Jump to content

Removing malware after downloaded .zip file.

Caleb_Westerhout
 Share

Recommended Posts

Caleb_Westerhout

Caleb_Westerhout

Posted
Posted

I received a message from a trusted user of the online platform Discord with a phishing link to a game download they wanted me to review. I stupidly downloaded it and unzipped it, and lost several of my accounts. I have since recovered all the associated accounts, but Malwarebytes comes up empty when I do full all-drive scans including for rootkits, and I'm afraid that the malware is still in my device somewhere.

I've scoured my files on all drives for anything modified during the initial attack or immediately after for any .exe, .jar, or .node files that I did not recognize, as well as any files in the key registry and pretty much everything that isn't inside of a Windows folder. 

I do not want to run a system wipe and reinstall of the OS, as I have text documents and hours of recordings that are unique and not backed up on any other devices.

My computer is running Windows 10, and I can launch it in Safe Mode without any issues. It starts and shuts down without problems, and all attempts at fraud on the initially affected accounts have ceased.

Any assistance on how to ensure my computer is fully safe without wiping the drives would be greatly appreciated.

 

Thank you,

Caleb

Link to post
Share on other sites
Porthos

Porthos

Posted
Posted

@Caleb_Westerhout

Although I will not be directly assisting you, a malware removal expert will be along to assist after you do the following.

Let's get the info to get the process started. Be aware it will take many steps and scans to fully remove malware.

Please respond to all future instructions from your helper in a timely manner.

Let's go ahead and run a couple of scans and get some updated logs from your system. Please read the entire post below before starting so that you're more familiar with the process

Then follow each step in the order provided. Unless otherwise asked, please attach all logs

 

Please make the following system changes: Please pay close attention the the instructions in all of the following links.

  • If you have not done so already - Enable System Protection and create a NEW System Restore Point  <<<<< Important.
  • Temporarily disable your antivirus real-time protection or other security software first only if it blocks or interferes with the scans or downloads.. Make sure to turn it back on once the scans are completed
  • Temporarily disable Microsoft SmartScreen to download software below only if needed. Make sure to turn it back on once the downloads are completed
  • Disable-Fast-Startup <<<<< Important.
  • Show-Hidden-Folders-Files-Extensions

Please run the following scans: Please pay close attention the the instructions in all of the following links.

  1. Click the following link and run a  Scan with AdwCleaner
  2. Click the following link and run a  Scan with Malwarebytes
       RESTART the computer <<<<< Important.
  3. Click the following link and run a  Scan with Farbar Recovery Scan Tool 

Example image of where to click to attach files when posting your reply

image.thumb.png.e208c182ff570799c53bcf57

Then be patient for the next expert to take your case. <<<<< Important.

 

Thank you

Link to post
Share on other sites
Caleb_Westerhout

Caleb_Westerhout

Posted
  • Author
Posted

I followed the instructions you gave in the order you gave them. I enabled system protect and created a system restore point. I disabled Fast Startup, and my hidden files have already been set to show. I installed and scanned with AdwCleaner, following the instructions at the link you sent. I then scanned with Malwarebytes following the instructions at the link you sent. I then shut down my PC, allowing it 30 seconds of rest, before starting it up again. It started with no issue. I then installed Farbar Recovery Scan Tool and ran it, temporarily disabling Microsoft Safescreen to allow the program to run. I reenabled it once the program was complete. I ran Farbar according to the instructions given at the link you sent. I have attached all the log files the programs created to this reply.

I will await further instruction.

 

Thank you,

Caleb.

AdwCleaner[S00].txt Malwarebytes Scan Report 2024-08-12 172702.txt FRST.txt Addition.txt

Link to post
Share on other sites
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted

Thank you for the logs @Caleb_Westerhout

The following is an old version of Java. Unless you are writing code to support an old version of Java, I would recommend that you uninstall it.

