Jump to content

Another 172.111.239.90 Help please.


Go to solution Solved by MKDB,

Recommended Posts

Hi support,

I have this dreaded 172.111.239.90 CMD.exe malware.

I have run a full scan as well and also FRST64 and ADWCleaner.

Logs are attached.

Would really appreciate help!

Also this:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 1/20/24
Scan Time: 1:08 AM
Log File: 0335098a-b728-11ee-9ef9-d85ed35748c6.json

-Software Information-
Version: 4.6.8.311
Components Version: 1.0.2242
Update Package Version: 1.0.79832
License: Trial

-System Information-
OS: Windows 11 (Build 22631.3007)
CPU: x64
File System: NTFS
User: Errols-PC\errol

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 342516
Threats Detected: 1
Threats Quarantined: 1
Time Elapsed: 3 min, 31 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 1
RiskWare.VulnerableDriver, C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\APPDATA\ROAMING\GOOGLE\LIBS\WR64.SYS, Quarantined, 12329, 1212056, 1.0.79832, , ame, , 516B1BFF39ABEFF2EE8840956F20AEB3, E5695DD03BB59EEF9E58528F1CD4CF0A796DA8D0ED9D24140BD845E5F4244A5B

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

MB Scan 20012024.txtFRST.txt

 

 

Link to post
Share on other sites

And this:

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 1/20/24
Protection Event Time: 1:48 AM
Log File: 997341dc-b72d-11ee-9f8a-d85ed35748c6.json

-Software Information-
Version: 4.6.8.311
Components Version: 1.0.2242
Update Package Version: 1.0.79832
License: Trial

-System Information-
OS: Windows 11 (Build 22631.3007)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe, Blocked, -1, -1, 0.0.0, , 

-Website Data-
Category: Phishing
Domain: cloudfilt.com
IP Address: 51.222.108.20
Port: 443
Type: Outbound
File: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

(end)

Link to post
Share on other sites

Hello @skankehmonkeh  and  :welcome:

 

My name is MKDB and I will assist you.

 

 

Let's keep these principles as we proceed. Make sure to read the entire post below first.

  • Please follow the steps in the given order and post back the log files.
  • Please attach all log files into your post.
  • Before we start, please make sure that you have an external backup, not connected to this system, of all private data.
  • Only run the tools I guide you to. Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • As English is not my native language, please do not use slang or idioms. It may be hard for me to understand.
  • If you do not respond within 4 days, your topic will be closed.
  • Cracked or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed, is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also a big source of current trojan infections. If you are running any kin of illegal software on your system, please uninstall them now, before we start the cleaning procedure.

 

Please give me some time to review what you have posted.

Thank you!

Link to post
Share on other sites

  • Solution

@skankehmonkeh

We will use FRST to run a fix.

Please be patient and do not interfere. This fix may take some minutes.

Thank you.

 

 

  • Please download the attached fixlist.txt file and save it to the location where you ran FRST from ( R:\Downloads\Utilities\Security\ ).

Note: It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

  • Close all open programs and save your work.
  • Run FRST again.
  • Press the FIX button only once and wait.
  • Please be patient and do not interfere, even if FRST does not respond for some time. That's nothing to worry about.
  • Please note: This Fix will remove all temporary files, empty recycle bin and will remove cookies and may result in some websites indicating they do not recognize your computer. It may be necessary to receive and apply a verification code.
  • Please note: This step resets your Firewall settings and you may be asked later to grant permission for legitimate programs to pass through the Firewall. If you recognize the program, agree to the request.
  • If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart.
  • FRST will create one log now (Fixlog.txt) in the same directory the tool is run.
  • Please attach this logfile to your next reply.

 

 

fixlist.txt

Link to post
Share on other sites

@skankehmonkeh

Thank you for the fixlog.

 

Are there still any notifications regarding CMD?

 

I would like you to run a fresh FRST scan as well as SecurityCheck to check the results.

 

 

1️⃣

  • Run FRST again.
  • Do not change any settings.
  • Press the Scan button.
  • FRST will create two logs now (FRST.txt + Addition.txt) in the same directory the tool is run.
  • Please attach these logfiles to your next reply.

 

 

2️⃣

I would like you to run a tool named SecurityCheck to inquire about the current security update status of some applications.

  • Download SecurityCheck by glax24: https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
  • If Microsoft SmartScreen blocks the download, click through to save the file
  • This tool is safe.   Smartscreen is overly sensitive.
  • If SmartScreen blocks the file from running click on More info and Run anyway
  • Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"  and reply YES to allow to run & go forward
  • Wait for the scan to finish. It will open a text file named SecurityCheck.txt Close the file.  Attach it with your next reply.
  • You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

 

 

Link to post
Share on other sites

@skankehmonkeh

You should update some programs (if your still need them) or uninstall them (if you don't need them anymore) or otherwise address them:

PuTTY release 0.78 (64-bit) v.0.78.0.0 Warning! Download Update
calibre 64bit v.6.29.0 Warning! Download Update
PuTTY release 0.79 (64-bit) v.0.79.0.0 Warning! Download Update
WinSCP 5.21.6 v.5.21.6 Warning! Download Update
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 v.14.36.32532.0 Warning! Download Update
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 v.14.36.32532.0 Warning! Download Update
WinRAR 6.11 (64-bit) v.6.11.0 Warning! Download Update
GIMP 2.10.30 v.2.10.30 Warning! Download Update
Discord v.1.0.9003 Warning! Download Update
Microsoft Teams v.1.5.00.9163 Warning! Download Update
Zoom v.5.8.7 (2058) Warning! Download Update
BiglyBT v.3.2.0.0 Warning! Download Update
iTunes v.12.13.0.9 Warning! Download Update
^Please use Apple Software Update tool.^
foobar2000 v2.0 v.2.0 Warning! Download Update
HandBrake 1.5.1 v.1.5.1 Warning! Download Update

Driver Booster for Steam Warning! Suspected demo version of anti-spyware, driver updater or optimizer. If this program is not familiar to you it is recommended to uninstall it and execute PC scanning using Malwarebytes Anti-Malware. Possible you became a victim of fraud or social engineering. Computer experts no longer recommend this program.
Bonjour v.3.1.0.1 Warning! Application is distributed through the partnership programs and bundle assemblies. Uninstallation recommended. Possible you became a victim of fraud or social engineering.

 

 

 

Thank you for your cooperation. You can use KpRm to remove FRST and other tools.

 

Please download KpRm by kernel-panik and save it to your desktop.

  • Right-click kprm_(version).exe and select Run as Administrator.
  • Read and accept the disclaimer.
  • When the tool opens, select Delete Tools under Actions.
  • Under Delete Quarantines select Delete Now, then click Run.
  • Once complete, click OK.
  • A log may open in Notepad titled kprm-(date).txt.  I do not need it. Just close Notepad if it shows up.

 

A few final recommendations can be found here:

https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/

 

Further reading if you like to keep up on the malware threat scene:

Malwarebytes Blog  https://blog.malwarebytes.com/

 

Hopefully, we've been able to assist you with correcting your system issues.

Thank you for using Malwarebytes.

 

Link to post
Share on other sites

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection.

Thank you.

 

As this topic seems to be solved, I do not follow it any longer.

Take care!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.