Hello! I'm a little stressed and writing this on mobile so please excuse any formatting errors.

Two or so days ago I downloaded a file I believed to contain a cracked ROM, it had an exe file that I ran. I know it was stupid even after I did it but I just deleted the files and thought nothing of it.

Today I woke up to find out that two of my accounts had been compromised. I have since reset the passwords and put in more security measures. I decided to buy the premium plan for Malwarebytes as well.

Every few minutes, Malwarebytes gives me a pop-up saying it has blocked a site from being accessed. It also says it's connected to "explorer.exe" located in the SysWOW64 folder. The url that is associated with this malware implies that it is the Amadey trojan, so I have turned off and unplugged my computer.

I asked on a tech support Discord server for advice and they told me the best thing to do is to do a full system wipe. I am ready to do this if I must, but I saw someone else who had the exact same issue as myself (the topic is still open). Is there anything I can do? I'm scared of turning on my computer and infecting more things. I also worry that I can't use flash drives as I might infect them too.

I have added a screenshot I took of the pop-up I got. I also have the report saved as a txt. Any advice would be much appreciated. I do not have any backups of my data, nor do I have any logs I can share right now. I do not know if turning on my PC is safe as I have already had to deal with two accounts being compromised. Thank you for your time.

image-2.png

report.txt


@CristalViper

Although I will not be directly assisting you, a malware removal expert will be along to assist after you do the following.

Let's get the info to get the process started. Be aware it will take many steps and scans to fully remove malware.

Please respond to all future instructions from your helper in a timely manner.

Let's go ahead and run a couple of scans and get some updated logs from your system. Please read the entire post below before starting so that you're more familiar with the process

Then follow each step in the order provided. Unless otherwise asked, please attach all logs

 

Please make the following system changes. Please pay close attention to the instructions in all of the following links.

  • If you have not done so already, enable System Protection and create a NEW System Restore Point.
  • Temporarily disable your antivirus real-time protection or other security software first only if it blocks or interferes with the scans or downloads. Make sure to turn it back on once the scans are completed.
  • Temporarily disable Microsoft SmartScreen to download the software below only if needed. Make sure to turn it back on once the downloads are completed.
  • Disable Fast Startup.
  • Show hidden folders, files and extensions.

Please run the following scans. Please pay close attention to the instructions in all of the following links.

  1. Click the following link and run a Scan with AdwCleaner.
  2. Click the following link and run a Scan with Malwarebytes.
       RESTART the computer.
  3. Click the following link and run a Scan with Farbar Recovery Scan Tool.

Example image of where to click to attach files when posting your reply.

Then be patient for the next expert to take your case.

 

Thank you


Just now, CristalViper said:

But no one has let me know if it's safe or not...

It is your choice. We can't know if it is safe for you to run the PC or not.

3 hours ago, CristalViper said:

Every few minutes, Malwarebytes gives me a pop-up saying it has blocked a site from being accessed. It also says it's connected to "explorer.exe" located in the SysWOW64 folder. The url that is associated with this malware implies that it is the Amadey trojan

Malwarebytes is blocking the communication to that server, which is a good thing.

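The symptom reported above is a blocked outbound connection attributed to an explorer.exe under SysWOW64. The following added example (not part of this thread and not a Malwarebytes tool) shows the triage a helper typically wants before deciding anything: for every running explorer.exe it records the on-disk path, the Authenticode signature status and signer, and any established TCP connections owned by that process. The publisher pattern, the flagging rules and the output layout are my own assumptions.

```powershell
# Added example (not from this thread): triage every running explorer.exe.
# Assumes Windows 10/11 with PowerShell 5.1 or later; Get-NetTCPConnection comes
# from the NetTCPIP module that ships with Windows 8 and later. Run from an
# elevated prompt so process paths and owning PIDs are visible.

function Get-ExplorerTriage {
    [CmdletBinding()]
    param(
        # Pattern expected in the signer certificate subject (assumption: Microsoft-signed).
        [string]$TrustedPublisher = 'Microsoft'
    )

    $results = foreach ($proc in Get-Process -Name explorer -ErrorAction SilentlyContinue) {
        $path = $proc.Path
        $sig  = if ($path) { Get-AuthenticodeSignature -FilePath $path } else { $null }

        # Established TCP connections owned by this PID, as host:port strings.
        $remotes = Get-NetTCPConnection -OwningProcess $proc.Id -State Established -ErrorAction SilentlyContinue |
            ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" }

        # Collect anything worth mentioning in the forum reply.
        $flags = @()
        if (-not $path) {
            $flags += 'no path (access denied?)'
        } elseif ($path -notlike "$env:windir\*") {
            $flags += 'outside the Windows directory'
        }
        if ($sig -and $sig.Status -ne 'Valid') { $flags += "signature $($sig.Status)" }
        if ($sig -and $sig.SignerCertificate -and
            $sig.SignerCertificate.Subject -notmatch $TrustedPublisher) {
            $flags += 'unexpected signer'
        }
        if ($remotes) { $flags += "$(@($remotes).Count) established connection(s)" }

        [pscustomobject]@{
            PID       = $proc.Id
            Path      = $path
            Signature = if ($sig) { $sig.Status } else { 'unknown' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Remotes   = (@($remotes) -join ', ')
            Flags     = ($flags -join '; ')
        }
    }
    return $results
}

# Usage: print one record per explorer.exe instance.
Get-ExplorerTriage | Format-List
```

The baseline on a healthy system is a single explorer.exe under C:\Windows with a valid Microsoft signature (the 32-bit copy under SysWOW64 is also a legitimate Windows file and is not flagged by the path check). A second instance, an unsigned file, or a path elsewhere is what to paste into the reply. A valid signature does not rule out code injected into that process, so this output is context for the scans the helpers request, not a replacement for them.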

Hi, just wanted to post an update - I'm still happy to do any scans you suggest! But right now things seem to be okay? I actually updated Malwarebytes yesterday like the forum post said, and I haven't gotten any pop-up notifications since. It would definitely be a crazy coincidence that two of my accounts got compromised overnight, AND I find out I might have malware, but... everything has been okay for now. I've used the built-in Windows 11 scanner as well as Malwarebytes and Kaspersky VRT and neither of the programs found any issues. I'm hoping it really was just a false positive and that my accounts being compromised happened because of my poor passwords. Still, any advice is appreciated, if you think I should do more scans, etc. Thanks!


  • Root Admin

Hello @CristalViper

Some of the logs were not complete. Please go ahead and run the following.

 

Please download and run the following Kaspersky Virus Removal Tool 2020 and save it to your Desktop.

(Kaspersky Virus Removal Tool version 20.0.10.0 was released on November 9, 2021)

Download: Kaspersky Virus Removal Tool

https://devbuilds.s.kaspersky-labs.com/devbuilds/KVRT/latest/full/KVRT.exe

How to run a scan with Kaspersky Virus Removal Tool 2020
https://support.kaspersky.com/15674

How to run Kaspersky Virus Removal Tool 2020 in the advanced mode
https://support.kaspersky.com/15680

How to restore a file removed during Kaspersky Virus Removal Tool 2020 scan
https://support.kaspersky.com/15681

 


Press the Windows key and R key together; the "Run" box should open.

Drag and drop KVRT.exe into the Run box.

C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the Run box.

Add -dontencrypt. Note the space between KVRT.exe and -dontencrypt.

C:\Users\{your user name}\DESKTOP\KVRT.exe -dontencrypt should now show in the Run box.


That addendum to the run command is very important: when the scan does eventually complete, the resulting report is normally encrypted; with the extra switch it is saved as a readable file.

Reports are saved in C:\KVRT2020_Data\Reports and have names similar to report_20210123_113021.klr.
Right-click directly on that report, select Open with > Notepad. Save that file and attach it to your reply.

To start the scan select OK in the "Run" box.

An EULA window will open. Tick all confirmation boxes, then select "Accept".

In the new window select "Change Parameters".

In the new window ensure all selection boxes are ticked, then select "OK". The scan should now start.

When complete, if entries are found there will be options. If "Cure" is offered, leave it as is; for any other option change it to "Delete", then select "Continue".

When complete, or if nothing was found, select "Close".

Attach the report information as previously instructed.

Thank you
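The Run-box procedure above has two parts that are easy to get wrong: the -dontencrypt switch (without it the report is unreadable) and picking out the report that the scan just wrote. The following added example is my own script, not part of this thread or of Kaspersky's tool; it assumes KVRT.exe was saved to the Desktop and that reports land in C:\KVRT2020_Data\Reports with a .klr extension, exactly as the post states, and it checks the download's Authenticode signature before launching it.

```powershell
# Added example (not from this thread): launch KVRT with -dontencrypt, then copy
# the newly written report to the Desktop as a .txt ready to attach.
# Assumptions: KVRT.exe on the Desktop; reports under C:\KVRT2020_Data\Reports;
# PowerShell 5.1 or later on Windows 10/11.

function Invoke-KvrtScan {
    param(
        [string]$KvrtPath   = (Join-Path ([Environment]::GetFolderPath('Desktop')) 'KVRT.exe'),
        [string]$ReportDir  = 'C:\KVRT2020_Data\Reports',
        [string]$OutputPath = (Join-Path ([Environment]::GetFolderPath('Desktop')) 'KVRT_report.txt')
    )

    if (-not (Test-Path -Path $KvrtPath)) { throw "KVRT.exe not found at $KvrtPath" }

    # Refuse to run a download whose signature does not verify (tampered or truncated file).
    $sig = Get-AuthenticodeSignature -FilePath $KvrtPath
    if ($sig.Status -ne 'Valid') { throw "Refusing to run: signature status is $($sig.Status)" }
    Write-Host "Signer: $($sig.SignerCertificate.Subject)"

    # Remember the newest existing report so only the new one is picked up afterwards.
    $before = Get-ChildItem -Path $ReportDir -Filter '*.klr' -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1

    # -dontencrypt keeps the .klr report readable; -Verb RunAs prompts for elevation.
    Start-Process -FilePath $KvrtPath -ArgumentList '-dontencrypt' -Verb RunAs -Wait

    $after = Get-ChildItem -Path $ReportDir -Filter '*.klr' -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1

    if (-not $after -or ($before -and $after.FullName -eq $before.FullName)) {
        throw "No new report found in $ReportDir (was the scan cancelled?)"
    }

    # A .txt copy can be attached to the forum reply without renaming by hand.
    Copy-Item -Path $after.FullName -Destination $OutputPath -Force
    Write-Host "Report copied to $OutputPath"
    return $OutputPath
}

# Usage: run the scan interactively, then report where the readable copy went.
Invoke-KvrtScan
```

The scan itself is still driven through KVRT's own window (EULA, Change Parameters, Continue, Close) as described in the post; the script only guarantees the switch is present and that the right report gets attached.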

I'll attach the KVRT log once the scan completes, it looks like it's going to take a few hours. Yesterday I changed the Malwarebytes settings to also scan for the rootkit, and it actually did find a trojan that time. I've quarantined and removed it. I've done a full scan with the built-in windows tool as well as done a few more with Malwarebytes and there haven't been any issues since, so I hope it's resolved.


  • Root Admin

That is the correct log. It says it found no threats.

Let me have you get me the following logs.

Scan with SecurityCheck by glax24
https://forums.malwarebytes.com/topic/307301-scan-with-securitycheck-by-glax24/

Scan with FSS Farbar Service Scanner
https://forums.malwarebytes.com/topic/306736-scan-with-fss-farbar-service-scanner/


  • Root Admin

 

Please uninstall, update, or otherwise address the following as appropriate for your computer.

---------------------------- [ UnwantedApps ] -----------------------------
CCleaner v.6.23 Warning! (Computer experts no longer recommend this program. Recommend you uninstall it)

Then RESTART the computer and check for Windows Updates and install any updates found.

If Windows Updates don't work, please let me know.

Thanks

 


  • Root Admin

Excellent, glad to hear all is well again. I'll go ahead and close your topic now and wish you well.

Please follow the directions below to remove the logs and tools we've used. If any are still left after that you can manually uninstall or delete them.

Take care and stay safe out there. Try to follow as much of the advice below as you can as well.

 

Let's go ahead and do some clean-up work and remove the tools and logs we've run.

Please download KpRm by kernel-panik and save it to your desktop.

  • Right-click kprm_(version).exe and select Run as Administrator.
  • Read and accept the disclaimer.
  • When the tool opens, ensure all boxes under Actions are checked.
  • Under Delete Quarantines select Delete Now, then click Run.
  • Once complete, click OK.
  • A log will open in Notepad titled kprm-(date).txt. You can close it.

 

We're glad that we were able to assist you.

 

The following information will help you to keep your computer and data safer as well as improve your overall privacy.

  1. Recommend using a Password Manager for all websites, etc. that require a password. Never use the same password on more than one site.
    https://www.howtogeek.com/780233/best-password-manager/
  2. Make sure you're backing up your files: https://forums.malwarebytes.com/topic/136226-backup-software/
  3. Keep all software up to date - PatchMyPC - https://patchmypc.com/home-updater#download and https://patchmypc.com/about-us
  4. Keep your Operating System up to date and current at all times - https://support.microsoft.com/en-us/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2
  5. Further tips to help protect your computer data and improve your privacy: https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/
  6. Please consider installing the following Content Blockers for your Web browsers if you haven't done so already. This will help improve overall security.

Malwarebytes Browser Guard

uBlock Origin

 

Cybersecurity basics & protection
Everything you need to know about cybercrime
https://www.malwarebytes.com/cybersecurity

 

Further reading if you'd like to keep up on the malware threat scene: Malwarebytes Blog https://blog.malwarebytes.com/

Hopefully, we've been able to assist you with correcting your system issues.

Thank you for using Malwarebytes. Please tell your friends and family if they too need assistance with malware removal.
