Jump to content

I FOUND A MALWARE


Recommended Posts

hi I'm having a dumb move when installing a game that i downloaded from archive.org. while installing it,the cmd appears requesting for permission allowing this app.when i click yes,nothing happens no apps installed then when i restart my pc cmd keeps appearing when i click no. the 2nd pic is the game i was installing. can anyone pls help me.20240109_102218.thumb.jpg.852328b24821ff817b3bcf14b6216e18.jpg

Screenshot_20240109_110351_UC Browser.jpg

Link to post
Share on other sites

  • Root Admin

Hello @jtym000

 

Let's go ahead and run a couple of scans and get some updated logs from your system. Please read the entire post below before starting so that you're more familiar with the process

[ 1 ]

Please make the following system changes.

  • Temporarily disable your antivirus real-time protection or other security software first only if it blocks or interferes with the scans or downloads.. Make sure to turn it back on once the scans are completed.
  • Temporarily disable Microsoft SmartScreen to download software below only if needed. Make sure to turn it back on once the scans are completed.
  • Disable-Fast-Startup
  • Show-Hidden-Folders-Files-Extensions

[ 2 ]

Malwarebytes AdwCleaner

Let's do a special run of Malwarebytes AdwCleaner to help prepare the computer to be able to run other scanning software that may be blocked

Please read all the information below before starting so that you have a good understanding of the process.
Take your time and be careful. Make sure you select all of the listed items below - before- pressing the scan button.
 
  • Please download Malwarebytes AdwCleaner and save the file to your Desktop or Downloads folder.
  • Here is another link to download if the link above does not work:  Malwarebytes AdwCleaner alternative link
  • Locate the program where you downloaded it. Double-click to start AdwCleaner.  Do not rush. There are a few choices to set as listed below.
  • Malwarebytes AdwCleaner guide
  • Reply YES at the Windows prompt to allow the program to proceed and make changes. That is the usual Windows security prompt.
  • Accept the End User License Agreement.
  • Wait until the database is updated. Do Not click on anything yet.
 
When AdwCleaner starts, on the left side panel of the window, click on Settings and enable these repair actions on the Application tab
Clicking their button to the far-right will enable the ON status
 
  • Delete IFEO keys
  • Delete tracing keys
  • Delete Prefetch files
  • Reset Proxy
  • Reset Chrome policies
  • Reset IE Policies
  • Reset Winsock
  • Reset Hosts file (If you're not having any issues accessing security or other websites you can uncheck this item)

 

image.png.a06f1c3da463f5f1a4d071a910ff71

 

ONLY after you have set the selections above ....only after that .....
Now On the left side of the AdwCleaner window, click on the Dashboard panel and then click the Scan button to perform a computer scan.
 
image.png.7a0c726e4d63978cfe4d95bca514c7
 
  • DO NOT uninstall or remove the Preinstalled software if found. Uncheck any items listed for Preinstalled
  • When finished, if items are found please click Quarantine to finish the cleaning process.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Attach that log to your next reply. You can also open the Log Files panel to locate.
  • This can take several minutes to complete, please be patient.
  • When the AdwCleaner scan is completed it will display all of the items it has found. Click on the Quarantine button To remove what it found.
  • AdwCleaner will now prompt you to save any open files or data as the program will need to close any open programs before it starts to clean.
  • Click on the Continue button to finish the removal process.
  • If No Detections are found, Click the Basic Repair button to have it reset the checked items above.


[ 3 ] 

Malwarebytes for Windows

  • If you already have Malwarebytes installed then open Malwarebytes and click on the small gear icon, then click on the "Check for updates" button on the General tab.
  • After any updates, click the middle Scan button from the main page. It will automatically run a Threat Scan.
  • If you don't have Malwarebytes installed yet, please download it from here or alternative link and install it.
  • Once installed then open Malwarebytes and select Scan and let it run.
  • Once the scan is completed, make sure you have it quarantine any detections it finds.
  • If no detections were found click on the Save results drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If there were detections then once the quarantine has completed click on the View report button, Then click the Export drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If the computer restarted to quarantine you can access the logs from the Detection History, then the History tab. Highlight the most recent scan and double-click to open it. Then click the Export drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let us know in your next reply that the scanner would not run.

 

View Reports and History in Malwarebytes for Windows v4
https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows

Malwarebytes for Windows v4 guide
https://support.malwarebytes.com/hc/en-us/articles/360038984693-Malwarebytes-for-Windows-v4-guide

 

RESTART THE COMPUTER Before running Step 4

[ 4 ]

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Please rename FRST.EXE or FRST64.EXE to FRSTEnglish.exe
  • After renaming the file right-click over FRSTEnglish.exe and select "Run as administrator"
  • When the tool opens click Yes to the disclaimer
  • Make sure there is a check mark in the Addition.txt check box
  • Press the Scan button.
  • It will make a log FRST.txt and Addition.txt in the same directory the tool is run from. Please attach both logs to your next reply.

