
JS.Malscript!g1 detected and unsure if my computer is clean



Two days ago I clicked on what was supposed to be a link to a business's website on Yelp, and unfortunately it was a redirect that sent me to a malicious website. I stupidly had set javascript to run on Chrome since I had not considered the possibility of how easy a website could be hijacked and set to redirect. My antivirus, Norton, caught a file named "f_00225d" that had been downloaded to the cache of Chrome which is labeled as JS.Malscript!g1, but there was a delay before the file was detected and quarantined (I have included an image of the detection history by Norton for that file). I have run many scans (Norton 360, Norton Power Erasure, Malwarebytes Premium, Kaspersky, and ESET Antivirus) to make sure the virus did not make any additional changes or bury itself somewhere in my computer, and while everything comes back clean, I still have a sense of unease.

I also noticed some odd behaviors since then, including the creation of three suspicious files in the System32 folder (which I have attached as an image) within an hour of the detection by Norton, and then today, svchost.exe (located in the System32 folder) wrote 119 MB onto the disk, and then 7 minutes later, MSIEXEC.exe repeatedly attempted to access Norton's files which it blocked. Additionally, an odd program called AcroServicesUpdater2_x64.exe attempted to access my network resources, and when I try to locate or scan the file, it doesn't even exist (I have included an image of that log as well).

I know I may just be interpreting all of these behaviors as odd due to the virus detection putting me on edge, but I want to make absolutely sure my computer is clean. I have attached the log for my Malwarebytes Premium scan, and I have attached the two logs from Farbar Recovery Scan Tool. I hope this is just my paranoia acting up, but if there is something wrong, I hope you will be able to guide me through how to fix it. Thank you for your time and help!

Norton Virus Detection Screenshot.png

Suspicious Files Screenshot.png

Suspicious Program Screenshot.png

 

Edited by AdvancedSetup
Log removed per request
Link to post

  • Root Admin

Hello @Mustang15 and :welcome:

 

 

My screen name is AdvancedSetup and I will assist you with your system issues.
 

Let's keep these principles as we proceed. Make sure to read the entire post below first.

  • Removing pesky malware can be an involved set of tasks over separate runs. Have much patience. Follow my directions. 
  • Please follow all steps in the provided order and post back all requested logs.
  • Please attach all log files to your post, unless otherwise requested.
  • Temporarily disable Microsoft SmartScreen to download software below if needed. Make sure to turn it back on once the scans are completed.
  • Searching, detecting, and removing malware isn't instantaneous and there is no guarantee to repair every system.
  • Before we start, please make sure that you have an external backup of all private data.
  • Do not run online games while your case is ongoing. Do not do any free-wheeling of risky web-surfing.
  • Only run the tools I guide you to use. Please don't run any other scans, download, install or uninstall any programs while I'm working with you unless requested.
  • Cracked, Hacked, or Pirated programs are not only illegal but also can make a computer a malware victim.
    Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryption. It is at times also a big source of current Trojan infections. 
    If there are any on the system you should uninstall them before we proceed.  
  • If your system is running Discord, or P2P Torrent software, please be sure to Exit out of it while this case is on-going.


Do these two steps so that ALL Folders & Files are set to SHOW, plus also, Turn OFF Windows Fast start.

Show-Hidden-Folders-Files-Extensions
https://forums.malwarebytes.com/topic/299345-show-hidden-folders-files-extensions/

Disable-Fast-Startup
https://forums.malwarebytes.com/topic/299350-disable-fast-startup/
 

  • Next, please restart Windows

  • Please be patient and stick with me until I give you the "all clear" or otherwise indicate all is good

 

 

Please run the following scanner.

Please perform the following so that I may more accurately assess what threats may remain in your system:

  • Download CKScanner from here: http://downloads.malwareremoval.com/CKScanner.exe
  • Important - Save it to your Desktop
  • Right Click CKScanner.exe and select, Run as administrator
  • Give permission if necessary, and click Search For Files
  • After a very short time, when the cursor hourglass disappears, click Save List To File
  • A message box will verify that the file was saved. Please run the program only once
  • Attach the CKFiles.txt file on your desktop to your next reply

 

 

Then run the following scanner from Microsoft

Let's go ahead and run a couple of scans and get some updated logs from your system. Please read the entire post below before starting so that you're more familiar with the process

[ 1 ]

Please make the following system changes.

  • Temporarily disable your antivirus real-time protection or other security software first only if it blocks or interferes with the scans or downloads. Make sure to turn it back on once the scans are completed.
  • Temporarily disable Microsoft SmartScreen to download software below only if needed. Make sure to turn it back on once the scans are completed.
  • Disable-Fast-Startup
  • Show-Hidden-Folders-Files-Extensions

[ 2 ]

I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on the Scan Options & select the FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

  • Once you see it has started, take a long long break;  walk away.  Do not pay credence if you see some intermediate early flash messages on the screen display.  The only things that count are the End result at the end of the run.
  • The scan will take several hours.  Leave it alone. It will remove any other remaining threats as it goes along.  Take a very long break, do your normal personal errands .....just do not use the computer during this scan.

