i6cvs Posted July 3 ID:1646643 Share Posted July 3 From 2 days I installed 2 apps called: SageThumbs and WinThumbsPreloader ( I deleted them now), after that all browsers(brave, Chrome, and Edge except Opera) were hijacked so when I search for anything it sends a request to bimq.co, and redirect to the search google. after some search for fixes, the malware added some policies to browsers in registry, I made a scan with Malwarebytes deleted everything restarted pc and still, the hijack still working, I don't know what the source is. I read other posts but most files are unavailable and may be different methods. (this photo from procmon tried to detect what adds that key hoping to find something) Link to post Share on other sites More sharing options...
Porthos Posted July 3 ID:1646646 Share Posted July 3 @i6cvs Although I will not be directly assisting you, a malware removal expert will be along to assist after you do the following. Let's get the info to get the process started. Be aware it will take many steps and scans to fully remove malware. Please respond to all future instructions from your helper in a timely manner. Let's go ahead and run a couple of scans and get some updated logs from your system. Please read the entire post below before starting so that you're more familiar with the process Then follow each step in the order provided. Unless otherwise asked, please attach all logs Please make the following system changes: Please pay close attention the the instructions in all of the following links. If you have not done so already - Enable System Protection and create a NEW System Restore Point <<<<< Important. Temporarily disable your antivirus real-time protection or other security software first only if it blocks or interferes with the scans or downloads.. Make sure to turn it back on once the scans are completed Temporarily disable Microsoft SmartScreen to download software below only if needed. Make sure to turn it back on once the downloads are completed Disable-Fast-Startup <<<<< Important. Show-Hidden-Folders-Files-Extensions Please run the following scans: Please pay close attention the the instructions in all of the following links. Click the following link and run a Scan with AdwCleaner Click the following link and run a Scan with Malwarebytes RESTART the computer <<<<< Important. Click the following link and run a Scan with Farbar Recovery Scan Tool Example image of where to click to attach files when posting your reply Then be patient for the next expert to take your case. <<<<< Important. Thank you Link to post Share on other sites More sharing options...
MKDB Posted July 3 ID:1646648 Share Posted July 3 Hello @i6cvs and My name is MKDB and I will assist you. Let's keep these principles as we proceed. Make sure to read the entire post below first. Please follow the steps in the given order and post back the log files. Please attach all log files into your post. Before we start, please make sure that you have an external backup, not connected to this system, of all private data. Only run the tools I guide you to. Please don't run any other scans, download, install or uninstall any programs while I'm working with you. As English is not my native language, please do not use slang or idioms. It may be hard for me to understand. If you do not respond within 4 days, your topic will be closed. Cracked or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed, is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also a big source of current trojan infections. If you are running any kin of illegal software on your system, please uninstall them now, before we start the cleaning procedure. Please attach the requested logfiles from AdwCleaner, Malwarebytes and Farbar Recovery Scan Tool and we will be happy to help you! Thank you! Link to post Share on other sites More sharing options...
i6cvs Posted July 3 Author ID:1646669 Share Posted July 3 1 hour ago, MKDB said: Hello @i6cvs and My name is MKDB and I will assist you. Let's keep these principles as we proceed. Make sure to read the entire post below first. Please follow the steps in the given order and post back the log files. Please attach all log files into your post. Before we start, please make sure that you have an external backup, not connected to this system, of all private data. Only run the tools I guide you to. Please don't run any other scans, download, install or uninstall any programs while I'm working with you. As English is not my native language, please do not use slang or idioms. It may be hard for me to understand. If you do not respond within 4 days, your topic will be closed. Cracked or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed, is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also a big source of current trojan infections. If you are running any kin of illegal software on your system, please uninstall them now, before we start the cleaning procedure. Please attach the requested logfiles from AdwCleaner, Malwarebytes and Farbar Recovery Scan Tool and we will be happy to help you! Thank you! I had a KMs crack but I deleted it now with the Malwarebytes scan here are the logs: AdwCleaner[C00].txtMalwarebytes Scan Report 2024-07-03 132006.txtFRST.txtAddition.txt 1 Link to post Share on other sites More sharing options...