  • Java(TM) SE Development Kit 17.0.3.1 (64-bit)

 

 

Are you using Microsoft Teams? The version installer is very old

 

Please run the following AV scan for me

 

 

Please run the following ESET Online Scanner and perform a Full Scan

 

Click the following link to save the installer for ESET Online Scanner

https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe"
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get started. 
  • When presented with the initial ESET screen, click on "Get Started". Read and accept the Terms of use
  • On the "Before we start..." screen chose if you want to send anonymous data and if you want to provide feedback or not, then click Continue
  • When prompted for scan type, Click on the Full Scan button
  • Enable  ( select )   the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click the Start scan button.
  • Have patience.  The entire process may take a few hours or more.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.
  • Click The blue “Save scan log” to save the log and give it a name and location you remember.
  • If something was removed and you know it is a false postive, you may click on the blue ”Restore cleaned files”  ( in blue, at the bottom).
  • Press Continue when all done.  You should click to turn off the offer for “periodic scanning”.
  • Enable "Delete application data on closing" - You do not need to submit feedback unless you want to. Simply ignore and close the program.

 

Note: If you do need to do a File Restore from ESET please follow the directions below

[KB2915] Restore files quarantined by the ESET Online Scanner version 3

https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner

 

Please attach the ESET scan log you saved at the end to your next reply

 

 

Link to post
Share on other sites
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted

Great, that looks good. Thank you for the log @Caleb_Westerhout

Please get me new fresh scan logs

 

Scan with SecurityCheck by glax24
https://forums.malwarebytes.com/topic/307301-scan-with-securitycheck-by-glax24/


Scan with FSS Farbar Service Scanner
https://forums.malwarebytes.com/topic/306736-scan-with-fss-farbar-service-scanner/


Scan with Farbar Recovery Scan Tool
https://forums.malwarebytes.com/topic/306601-scan-with-farbar-recovery-scan-tool/

 

 

 

 

Link to post
Share on other sites
Caleb_Westerhout

Caleb_Westerhout

Posted
  • Author
Posted

I scanned using the programs provided, in the order requested. Farbar Service Scanner is causing issues with Windows Firewall, which I temporarily disabled. Whenever I reenable it, I get rampant alerts about a dangerous file. How should I deal with those errors, and how should I proceed from here?

 

Thank you,

Caleb.

SecurityCheck.txt FSS.txt FRST.txt Addition.txt

Link to post
Share on other sites
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted

The following drivers look to be missing or disabled.

 

==================== Faulty Device Manager Devices ============

Name: PCI Simple Communications Controller
Description: PCI Simple Communications Controller
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: Digital Audio (S/PDIF) (High Definition Audio Device)
Description: Audio Endpoint
Class Guid: {c166523c-fe0c-4a94-a586-f1a80cfbbf3e}
Manufacturer: Microsoft
Service:
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: Digital Audio (S/PDIF) (High Definition Audio Device)
Description: Audio Endpoint
Class Guid: {c166523c-fe0c-4a94-a586-f1a80cfbbf3e}
Manufacturer: Microsoft
Service:
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

 

 

 

Please run the following fix

 

NOTE: Please read all of the information below before running this fix.

  • NOTICE: This script was written specifically for this user, for use on this particular machine.
  • Running this on another machine may cause damage to your operating system that cannot be undone.

Once the fix has been completed, please attach the file FIXLOG.TXT to your next reply

Farbar program:   FRSTEnglish.exe

Save the attached file:  FIXLIST.TXT to this folder C:\Users\Caleb\Desktop\

NOTE. It's important that both files, FRSTEnglish.exe, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

 

Run the Farbar program with Admin rights and press the Fix button just once and wait.

The fix may possibly take up to 60 minutes to complete

If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log named Fixlog.txt in the same folder you ran the Farbar program from. Please attach that log on your next reply.

