Jump to content

please help idk how i got this


Recommended Posts

@SiiiK

Let's get the info to get the process started. Be aware it will take many steps and scans to fully remove pesky malware.

Please respond to all future instructions from your helper in a timely manner.

Please do the following so that we may take a closer look at your system for any possible infections.

Do these 2 steps FIRST so that files and folders are set to SHOW, plus also, Turn OFF Windows Fast Start.
Show-Hidden-Folders-Files-Extensions
https://forums.malwarebytes.com/topic/299345-show-hidden-folders-files-extensions/

Disable-Fast-Startup
https://forums.malwarebytes.com/topic/299350-disable-fast-startup/

Then please restart the computer and do the following.

WARNING: Do Not click the Repair option under Advanced unless requested by a Malwarebytes support agent or authorized helper

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool. The tool also downloads and runs a file called FRSTEnglish. Please allow it to run.
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • image.png.79d4442a821713608fa60808a98c2e69.png
  • image.png.98d86a6c3017d2bbba48877ea4f6ba45.png
  • A zip file named mbst-grab-results.zip will be saved to the Desktop or on the hidden Public desktop (usually C:\Users\Public\Desktop), please upload that file on your next reply

    Then be patient for the next expert to take your case.

Thank you

Link to post
Share on other sites

  • Root Admin

Please do not self zip files into Rar unless requested.

 

Please run the following

 

Dr.Web CureIt!

Please download the Dr.Web CureIt! anti-virus utility
https://free.drweb.com/

 

You will need to send them an email to obtain a link to download the scanner, please do so

  • The downloaded file will normally have a unique name such as:  q7a9tr4p.exe
  • Close all open applications and locate the downloaded file and double-click to run it
  • The program will take a moment to launch and bring up the License and Update screen
  • Place a check mark to agree to the terms and then click on the Continue button
  • Click the underlined link Select objects for scanning
  • On the top left click the Scanning objects that should automatically check all objects
  • Click the small wrench and make sure there is a check on Automatically apply actions to threats
  • Then click the large button on bottom right Start scanning
  • Once the scan has completed there will be a link named Open report click that and a log named cureit.log should open in Notepad
  • The log is saved in the folder named Doctor Web in the top of your user profile folders
  • Please attach that log on your next reply

 

 

 

Link to post
Share on other sites

  • Root Admin

Thank you for the log @SiiiK

Total 12 files are infected
Total 12 files are neutralized

Please go ahead and run the following scan. Note that the canned message may not be 100% accurate but hopefully close enough that you can figure it out and complete the scan and post back the log.

 

 

Sophos Scan & Clean

Download Sophos Free Virus Removal Tool and save it to your desktop.

  • If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....
  • Please close all other open applications and Do Not use your PC whilst the scan is in progress... This scan is very thorough so it may take several hours to complete, please be patient...

Double click the icon and select Run

Click Next

Select I accept the terms in this license agreement, then click Next twice

Click Install

Click Finish to launch the program

  • Once the virus database has been updated click Start Scanning

If any threats are found click Details, then View log file... (bottom left hand corner)

 

Attach the results in your next reply

  • Close the Notepad document, close the Threat Details screen, then click Start cleanup

Click Exit to close the program

 

If no threats were found please confirm that result...

  • The Virus Removal Tool scans the following areas of your computer:
  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable
  • Mapped network drives are not scanned.

Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

 

Saved logs are found under this sub-folder: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs 

Please attach that log on your next reply

Thank you

 

Link to post
Share on other sites

  • Root Admin

Thank you for the log. Not much found there.

 

 

Please make the following change in Malwarebytes if you're using the Premium or Trial version

  • Please open Malwarebytes. Click on the small gear icon to open the Settings and go to the Security tab.
  • Then turn off "Always register Malwarebytes in the Windows Security Center"
  • Restart the computer

image.png.ced4aa64af4718ab767f579cc39014

 

It is highly unlikely that you need to setup exclusions for Windows Defender, however if you experience any issues, please see the following article and setup exclusions
between Malwarebytes and Windows Defender

Malwarebytes for Windows antivirus exclusions list
https://support.malwarebytes.com/hc/en-us/articles/360038522974-Malwarebytes-for-Windows-antivirus-exclusions-list

 

Then run the following

Scan with SecurityCheck by glax24
https://forums.malwarebytes.com/topic/307301-scan-with-securitycheck-by-glax24/

 

 

Link to post
Share on other sites

  • Root Admin


Please uninstall, update, or otherwise address the following as appropriate for your computer.

  • BitComet 2.05 v.2.05 Warning! Ad-supported P2P-client.
  • Discord v.1.0.9032 Warning! Download Update

 

I would recommend that you consider uninstalling the following. Most computer experts do not recommend.

---------------------------- [ UnwantedApps ] -----------------------------
Advanced SystemCare v.17.0.1 Warning! Suspected demo version of anti-spyware, driver updater or optimizer.
Driver Booster 11 v.11.2.0 Warning! Suspected demo version of anti-spyware, driver updater or optimizer.
----------------------------- [ End of Log ] ------------------------------

 

Then RESTART the computer and check for Windows Updates and install any Security Updates found.