Solution MKDB Posted July 3 Solution ID:1646688 Share Posted July 3 @i6cvs First of all, remove the whole folder of this monero crap: Name: Trojan:Win32/Conteban.A!ml Severity: Severe Category: Trojan Path: file:_C:\Users\A\Downloads\Compressed\monero-gui-win-x64-v0.18.3.2\monero-gui-v0.18.3.2\extras\monero-blockchain-prune-known-spent-data.exe After that, will use FRST to run a fix. Please download the attached fixlist.txt file and save it to the location where you ran FRST from ( C:\Users\A\Downloads\Programs\ ). Note: It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work. Close all open programs and save your work. Run FRST again. Press the FIX button only once and wait. Please be patient and do not interfere, even if FRST does not respond for some time. That's nothing to worry about. Please note: This Fix will remove all temporary files, empty recycle bin and will remove cookies and may result in some websites indicating they do not recognize your computer. It may be necessary to receive and apply a verification code. Please note: This step resets your Firewall settings and you may be asked later to grant permission for legitimate programs to pass through the Firewall. If you recognize the program, agree to the request. If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart. FRST will create one log now (Fixlog.txt) in the same directory the tool is run. Please attach this logfile to your next reply. fixlist.txt Link to post Share on other sites More sharing options...
i6cvs Posted July 3 Author ID:1646710 Share Posted July 3 1 hour ago, MKDB said: @i6cvs First of all, remove the whole folder of this monero crap: Name: Trojan:Win32/Conteban.A!ml Severity: Severe Category: Trojan Path: file:_C:\Users\A\Downloads\Compressed\monero-gui-win-x64-v0.18.3.2\monero-gui-v0.18.3.2\extras\monero-blockchain-prune-known-spent-data.exe After that, will use FRST to run a fix. Please download the attached fixlist.txt file and save it to the location where you ran FRST from ( C:\Users\A\Downloads\Programs\ ). Note: It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work. Close all open programs and save your work. Run FRST again. Press the FIX button only once and wait. Please be patient and do not interfere, even if FRST does not respond for some time. That's nothing to worry about. Please note: This Fix will remove all temporary files, empty recycle bin and will remove cookies and may result in some websites indicating they do not recognize your computer. It may be necessary to receive and apply a verification code. Please note: This step resets your Firewall settings and you may be asked later to grant permission for legitimate programs to pass through the Firewall. If you recognize the program, agree to the request. If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart. FRST will create one log now (Fixlog.txt) in the same directory the tool is run. Please attach this logfile to your next reply. fixlist.txt 5.81 kB · 1 download Thanks for noticing me about that monero thing! Also FRST finished everything and restarted PC, I don't know whether I need to run it again or no? anyways the fixlist file disappeared and here is the Fixlog.txt: Fixlog.txt Link to post Share on other sites More sharing options...
MKDB Posted July 3 ID:1646729 Share Posted July 3 @i6cvs You did a very good job! How is your system running? Link to post Share on other sites More sharing options...
MKDB Posted July 3 ID:1646730 Share Posted July 3 @i6cvs Please run a fresh scan with FRST to check the results and let me know how things are going now. Run FRST again. Do not change any settings. Press the Scan button. FRST will create two logs now (FRST.txt + Addition.txt) in the same directory the tool is run. Please attach these logfiles to your next reply. 1 Link to post Share on other sites More sharing options...
i6cvs Posted July 3 Author ID:1646731 Share Posted July 3 Now after trying the browsers I guess the solution is solved it doesn't do any bimq hijack and after all those temp files are deleted the PC running more smoothly. Thousands of thanks, fam! I have 2 questions actually, curious and interested to know them: first, did you read all the addition.txt files to see the Monero program? or you use some tool to analyze that? second, how did you make the fixlist thing I really want to know that. 1 Link to post Share on other sites More sharing options...
MKDB Posted July 3 ID:1646739 Share Posted July 3 (edited) @i6cvs Thanks for your fast feedback. I'm happy that we were able to solve your problems. Here are my answers: 12 minutes ago, i6cvs said: first, did you read all the addition.txt files to see the Monero program? or you use some tool to analyze that? second, how did you make the fixlist thing I really want to know that. First: Windows Defender detected the monero program as malware and FRST lists the detection history of Windows Defender, so it was easy to combine. Second: A long answer is not possible here. This would go beyond the scope. I will give you a short one. But I hope this answer is ok for you: Thanks to two training courses (which took me 6-9 month for each of them) in the area of malware removal, I can usually identify harmful entries very quickly and can then include them into a fix for FRST. In a certain way, analyzing log files also has a lot to do with experience. I've been helping users for more than 12 years now... on three different forums. Next, please download and run SecurityCheck from this link: https://www.majorgeeks.com/files/details/securitycheck_f5a9.html Right-click with your mouse on the Securitycheck.exe and select "Run as administrator" and reply YES to allow it to run Wait for the scan to finish. It will open a text file named SecurityCheck.txt Close the file. Attach it with your next reply. You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt Finally, don't forget fresh scan logfiles from FRST like asked here: Thanks again! Edited July 3 by MKDB 1 Link to post Share on other sites More sharing options...