 

  1. NOTE:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity.
  2. NOTE: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications may be automatically closed.
                Also, make sure you know the passwords for all websites as cookies may possibly be removed in some cases, but not all cases.
  3. NOTE: As part of this fix, it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Discord cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

 

Link to post
Share on other sites
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted

Once the above fix has been completed, please check on the following @Caleb_Westerhout

 


Please Uninstall, Update, or otherwise address the following as appropriate for your computer.

 


Please Uninstall the following

---------------------------- [ UnwantedApps ] -----------------------------
Wondershare Helper Compact 2.6.0 v.2.6.0 Warning! Application is distributed through the partnership programs and bundle assemblies. Uninstallation recommended.


Then RESTART the computer and check for Windows Updates and install any found

 

Link to post
Share on other sites
Caleb_Westerhout

Caleb_Westerhout

Posted
  • Author
Posted

I ran the fix, and it gave the three logs attached after it restarted. I updated the programs I deemed necessary from that list and uninstalled Wondershare Helper Compact, then restarted my PC again. I checked for Windows updates using the Windows Update Checker service, downloaded and installed the updates, and restarted my computer to apply them fully.

Is there anything else I should do, and is it safe to begin logging in to accounts on this computer again?

 

Thank you,

Caleb.

Fixlog.txt InstalledSoftwareFullList.txt Log-Clear-BrowserCache.txt

Link to post
Share on other sites
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted

Please download the following driver from Asus and install it.

https://www.asus.com/us/supportonly/rampage_iv_extreme/helpdesk_download/

image.png

Then RESTART the computer and get me a new fresh set of Farbar logs

 

Scan with Farbar Recovery Scan Tool
https://forums.malwarebytes.com/topic/306601-scan-with-farbar-recovery-scan-tool/

 

FRST.TXT
ADDITION.TXT

 

Past midnight for me so I'll check back on you again tomorrow.

Thanks

 

 

Link to post
Share on other sites
Caleb_Westerhout

Caleb_Westerhout

Posted
  • Author
Posted

I had some difficulty installing the program, as it claimed the program already existed on my computer. I did what I could to remove it, but even when uninstalling the program with the option given by the installer, it still claimed the program was installed. I managed to get the program to install and update to what I assume is the version you required. I restarted my computer, then scanned with the Farbar Recovery Scan Tool. The logs are attached.

I'll talk to you tomorrow, then.
 

Thank you for your continued assistance,

Caleb.

FRST.txt Addition.txt

Link to post
Share on other sites
David H. Lipman

David H. Lipman

Posted
Posted
On 8/12/2024 at 1:14 PM, Caleb_Westerhout said:

I received a message from a trusted user of the online platform Discord with a phishing link to a game download they wanted me to review. I stupidly downloaded it and unzipped

@Caleb_Westerhout

Do you still have the message such that we can know the site and malware?

This way we can make sure the site is blocked and the malware detected by MBAM.  If you can provide this information that would be very helpful.

Link to post
Share on other sites
Caleb_Westerhout

Caleb_Westerhout

Posted
  • Author
Posted

I still have access to the message, and I recall some details about the order of events. I will try to provide as much information as I can.

The message included a link to a Steam game called Dungeon of Destiny. The game appears as if it is in early access. The message requested that I launch the game and play it for a short period of time to give a review before the game launches. I trusted the individual that used to have the account, and so I inspected the steam game. Afterwards, a link to an external site (which should have been my clue) was sent to me and when I followed the link, there was an option to download a file. This file was a .zip locked by an admin password (which should have been hint number 2) which was provided to me as well. Upon downloading and unzipping the file and launching the .exe file, my computer shut off all programs except the executable, and I lost access to my Discord and Google accounts associated with this device. 

I have two screenshots from Discord that I have provided, as I am unsure if I should provide the links directly to the websites or not. I also included the password for the .zip file that I was sent. There is another screenshot that I can provide after I remove personal information from it that I received from a discord friend of mine after my account was hacked, if you would like to see the messages that lead up to the phishing attempt.

