for all websites, etc. that require a password. Never use the same password on more than one site.
     https://www.howtogeek.com/240255/password-managers-compared-lastpass-vs-keepass-vs-dashlane-vs-1password/
  2. Make sure you're backing up your files: https://forums.malwarebytes.com/topic/136226-backup-software/
  3. Keep all software up to date - PatchMyPC - https://patchmypc.com/home-updater#download
  4. Keep your Operating System up to date and current at all times - https://support.microsoft.com/en-us/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2
  5. Further tips to help protect your computer data and improve your privacy:
     https://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
     https://www.bleepingcomputer.com/forums/t/287710/how-malware-spreads-how-your-system-gets-infected/
  6. Please consider installing the following Content Blockers for your Web browsers if you haven't done so already. This will help improve overall security:
     • Malwarebytes Browser Guard
     • uBlock Origin

Further reading if you like to keep up on the malware threat scene: Malwarebytes Blog  https://blog.malwarebytes.com/

Hopefully, we've been able to assist you with correcting your system issues.

Thank you for using Malwarebytes.

@Nicoretro

Indeed, we removed the malware with the first FRST fix.

As this malware is known to misuse/damage Windows services, I've replaced the damaged services with default ones (which usually works very well).

The detection "Neshta.Virus.FileInfector.DDS" was probably a false positive by MBAM, as ESET and KVRT detected nothing anymore.