 

 

Thank you

 

Example image of where to click to attach files when posting your reply

image.thumb.png.e208c182ff570799c53bcf57

 

 

 

Link to post
Share on other sites

  • Root Admin

Great, quite a bit of cleaning there.

Please RESTART the computer.

Then run the following

 

Let's go ahead and run a couple of scans and get some updated logs from your system. Please read the entire post below before starting so that you're more familiar with the process

[ 1 ]

Please make the following system changes.

  • Temporarily disable your antivirus real-time protection or other security software first only if it blocks or interferes with the scans or downloads.. Make sure to turn it back on once the scans are completed.
  • Temporarily disable Microsoft SmartScreen to download software below only if needed. Make sure to turn it back on once the scans are completed.
  • Disable-Fast-Startup
  • Show-Hidden-Folders-Files-Extensions

[ 2 ]

I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on the Scan Options & select the FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

  • Once you see it has started, take a long long break;  walk away.  Do not pay credence if you see some intermediate early flash messages on the screen display.  The only things that count are the End result at the end of the run.
  • The scan will take several hours.  Leave it alone. It will remove any other remaining threats as it goes along.  Take a very long break, do your normal personal errands .....just do not use the computer during this scan.

This is likely to run for many hours as previously mentioned  ( depending on the number of files on your machine & the speed of the hardware.)

The log is named MSERT.log  and the log will be at C:\Windows\debug\msert.log

Please attach that log with your next reply.

 

It is normal for the Microsoft Safety Scanner to show detections during the scan process.

It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.

Then it writes into the log on your computer what it found.

 

Thank you

Link to post
Share on other sites

after this tutorial and if this will succesful,can i uninstalled all mb softwares?? and enable windows antivirus?? I've save already the softwares in my flash drive since im downloaded it to my phone and transfer them to my pc. (im just scared to download them in my infected pc.😅)TIA.👍👍👍👍

Link to post
Share on other sites

  • Root Admin

Thank you for the log. It did find and remove a few items.

Please go ahead and run this other scanner as well

 

 

Please run the following ESET Online Scanner and perform a Full Scan

 

Click the following link to save the installer for ESET Online Scanner

https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe"
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get started. 
  • When presented with the initial ESET screen, click on "Get Started". Read and accept the Terms of use
  • On the "Before we start..." screen chose if you want to send anonymous data and if you want to provide feedback or not, then click Continue
  • When prompted for scan type, Click on the Full Scan button
  • Enable  ( select )   the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click the Start scan button.
  • Have patience.  The entire process may take a few hours or more.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.
  • Click The blue “Save scan log” to save the log and give it a name and location you remember.
  • If something was removed and you know it is a false postive, you may click on the blue ”Restore cleaned files”  ( in blue, at the bottom).
  • Press Continue when all done.  You should click to turn off the offer for “periodic scanning”.
  • Enable "Delete application data on closing" - You do not need to submit feedback unless you want to. Simply ignore and close the program.

 

Note: If you do need to do a File Restore from ESET please follow the directions below

[KB2915] Restore files quarantined by the ESET Online Scanner version 3

https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner

 

Please attach the ESET scan log you saved at the end to your next reply

 

Link to post
Share on other sites

  • Root Admin

Okay, let's run a different one

 

Please download and run the following Kaspersky Virus Removal Tool 2020 and save it to your Desktop.

(Kaspersky Virus Removal Tool version 20.0.10.0 was released on November 9, 2021)

Download: Kaspersky Virus Removal Tool

https://devbuilds.s.kaspersky-labs.com/devbuilds/KVRT/latest/full/KVRT.exe

How to run a scan with Kaspersky Virus Removal Tool 2020
https://support.kaspersky.com/15674

How to run Kaspersky Virus Removal Tool 2020 in the advanced mode
https://support.kaspersky.com/15680

How to restore a file removed during Kaspersky Virus Removal Tool 2020 scan
https://support.kaspersky.com/15681

 


Select the  image.png  Windows Key and R Key together, the "Run" box should open.

user posted image

Drag and Drop KVRT.exe into the Run Box.

user posted image

C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the run box.

image.png

add -dontencrypt   Note the space between KVRT.exe and -dontencrypt

C:\Users\{your user name}\DESKTOP\KVRT.exe -dontencrypt should now show in the Run box.
 
image.png


That addendum to the run command is very important, when the scan does eventually complete the resultant report is normally encrypted, with the extra command it is saved as a readable file.