i6cvs Posted July 3 Author ID:1646741 Share Posted July 3 3 minutes ago, MKDB said: @i6cvs Thanks for your fast feedback. I'm happy that we were able to solve your problems. Here are my answers: First: Windows Defender detected the monero program as malware and FRST lists the detection history of Windows Defender, so it was easy to combine. Second: A short, simple answer is not possible here. This would go beyond the scope. But I hope this answer is ok for you: Thanks to two training courses (which took me 6-9 month for each of them) in the area of malware removal, I can usually identify harmful entries very quickly and can then include them into a fix for FRST. In a certain way, analyzing log files also has a lot to do with experience. I've been helping users for more than 12 years now... on three different forums. Next, please download and run SecurityCheck from this link: https://www.majorgeeks.com/files/details/securitycheck_f5a9.html Right-click with your mouse on the Securitycheck.exe and select "Run as administrator" and reply YES to allow it to run Wait for the scan to finish. It will open a text file named SecurityCheck.txt Close the file. Attach it with your next reply. You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt Finally, don't forget fresh scan logfiles from FRST like asked here: Thanks again! Wow, you are doing really great Job. And I am really interested to be like you in that work. Thanks again! here are the logs:FRST.txtAddition.txtSecurityCheck.txt Link to post Share on other sites More sharing options...
MKDB Posted July 3 ID:1646747 Share Posted July 3 @i6cvs Thank you very much for your kind words. You should update some programs (if your still need them) or uninstall them (if you don't need them anymore): WinRAR 5.21 (32-bit) v.5.21.0 Warning! Download Update Adobe Acrobat (64-bit) v.24.002.20895 Warning! This software is no longer supported. Please uninstall it and use Adobe Acrobat DC. Adobe Flash Player 11 Plugin v.11.1.102.55 Warning! This software is no longer supported. Please uninstall it JDownloader 2 v.2.0.1 Warning! Suspected Adware! If this program is not familiar to you it is recommended to uninstall it and execute PC scanning using Malwarebytes Anti-Malware and Malwarebytes AdwCleaner. Before uninstallation and scanning it is necessary to consult in the forum where cure is provided for you!!! Thank you for your cooperation. You can use KpRm to remove FRST and other tools. Please download KpRm by kernel-panik and save it to your desktop. Right-click kprm_(version).exe and select Run as Administrator. Read and accept the disclaimer. When the tool opens, select Delete Tools under Actions. Under Delete Quarantines select Delete Now, then click Run. Once complete, click OK. A log may open in Notepad titled kprm-(date).txt. I do not need it. Just close Notepad if it shows up. A few final recommendations can be found here: Further reading if you like to keep up on the malware threat scene: Malwarebytes Blog https://blog.malwarebytes.com/ Hopefully, we've been able to assist you with correcting your system issues. Thank you for using Malwarebytes. Link to post Share on other sites More sharing options...
i6cvs Posted July 3 Author ID:1646750 Share Posted July 3 5 minutes ago, MKDB said: @i6cvs Thank you very much for your kind words. You should update some programs (if your still need them) or uninstall them (if you don't need them anymore): WinRAR 5.21 (32-bit) v.5.21.0 Warning! Download Update Adobe Acrobat (64-bit) v.24.002.20895 Warning! This software is no longer supported. Please uninstall it and use Adobe Acrobat DC. Adobe Flash Player 11 Plugin v.11.1.102.55 Warning! This software is no longer supported. Please uninstall it JDownloader 2 v.2.0.1 Warning! Suspected Adware! If this program is not familiar to you it is recommended to uninstall it and execute PC scanning using Malwarebytes Anti-Malware and Malwarebytes AdwCleaner. Before uninstallation and scanning it is necessary to consult in the forum where cure is provided for you!!! Thank you for your cooperation. You can use KpRm to remove FRST and other tools. Please download KpRm by kernel-panik and save it to your desktop. Right-click kprm_(version).exe and select Run as Administrator. Read and accept the disclaimer. When the tool opens, select Delete Tools under Actions. Under Delete Quarantines select Delete Now, then click Run. Once complete, click OK. A log may open in Notepad titled kprm-(date).txt. I do not need it. Just close Notepad if it shows up. A few final recommendations can be found here: Further reading if you like to keep up on the malware threat scene: Malwarebytes Blog https://blog.malwarebytes.com/ Hopefully, we've been able to assist you with correcting your system issues. Thank you for using Malwarebytes. Thanks for that! I will do all of these, you really helped me a lot. 1 Link to post Share on other sites More sharing options...
MKDB Posted July 3 ID:1646751 Share Posted July 3 @i6cvs You're welcome! Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Please review the following for Tips to help protect from infection. Thank you. As this topic seems to be solved, I do not follow it any longer. Take care! Link to post Share on other sites More sharing options...
Recommended Posts