This is likely to run for many hours as previously mentioned  ( depending on the number of files on your machine & the speed of the hardware.)

The log is named MSERT.log  and the log will be at C:\Windows\debug\msert.log

Please attach that log with your next reply.

 

It is normal for the Microsoft Safety Scanner to show detections during the scan process.

It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.

Then it writes into the log on your computer what it found.

 

Thank you

Link to post

Thank you for the welcome AdvancedSetup, and I really appreciate you taking the time to help doublecheck if my computer is clean!

Using your directions, I performed the following actions: I set all folders and files to show, I turned off Windows fast start, I restarted my computer, and I ran CKScanner and then Microsoft Safety Scanner. I have attached the logs from the two scans to this reply.

Hopefully the logs show that my computer is clean, and I look forward to your response. Thanks for your help!

ckfiles.txt msert.log

Link to post

  • Root Admin

The Microsoft scanner found one issue and corrected it.

Let's go ahead and have you run another scanner just to make sure.

 

 

 

Please download and run the following Kaspersky Virus Removal Tool 2020 and save it to your Desktop.

(Kaspersky Virus Removal Tool version 20.0.10.0 was released on November 9, 2021)

Download: Kaspersky Virus Removal Tool

https://devbuilds.s.kaspersky-labs.com/devbuilds/KVRT/latest/full/KVRT.exe

How to run a scan with Kaspersky Virus Removal Tool 2020
https://support.kaspersky.com/15674

How to run Kaspersky Virus Removal Tool 2020 in the advanced mode
https://support.kaspersky.com/15680

How to restore a file removed during Kaspersky Virus Removal Tool 2020 scan
https://support.kaspersky.com/15681

 


Select the Windows Key and R Key together; the "Run" box should open.

Drag and Drop KVRT.exe into the Run Box.


C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the run box.

Add -dontencrypt. Note the space between KVRT.exe and -dontencrypt.

C:\Users\{your user name}\DESKTOP\KVRT.exe -dontencrypt should now show in the Run box.
 
That addendum to the run command is very important: when the scan does eventually complete, the resultant report is normally encrypted; with the extra command it is saved as a readable file.

Reports are saved here C:\KVRT2020_Data\Reports and look similar to this report_20210123_113021.klr
Right-click directly onto that report, select > open with > Notepad. Save that file and attach it to your reply.

To start the scan select OK in the "Run" box.

A EULA window will open, tick all confirmation boxes then select "Accept"


In the new window select "Change Parameters"


In the new window ensure all selection boxes are ticked, then select "OK" The scan should now start...


When complete if entries are found there will be options, if "Cure" is offered leave as is. For any other options change to "Delete" then select "Continue"


When complete, or if nothing was found select "Close"


Attach the report information as previously instructed...
 
Thank you
 
 

 

 

Link to post

I followed the instructions and have attached the log generated by Kaspersky.

I did have something odd happen when I tried to open the report. File Explorer would not let me open the Reports folder after the scan was finished (I double-clicked on it and nothing happened, and trying to manually type in the folder name into File Explorer did not do anything either), and I was forced to restart my computer to gain access to the folder. I don't know if that was just a glitch, but it seemed odd.

Thanks again for your help AdvancedSetup, and I look forward to your reply!

 

Edited by AdvancedSetup
Log removed per request
Link to post

  • Root Admin

Thank you @Mustang15

It shows it found nothing. Let me have you run another scanner to double-check that one.

 

Dr.Web CureIt!

Please download the Dr.Web CureIt! anti-virus utility
https://free.drweb.com/

 

You will need to send them an email to obtain a link to download the scanner, please do so

  • The downloaded file will normally have a unique name such as:  q7a9tr4p.exe
  • Close all open applications and locate the downloaded file and double-click to run it
  • The program will take a moment to launch and bring up the License and Update screen
  • Place a check mark to agree to the terms and then click on the Continue button
  • Click the underlined link Select objects for scanning
  • On the top left click the Scanning objects that should automatically check all objects
  • Click the small wrench and make sure there is a check on Automatically apply actions to threats
  • Then click the large button on bottom right Start scanning
  • Once the scan has completed there will be a link named Open report click that and a log named cureit.log should open in Notepad
  • The log is saved in the folder named Doctor Web in the top of your user profile folders
  • Please attach that log on your next reply

 

 

 

Link to post

  • Root Admin

No infection found.

Let's do one last scan, but so far two well-known 3rd party AV scanners along with our scanner have not found an issue.

 

 

Let's go ahead and run a couple of scans and get some updated logs from your system. Please read the entire post below before starting so that you're more familiar with the process

[ 1 ]

Please make the following system changes.