I also have a location provided by my Google accounts as to where the individual was when they took my information, somewhere in the country of Turkiye, as well as a Gmail address they contacted me at tin an attempt to extort money out of me for my account and information back. Should I provide the Gmail address as well?

 

Are there any further steps I should take to ensure the safety of my device and account?

 

Thank you for your work,

Caleb

Scamscreenshot1.png

Scamscreenshot2.png

Scamscreenshotpass.png

  • Thanks 1
Link to post
Share on other sites
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted

Thank you for the new updated logs @Caleb_Westerhout

 

This was from your older ADDITION.TXT log file

 

==================== Faulty Device Manager Devices ============

Name: PCI Simple Communications Controller
Description: PCI Simple Communications Controller
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: Digital Audio (S/PDIF) (High Definition Audio Device)
Description: Audio Endpoint
Class Guid: {c166523c-fe0c-4a94-a586-f1a80cfbbf3e}
Manufacturer: Microsoft
Service:
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: Digital Audio (S/PDIF) (High Definition Audio Device)
Description: Audio Endpoint
Class Guid: {c166523c-fe0c-4a94-a586-f1a80cfbbf3e}
Manufacturer: Microsoft
Service:
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

 

 

The new logs shows those entries are not longer present which means the driver update seems to have corrected that issue

 

==================== Faulty Device Manager Devices ============

 

 

 

Since the computer was attacked with potentially taking data from you let's run a couple more AV scans and then finish up.

 

Please run the following AV scans

[ 1 ]

Dr.Web CureIt!

Please download the Dr.Web CureIt! anti-virus utility
https://free.drweb.com/

 

You will need to send them an email to obtain a link to download the scanner, please do so

  • The downloaded file will normally have a unique name such as:  q7a9tr4p.exe
  • Close all open applications and locate the downloaded file and double-click to run it
  • The program will take a moment to launch and bring up the License and Update screen
  • Place a check mark to agree to the terms and then click on the Continue button
  • Click the underlined link Select objects for scanning
  • On the top left click the Scanning objects that should automatically check all objects
  • Click the small wrench and make sure there is a check on Automatically apply actions to threats
  • Then click the large button on bottom right Start scanning
  • Once the scan has completed there will be a link named Open report click that and a log named cureit.log should open in Notepad
  • The log is saved in the folder named Doctor Web in the top of your user profile folders
  • Please attach that log on your next reply

 

 

[ 2 ]

Let's go ahead and run a couple of scans and get some updated logs from your system.

Please read the entire post below before starting so that you're more familiar with the process

[ 1 ]

Please make the following system changes.

  • Temporarily disable your antivirus real-time protection or other security software first only if it blocks or interferes with the scans or downloads.. Make sure to turn it back on once the scans are completed.
  • Temporarily disable Microsoft SmartScreen to download software below only if needed. Make sure to turn it back on once the scans are completed.
  • Disable-Fast-Startup
  • Show-Hidden-Folders-Files-Extensions

[ 2 ]

Microsoft Safety Scanner

I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on the Scan Options & select the FULL scan.

Then start the scan. Have lots of patience. It may take several hours to complete.

  • Once you see it has started, take a long long break;  walk away.  Do not pay credence if you see some intermediate early flash messages on the screen display.  The only things that count are the End result at the end of the run and saved in the log.
  • The scan may take several hours.  Leave it alone. It will remove any other remaining threats as it goes along.  Take a very long break, do your normal personal errands .....just do not use the computer during this scan.

This is likely to run for many hours as previously mentioned  ( depending on the number of files on your machine & the speed of the hardware. )

The log is named MSERT.log  and the log will be at C:\Windows\debug\msert.log

Please attach that log with your next reply.

 

It is normal for the Microsoft Safety Scanner to show detections during the scan process.

It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.

Then it writes into the log on your computer what it found and did.