Reports are saved here C:\KVRT2020_Data\Reports and look similar to this report_20210123_113021.klr
Right-click direct onto that report, select > open with > Notepad. Save that file and attach it to your reply.

To start the scan select OK in the "Run" box.

A EULA window will open, tick all confirmation boxes then select "Accept"

image.png

In the new window select "Change Parameters"

image.png

In the new window ensure all selection boxes are ticked, then select "OK" The scan should now start...

user posted image

When complete if entries are found there will be options, if "Cure" is offered leave as is. For any other options change to "Delete" then select "Continue"

user posted image

When complete, or if nothing was found select "Close"

image.png

Attach the report information as previously instructed...
 
Thank you
 
 

 

 

Link to post
Share on other sites

  • Root Admin

The scan found and removed an object

<Report>
    <Metadata Version="1" PCID="{33FD721B-8003-80CE-D0A3-3AFE93B92968}" LastModification="2024.01.11 18:19:10.289" />
    <EventBlocks>
        <Block0 Type="Scan" Processed="662540" Found="1" Neutralized="1">
            <Event0 Action="Scan" Time="133494396595695614" Object="" Info="Started" />
            <Event1 Action="Detect" Time="133494408071472100" Object="C:\Users\Admin\AppData\Roaming\XgdED.cmd" Info="HEUR:Trojan.BAT.Agent.gen" />
            <Event2 Action="Scan" Time="133494418211240290" Object="" Info="Finished" />
            <Event3 Action="Select action" Time="133494419500085607" Object="C:\Users\Admin\AppData\Roaming\XgdED.cmd" Info="Delete" />
            <Event4 Action="Disinfection" Time="133494419500085607" Object="" Info="Started" />
            <Event5 Action="Quarantined" Time="133494419500195716" Object="C:\Users\Admin\AppData\Roaming\XgdED.cmd" Info="" />

            <Event6 Action="Deleted" Time="133494419500195716" Object="C:\Users\Admin\AppData\Roaming\XgdED.cmd" Info="" />
            <Event7 Action="Disinfection" Time="133494419502738201" Object="" Info="Finished" />
        </Block0>
    </EventBlocks>
</Report>

 

 

Please run the following

 

SecurityCheck by glax24              


I would like you to run a tool named SecurityCheck to inquire about the current security update status of some applications.
CheckSecurity is a utility for quickly checking for the presence of vulnerable applications

  • Temporarily disable Microsoft SmartScreen to download the software
  • Download SecurityCheck by glax24: https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
  • If SmartScreen blocks the file from running click on More info and Run anyway
  • This tool is safe.   Smartscreen is overly sensitive. You can check the VirusTotal scan of the tool from here
  • Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"  and reply YES to allow to run & go forward
  • Wait for the scan to finish. It will open a text file named SecurityCheck.txt Close the file.  Attach it with your next reply.
  • You can find this file in a folder called SecurityCheckC:\SecurityCheck\SecurityCheck.txt

Items checked:

  1. User Account Control (UAC).
  2. Service pack.
  3. IE version.
  4. Automatic OS update. Sets of critical KB patches when updating is disabled.
  5. Antivirus, firewall, other security utilities.
  6. Versions of Java, Oracle Virtualbox.
  7. Version of Adobe Flash Player, Adobe AIR.
  8. Versions of Adobe Reader, Acrobat Reader DC, Foxit Reader.
  9. Versions of media players (iTunes, AIMP, foobar2000).
  10. Versions of messengers (Skype, Pidgin).
  11. Versions of installed browsers (Chrome, Opera, Firefox, Yandex, SeaMonkey).
  12. Versions of mail programs (The Bat, Thunderbird).
  13. Checking running processes and security program services
  14. Searching for installed Adware programs and optimizer programs (More than 5000).

Thank you

 

Link to post
Share on other sites

  • Root Admin

Please update the following

 

Then RESTART the computer and check for Windows Updates and install any security updates found

 

Then let me know if there are still any signs of infection or other unresolved issues

 

Link to post
Share on other sites

all softwares listed are up-to date.

yes, no signs of infection after the last software you suggest here to run on my pc.

also i deleted the games that has a cracked file. 

except malwarebytes detected my kms renewal setup for my win10 pro os.(im just poor cant afford a licensed one.😅)

Link to post
Share on other sites

  • Root Admin

Let's go ahead and do some clean-up work and remove the tools and logs we've run.

Please download KpRm by kernel-panik and save it to your desktop.

  • right-click kprm_(version).exe and select Run as Administrator.
  • Read and accept the disclaimer.
  • When the tool opens, ensure all boxes under Actions are checked.
  • Under Delete Quarantines select Delete Now, then click Run.
  • Once complete, click OK.
  • A log will open in Notepad titled kprm-(date).txt.
  • Please attach that file to your next reply. (not compulsory)

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.