  • Temporarily disable your antivirus real-time protection or other security software first only if it blocks or interferes with the scans or downloads. Make sure to turn it back on once the scans are completed.
  • Temporarily disable Microsoft SmartScreen to download software below only if needed. Make sure to turn it back on once the scans are completed.
  • Disable-Fast-Startup
  • Show-Hidden-Folders-Files-Extensions

[ 2 ]

I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on the Scan Options & select the FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

  • Once you see it has started, take a long long break;  walk away.  Do not pay credence if you see some intermediate early flash messages on the screen display.  The only things that count are the End result at the end of the run.
  • The scan will take several hours.  Leave it alone. It will remove any other remaining threats as it goes along.  Take a very long break, do your normal personal errands .....just do not use the computer during this scan.

This is likely to run for many hours as previously mentioned  ( depending on the number of files on your machine & the speed of the hardware.)

The log is named MSERT.log  and the log will be at C:\Windows\debug\msert.log

Please attach that log with your next reply.

 

It is normal for the Microsoft Safety Scanner to show detections during the scan process.

It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.

Then it writes into the log on your computer what it found.

 

Thank you

Link to post

I have tried to run the Microsoft Safety Scanner twice today by turning on my computer, running the scan, and then walking away, but when I come back (about three hours later), it appears it got stuck. I will try it again a third time and hopefully it will not get stuck again, and I will post my log at that time. Thanks for your patience AdvancedSetup!

Link to post

I don't know what changed, but I cannot seem to complete a full scan using Microsoft Safety Scanner like I did a few days ago. It continues to get stuck near the very end of the scan, and I am unsure how to fix the issue. Any advice or guidance you can provide me is greatly appreciated AdvancedSetup!

Link to post

  • Root Admin

Hmmm, well, that's not good.

Please try the following and I'll check back on you tomorrow

 

Please run the following ESET Online Scanner and perform a Full Scan

 

Click the following link to save the installer for ESET Online Scanner

https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe"
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get started. 
  • When presented with the initial ESET screen, click on "Get Started". Read and accept the Terms of use
  • On the "Before we start..." screen choose if you want to send anonymous data and if you want to provide feedback or not, then click Continue
  • When prompted for scan type, Click on the Full Scan button
  • Enable  ( select )   the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click the Start scan button.
  • Have patience.  The entire process may take a few hours or more.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.
  • Click The blue “Save scan log” to save the log and give it a name and location you remember.
  • If something was removed and you know it is a false positive, you may click on the blue “Restore cleaned files”  ( in blue, at the bottom).
  • Press Continue when all done.  You should click to turn off the offer for “periodic scanning”.
  • Enable "Delete application data on closing" - You do not need to submit feedback unless you want to. Simply ignore and close the program.

 

Note: If you do need to do a File Restore from ESET please follow the directions below

[KB2915] Restore files quarantined by the ESET Online Scanner version 3

https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner

 

Please attach the ESET scan log you saved at the end to your next reply

 

Link to post

I ran the ESET Online Scanner before I made my initial post here and it successfully scanned my computer and said there were no threats, but now when I try to run it today, the program just closes after a very short time, as if something is killing the process. It is not my antivirus since it is not giving me any kind of notification or alert, plus the scan worked a few days ago. I'm getting worried now since I can't tell if my computer is just acting up or if the initial virus did more damage than I realized. I have not downloaded anything else aside from the scanners you have posted here during the last few days, and my web browsing has been limited to this forum and to the download sites.

At this point what should I do? Please let me know and I look forward to your reply AdvancedSetup!

Link to post

AdvancedSetup, could the app be crashing since I already used my one-time scan? I looked further into the issue, and I noticed on the website that you are allowed one free scan, but I used that before I posted here, so I may have accidentally caused this issue myself. Hopefully that information is useful and will help you decide what to do next.

Link to post

  • Root Admin

I doubt it, but that's okay there are other scanners we can try.

 

Sophos Scan & Clean

Download Sophos Free Virus Removal Tool and save it to your desktop.

  • If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....
  • Please close all other open applications and Do Not use your PC whilst the scan is in progress... This scan is very thorough so it may take several hours to complete, please be patient...

Double click the icon and select Run

Click Next

Select I accept the terms in this license agreement, then click Next twice

Click Install

Click Finish to launch the program

  • Once the virus database has been updated click Start Scanning

If any threats are found click Details, then View log file... (bottom left hand corner)

 

Attach the results in your next reply

  • Close the Notepad document, close the Threat Details screen, then click Start cleanup

Click Exit to close the program

 

If no threats were found please confirm that result...

  • The Virus Removal Tool scans the following areas of your computer:
  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable
  • Mapped network drives are not scanned.

Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

 

Saved logs are found under this sub-folder: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs 

Please attach that log on your next reply

Thank you

 

Link to post

  • 3 weeks later...
  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks

 

Link to post