 

 

The act of torrenting itself is not illegal. However, downloading and sharing unsanctioned copyrighted material is illegal, and there is always a chance of prosecution if caught by the authorities.
Torrenting non-copyrighted material is perfectly fine and is allowed. However, be aware that we have seen increased malware bundled with software downloads over P2P.

Recent Ransomware infections have been seen to encrypt user data so that no one can decrypt the data without the private key.
When sharing files, please keep in mind that you're increasing your system's attack surface area, which can increase the risk of infection.

Scan all files before running them. https://www.virustotal.com

If you don't need or use the P2P software, you should uninstall it.

P2P File-Sharing: Know the Risks
https://www.bankinfosecurity.com/p2p-file-sharing-know-risks-a-737

 

Hidden risks in pirated software https://news.microsoft.com/apac/2019/01/08/hidden-risks-in-pirated-software/
Why You Shouldn't Use Pirated Software (But Why People Still Do) https://www.computer.org/publications/tech-news/trends/why-you-shouldnt-use-pirated-software

 

 

After restarting the computer and making the requested change in my last post. How is the computer running now? Are there still any signs of infections or any other unresolved issues at this time?

 

Link to post
Share on other sites

  • Root Admin

I think those are probably history that you've not clicked on to resolve

Please make a NEW System Restore Point and do the following

 

 

 

If you like we can try a new way by clearing all the history from Windows Defender manually.

Please do the following

Click on Start and type CMD.EXE and when it shows, right-click over it and select to "Run as administrator"

Then type the following and press the Enter key

MD  C:\ClearWD

Then open the File Explorer to that new folder and right click and select New -- >> Text Document

Then open it with Notepad. Then copy and paste the following into the blank document

@echo off
pushd "C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory"
echo Current folder is: %CD%
rd /q /s "C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory"
popd
pushd "C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service"
echo Current folder is: %CD%
del /s /f /q "C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\*.log"
popd
pushd "C:\ProgramData\Microsoft\Windows Defender\Scans"
echo Current folder is: %CD%
del /s /f /q "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache*"
del /s /f /q "C:\ProgramData\Microsoft\Windows Defender\Scans\mpenginedb.db"
del /s /f /q "C:\ProgramData\Microsoft\Windows Defender\Scans\mpenginedb.db-wal"
popd
pushd "C:\ProgramData\Microsoft\Windows Defender\Support"
echo Current folder is: %CD%
del /s /f /q "C:\ProgramData\Microsoft\Windows Defender\Support\*.log"
del /s /f /q "C:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing*"
popd
pushd "C:\ProgramData\Microsoft\Windows Defender\Scans\History\Store"
echo Current folder is: %CD%
del /s /f /q "C:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\*"
popd
wevtutil cl "Microsoft-Windows-Windows Defender/Operational"
pause

Then save the document.

Then rename the extension from .TXT to .BAT

The file should now be called C:\ClearWD\ClearWDHistory.bat

Once that is set up restart the computer into the Recovery Environment

You can enter the Recovery Mode by copying and pasting the following into the command prompt

Make sure you save all open documents first and close all programs as the computer will restart.

shutdown /r /o

 

From the Recovery Mode select the COMMAND PROMPT

Normally it will open as X:

In most cases you simply need to type C: and press the Enter key to get to the C: drive.

Then you'd type CD ClearWD and press the Enter key

Then type ClearWDHistory.bat  and press the Enter key

That should run and clear out your Windows Defender History

Then restart into Normal Mode and wait about 5 minutes and then recheck Windows Defender

 

Let me know if you have any questions

 

 

Link to post
Share on other sites

  • Root Admin

You have a policy disabling the Firewall. That needs to be removed

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0

 

Setting the data in this parameter to 0 will disable firewall on the machine. To enable firewall you need to set the registry value to 1.

 

The Service dosvc (Delivery Optimization) appears to possibly have an issue which can prevent Windows Updates from happening

That needs to be working

 

Link to post
Share on other sites

  • Root Admin

That's good if you've set it now, but the log you ran said it was not set.

Please RESTART the computer and verify that it remains set to 1 and that the Firewall is enabled

image.png

 

image.png

 

Please open SERVICES.MSC and see if you're able to start and run the DoSvc  ( Delivery Optimization ) service.

Then check for Windows Updates and see if it runs and finds any updates

Let me know, please

 

Edited by AdvancedSetup
Updated information
Link to post
Share on other sites

  • Root Admin

Let's go ahead and do some clean-up work and remove the tools and logs we've run.

Please download KpRm by kernel-panik and save it to your desktop.

  • right-click kprm_(version).exe and select Run as Administrator.
  • Read and accept the disclaimer.
  • When the tool opens, ensure all boxes under Actions are checked.
  • Under Delete Quarantines select Delete Now, then click Run.
  • Once complete, click OK.
  • A log will open in Notepad titled kprm-(date).txt.
  • Please attach that file to your next reply. (not compulsory)

 

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.