I allowed a trojan HELP

Status
Not open for further replies.

Trojanita

New Member
Jan 29, 2021
3
0
Hello all! I need your help please!

I brought it on myself: I downloaded a program from a site I didn't know, and it was malware.

Once downloaded and extracted, Windows Defender detected trojan Win32 Yamacco.AA2B as shown in picture (1), and the problem is I clicked "allow" by mistake. Then the other one, picture (2), trojan win32 Tilevn.A, got detected; I don't remember what I did there since, as you see, Windows says restored or removed from quarantine! Then I deleted that program I downloaded. I tried running it but it was blocked and it said that it contained a virus, so it wasn't installed.

I installed Malwarebytes and started running a scan with it and with Windows Defender too. Then Defender detected the last one, as shown in picture (3): trojan:html/phish!msr got detected and got blocked. I clicked "remove", went to the directory of the infected files it showed, and deleted them! So it was deleted, but of course I allowed that one so I panicked!

Pictures:
I wanted to know if it's really gone and that's why I'm here.

And I did many things: I installed Microsoft Safety Scanner and did a full scan with it many times.

Did a full scan using Windows Defender too, and also a Windows Defender offline scan!

Many scans with multiple programs: ESET Online, Malwarebytes, HitmanPro, Zemana.

Booted my PC in safe mode and did a scan with Malwarebytes again; none of them detected anything.

Went back to normal booting, also did a clean boot and some other forms of cleaning, an sfc scan on the command prompt, cleaned the cache, disabled System Restore.

Did a cleaning that deletes the browser cache and stuff with CCleaner.

I changed my email passwords..

I don't remember what other things I also did; 0 threats found. I suffer from generalized anxiety and this virus thing made me panic hard lol. I worried that info from my PC was stolen since I had some passwords written in doc.txt files.

Computer seems to be working fine, nothing unusual, no weird pop-ups, nothing out of the ordinary.

So is it gone? Am I safe? Or is a hard wipe and reinstalling Windows needed?
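The question above (whether the detection that was "allowed" by mistake was later cleaned up, and whether Defender still treats it as allowed) can be answered from Defender's own records rather than from memory. The script below is an added example written for this page; it is not part of the thread and not something the helper asked for. It assumes an elevated PowerShell prompt and the built-in Defender cmdlets (Get-MpThreat, Get-MpThreatDetection, Get-MpPreference, Get-WinEvent), and it assumes that clicking "Allow" in Windows Security is recorded in the per-threat default-action list that Get-MpPreference exposes. The event IDs are Defender's documented operational-log IDs.

```powershell
# Added example (not from the thread): review what Microsoft Defender recorded
# about recent detections and whether any threat is still set to "Allow".
# Run from an elevated PowerShell prompt; the Defender cmdlets require it.
# Assumption: an "Allow" click is stored as a per-threat default-action override.

$threats    = Get-MpThreat                       # every threat Defender knows on this PC
$detections = Get-MpThreatDetection | Sort-Object InitialDetectionTime -Descending

# 1. Detection history with the outcome of the action Defender took.
"== Detection history =="
$detections | ForEach-Object {
    $d = $_
    $t = $threats | Where-Object { $_.ThreatID -eq $d.ThreatID } | Select-Object -First 1
    [pscustomobject]@{
        Detected      = $d.InitialDetectionTime
        Threat        = $t.ThreatName
        Resources     = ($d.Resources -join '; ')  # files / URLs the detection covered
        ActionSuccess = $d.ActionSuccess           # $false means Defender could not act
        StillActive   = $t.IsActive                # $true means not yet remediated
        DidExecute    = $t.DidThreatExecute        # whether the sample ran before detection
    }
} | Format-Table -AutoSize -Wrap

# 2. Threats whose default action has been overridden. An "Allow" entry means
#    Defender will not act on that threat again until the override is cleared.
"== Per-threat action overrides =="
$actionName = @{ 1 = 'Clean'; 2 = 'Quarantine'; 3 = 'Remove'; 6 = 'Allow';
                 8 = 'UserDefined'; 9 = 'NoAction'; 10 = 'Block' }
$pref = Get-MpPreference
$ids  = @($pref.ThreatIDDefaultAction_Ids     | Where-Object { $null -ne $_ })
$acts = @($pref.ThreatIDDefaultAction_Actions | Where-Object { $null -ne $_ })
if ($ids.Count -eq 0) { "none" }
for ($i = 0; $i -lt $ids.Count; $i++) {
    $t = $threats | Where-Object { $_.ThreatID -eq $ids[$i] } | Select-Object -First 1
    '{0,-12} {1,-11} {2}' -f $ids[$i], $actionName[[int]$acts[$i]], $t.ThreatName
}

# 3. Defender's operational log for the last 7 days:
#    1116 = detection, 1117 = action taken, 1118/1119 = action failed,
#    5007 = configuration changed (exclusions and allow entries show up here).
"== Defender operational events (7 days) =="
$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1116, 1117, 1118, 1119, 5007
    StartTime = (Get-Date).AddDays(-7)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap
```

If section 2 lists a threat with action Allow, the override can be reverted with `Set-MpPreference -ThreatIDDefaultAction_Ids <id> -ThreatIDDefaultAction_Actions Quarantine` followed by a fresh scan; a 5007 event at the time of the "allow" click in section 3 is the corroborating record. A detection with ActionSuccess false or StillActive true is the case where the follow-up logs a helper asks for matter most.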
 

nasdaq

Moderator
Verified
Staff member
Nov 5, 2019
606
505
Hello, Welcome to MalwareTips.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

In order to give you sound advice I need more information.

Please download Malwarebytes Anti-Malware from Malwarebytes or
from BleepingComputer


  • Right-click on the MBAM icon and select Run as administrator to run the tool.
  • Click Yes to accept any security warnings that may appear.
  • Once the MBAM dashboard opens, on the right detail pane click on the word "Current" under the Scan Status to update the tool database.
  • On the left menu pane click the Settings tab, and then select the Protection tab on the top.
  • Under the Scan Options, turn on the button Scan for rootkits and Scan within archives.
  • Click the Scan tab on the right detail pane, select Threat Scan and click the Start Scan button.
  • Note: The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure to check mark all the listed items, and click the Quarantine Selected button.
  • While still on the Scan tab, click the View Report button, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log can also be viewed by clicking the log to select it, then clicking the View Report button.
Please post the log for my review.

Note: If asked to restart the computer, please do so immediately.
===

Please download AdwCleaner by Malwarebytes to your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner window.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

Download the Farbar Recovery Scan Tool (FRST).
Choose the 32 or 64 bit version for your system.
and save it to a folder on your computer's Desktop.
Ensure that you are in an Administrator Account
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.
(image: http://deeprybka.trojaner-board.de/eset/eng/attachlogs.png)

Attach the file(s). A 2 Steps process.
Reply to this topic.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach. <- Step 1.
Click Attach this file. <- Step 2.
Click the Add reply button.

Please post the logs for my review.
Wait for further instructions

p.s.
The Farbar program is updated often.
If it's identified as suspicious by your Anti-Virus program, trust it if downloaded from the link I provided.
You should restore the program from the Quarantine folder.
====
 

Trojanita

New Member
Jan 29, 2021
3
0
Hello, Welcome to MalwareTips.
I'm nasdaq and will be helping you.

Hey nasdaq, thank you for your help.
I ran a Malwarebytes scan with the rootkit and archives options checked; it didn't detect any threat so there was no history log from the scan.

AdwCleaner didn't detect anything either. This is the log result from AdwCleaner:

# -------------------------------
# Malwarebytes AdwCleaner 8.0.9.1
# -------------------------------
# Build: 01-20-2021
# Database: 2021-01-11.1 (Local)
# Support: Customer Support & Help Center | Malwarebytes
#
# -------------------------------
# Mode: Scan
# -------------------------------
# Start: 01-29-2021
# Duration: 00:00:22
# OS: Windows 10 Pro
# Scanned: 31956
# Detected: 0


***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

No malicious folders found.

***** [ Files ] *****

No malicious files found.

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious WMI found.

***** [ Shortcuts ] *****

No malicious shortcuts found.

***** [ Tasks ] *****

No malicious tasks found.

***** [ Registry ] *****

No malicious registry entries found.

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries found.

***** [ Chromium URLs ] *****

No malicious Chromium URLs found.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries found.

***** [ Firefox URLs ] *****

No malicious Firefox URLs found.

***** [ Hosts File Entries ] *****

No malicious hosts file entries found.

***** [ Preinstalled Software ] *****

No Preinstalled Software found.



########## EOF - C:\AdwCleaner\Logs\AdwCleaner[S00].txt ##########

__________________________________________________________________

Are the logs from FRST and Addition safe to share here, or do they contain sensitive information?
 

Trojanita

New Member
Jan 29, 2021
3
0
This was from the Addition log. Can you tell me what this is please, although it was last on 28/01/2020:

==================== Faulty Device Manager Devices ============


==================== Event log errors: ========================

Application errors:
==================
Error: (01/29/2021 02:18:52 AM) (Source: VSS) (EventID: 8193) (User: )
Description: Volume Shadow Copy Service error: Unexpected error calling routine QueryFullProcessImageNameW. hr = 0x80070006, The handle is invalid.
.


Operation:
Executing Asynchronous Operation

Context:
Current State: DoSnapshotSet

Error: (01/28/2021 10:11:26 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program WinRAR.exe version 5.60.0.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Security and Maintenance control panel.

Process ID: 1fd8

Start Time: 01d6f5ba04e9f197

Termination Time: 31

Application Path: C:\Program Files\WinRAR\WinRAR.exe

Report Id: aad00c8a-834b-441c-9221-ead4d235abae

Faulting package full name:

Faulting package-relative application ID:

Hang type: Cross-thread

Error: (01/28/2021 10:10:20 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program WinRAR.exe version 5.60.0.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Security and Maintenance control panel.

Process ID: 13f0

Start Time: 01d6f5b0bea53c99

Termination Time: 26

Application Path: C:\Program Files\WinRAR\WinRAR.exe

Report Id: 33d84c84-e2c9-4e83-82da-35fee8526b8d

Faulting package full name:

Faulting package-relative application ID:

Hang type: Cross-thread

Error: (01/28/2021 09:04:09 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program WinRAR.exe version 5.60.0.0 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Security and Maintenance control panel.

Process ID: 16a8

Start Time: 01d6f5b026104126

Termination Time: 46

Application Path: C:\Program Files\WinRAR\WinRAR.exe

Report Id: 661517b0-b045-45fd-aeae-5f97c3c20637

Faulting package full name:

Faulting package-relative application ID:

Hang type: Cross-thread

Error: (01/28/2021 05:36:49 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: HxOutlook.exe, version: 16.0.13426.20356, time stamp: 0x5fd2966a
Faulting module name: Mso20Imm.dll, version: 16.0.13426.20352, time stamp: 0x5fd1d2a6
Exception code: 0x0071d20d
Fault offset: 0x00000000001bdf6d
Faulting process id: 0x20c4
Faulting application start time: 0x01d6f593c555e20a
Faulting application path: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.13426.20368.0_x64__8wekyb3d8bbwe\HxOutlook.exe
Faulting module path: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.13426.20368.0_x64__8wekyb3d8bbwe\Mso20Imm.dll
Report Id: dd7ae79a-0735-47b2-bae4-ef4cf5f9a26e
Faulting package full name: microsoft.windowscommunicationsapps_16005.13426.20368.0_x64__8wekyb3d8bbwe
Faulting package-relative application ID: microsoft.windowslive.mail

Error: (01/28/2021 05:36:48 PM) (Source: Microsoft-Windows-AppModel-State) (EventID: 10) (User: DESKTOP-LTID0O6)
Description: microsoft.windowscommunicationsapps_8wekyb3d8bbwe-2147024893

Error: (01/28/2021 05:36:48 PM) (Source: Microsoft-Windows-AppModel-State) (EventID: 10) (User: DESKTOP-LTID0O6)
Description: microsoft.windowscommunicationsapps_8wekyb3d8bbwe-2147024893

Error: (01/28/2021 04:48:11 AM) (Source: ESENT) (EventID: 902) (User: )
Description: svchost (4284,D,122) Unistore: The database engine detected multiple threads illegally using the same database session to perform database operations.

SessionId: 0x000001B5B005B3A0

Session-context: 0x0000000000000000

Session-context ThreadId: 0x0000000000000000

Current ThreadId: 0x0000000000000DEC

Session-trace:


System errors:
=============
Error: (01/29/2021 07:03:23 AM) (Source: DCOM) (EventID: 10010) (User: DESKTOP-LTID0O6)
Description: The server {5F7F3F7B-1177-4D4B-B1DB-BC6F671B8F25} did not register with DCOM within the required timeout.

Error: (01/28/2021 11:47:46 PM) (Source: DCOM) (EventID: 10005) (User: DESKTOP-LTID0O6)
Description: DCOM got error "1084" attempting to start the service WSearch with arguments "Unavailable" in order to run the server:
{E48EDA45-43C6-48E0-9323-A7B2067D9CD5}

Error: (01/28/2021 11:47:45 PM) (Source: DCOM) (EventID: 10005) (User: DESKTOP-LTID0O6)
Description: DCOM got error "1084" attempting to start the service WSearch with arguments "Unavailable" in order to run the server:
{7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}

Error: (01/28/2021 11:44:56 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "1084" attempting to start the service WSearch with arguments "Unavailable" in order to run the server:
{9E175B68-F52A-11D8-B9A5-505054503030}

Error: (01/28/2021 11:43:18 PM) (Source: DCOM) (EventID: 10005) (User: NT AUTHORITY)
Description: DCOM got error "1084" attempting to start the service BITS with arguments "Unavailable" in order to run the server:
{4991D34B-80A1-4291-83B6-3328366B9097}

Error: (01/28/2021 11:43:13 PM) (Source: DCOM) (EventID: 10005) (User: DESKTOP-LTID0O6)
Description: DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "Unavailable" in order to run the server:
{DD522ACC-F821-461A-A407-50B198B896DC}

Error: (01/28/2021 11:43:09 PM) (Source: DCOM) (EventID: 10005) (User: DESKTOP-LTID0O6)
Description: DCOM got error "1084" attempting to start the service TokenBroker with arguments "Unavailable" in order to run the server:
Windows.Internal.Security.Authentication.Web.TokenBrokerInternal

Error: (01/28/2021 11:43:08 PM) (Source: DCOM) (EventID: 10005) (User: DESKTOP-LTID0O6)
Description: DCOM got error "1084" attempting to start the service TokenBroker with arguments "Unavailable" in order to run the server:
Windows.Internal.Security.Authentication.Web.TokenBrokerInternal
 

nasdaq

Moderator
Verified
Staff member
Nov 5, 2019
606
505
Hi,

Sorry for this delay.

Many errors are reported in the Addition.txt log.
The operating system will normally work around them, as they are not important.

I need to see the FRST.TXT and Addition.txt logs to give you sound advice.
 