 

Thank you

 

Link to post
Share on other sites
David H. Lipman

David H. Lipman

Posted
Posted
57 minutes ago, Caleb_Westerhout said:

I still have access to the message, and I recall some details about the order of events. I will try to provide as much information as I can.

Thank you.  No other information is needed.

It seems to be self defined as the Fury Stealer.

RE:    Fake Game password and data stealer

 

  • Thanks 1
Link to post
Share on other sites
Caleb_Westerhout

Caleb_Westerhout

Posted
  • Author
Posted

Good afternoon.

I just want to confirm that I am going through the processes as outlined, and doing my best to be patient with them. I'm writing this from a different device so that my computer isn't bothered while it scans with Microsoft Safety Scanner. 

I wasn't able to start it until late last night, but it has been running for 12 hours now, still on Safe Boot with Networking to prevent any programs from interfering just in case. It seems to have made it around 20-25% of the way through my files if the progress bar is accurate. You certainly meant it when you said the scan will take many hours. It should be done in another 36-48 hours or so, if it continues at this rate, and I will have the logs ready for you then. I assume this is a normal rate?

I apologize for not being able to attach the logs from the Dr.Web scan yet. I'll have all logs to you as soon as the MSS scan is done.

 

Thank you for your support and patience,

Caleb

Link to post
Share on other sites
Caleb_Westerhout

Caleb_Westerhout

Posted
  • Author
Posted

The computer appears to be running perfectly fine. No other attempts have been made on any of the accounts associated with this computer, and I haven't received any other messages or emails from companies or the suspected individual. Everything seems to be good on my end

 

Thank you,

Caleb

Link to post
Share on other sites
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted

I would highly suggest you use a password manager like 1Password, Bitwarden, Keepass, etc. and change the passwords on your sites that you visit.

Make them strong passwords of at least 16 characters or more and enable 2FA - Two Factor Authentication if possible.

 

 

Excellent, glad to hear all is well again. I'll go ahead and close your topic now and wish you well.

Please follow the directions below to remove the logs and tools we've used. If any are still left after that you can manually uninstall or delete them.

Take care and stay safe out there. Try to follow as much of the advise below as you can as well.

 

Let's go ahead and do some clean-up work and remove the tools and logs we've run.

Please download KpRm by kernel-panik and save it to your desktop.

  • right-click kprm_(version).exe and select Run as Administrator.
  • Read and accept the disclaimer.
  • When the tool opens, ensure all boxes under Actions are checked.
  • Under Delete Quarantines select Delete Now, then click Run.
  • Once complete, click OK.
  • A log will open in Notepad titled kprm-(date).txt. You can close it.

 

We're glad that we were able to assist you.

 

The following information will help you to keep your computer and data safer as well as improve your overall privacy

  1. Recommend using a Password Manager for all websites, etc. that require a password. Never use the same password on more than one site.
    https://www.howtogeek.com/780233/best-password-manager/
  2. Make sure you're backing up your files https://forums.malwarebytes.com/topic/136226-backup-software/
  3. Keep all software up to date - PatchMyPC - https://patchmypc.com/home-updater#download     https://patchmypc.com/about-us
  4. Keep your Operating System up to date and current at all times - https://support.microsoft.com/en-us/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2
  5. Further tips to help protect your computer data and improve your privacy: https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/ 
  6. Please consider installing the following Content Blockers for your Web browsers if you haven't done so already. This will help improve overall security

Malwarebytes Browser Guard

uBlock Origin

 

Cybersecurity basics & protection
Everything you need to know about cybercrime
https://www.malwarebytes.com/cybersecurity

 

Further reading if you'd like to keep up on the malware threat scene: Malwarebytes Blog  https://blog.malwarebytes.com/

Hopefully, we've been able to assist you with correcting your system issues.

Thank you for using Malwarebytes. Please tell your friends and family if they too need assistance with malware removal

 

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.