Kaspersky detected virus. Am I safe now?

Junglist · Feb 17, 2023

Hello,

I am a novice so please bear with me. I was browsing on Firefox when Kaspersky popped up a message telling me there was a problem. I then notice in the taskbar notification area that the Windows security and Kaspersky icons had both turned red indicating that protection was no longer active. Then a Windows message appears advising that there is a problem with something trying to install that is not compatible with Windows, or has an error. At this point I disconnect my ethernet cable. The info I jotted down from that message is the following:

windows\system\profapi.dll
Error status 0xc0000022

Kaspersky then starts to scan and instructs me to restart in order to delete a file, which I do.

I have attached FRST files and the Kaspersky report. I just want to know if I'm safe now and if I should do anything further to insure I am disinfected.

Thanks, mark.

Junglist · Feb 17, 2023

nasdaq · Feb 18, 2023

Hello, Welcome to MalwareTips.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

The I.P. (Internet Provider) 198.51.100.1,198.51.100.2 are normally used and added by the owner for a special purpose.
If you did not create or added thie I.P. address please copy line below in red in the fixlist.txt before saving it as suggested.
Tcpip\..\Interfaces\{168f0f39-18b5-4ca5-ae7d-8ffb33d34d2d}: [NameServer] 198.51.100.1,198.51.100.2
If you are not sure leave it along for now.
<<<>>>

Remove this program in bold using the Control Panel > Programs > Programs and Features...
BitMeter OS (HKLM-x32\...\BitMeterOS) (Version: - )
<<<>>>

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt) please post it to your reply.
===

Please post the Fixlog.txt and let me know what problem persists.

Junglist · Feb 19, 2023

Hi,

I don’t remember changing the IP address. Is this something my ISP would have given me (TalkTalk UK)? Where about in the fixlist.txt should I past the red text you provided?

Thank you,
Mark.

nasdaq · Feb 20, 2023

Hi,

The I.P. address looks good.
Leave it alone for now.

Read this article.

Whois IP 198.51.100.1

Whois IP Lookup for 198.51.100.1

www.whois.com

<<<>>>

Just do the fix as suggested. Do not add the line to the list.

Junglist · Feb 20, 2023

Ok, thanks.

Here's the Fixlog.txt.

nasdaq · Feb 21, 2023

Hi,

Download and run these program.
Before you execute them close all the opened browsers that are active.

Delete everything that will be found by each program.

Nos run the programs.

Please download Malwarebytes Anti-Malware from Malwarebytes or
from BleepingComputer

Right-click on the MBAM icon and select Run as administrator to run the tool.
Click Yes to accept any security warnings that may appear.
Once the MBAM dashboard opens, on the right detail pane click on the word "Current" under the Scan Status to update the tool database.
On the left menu pane click the Settings tab, and then select the Protection tab on the top.
Under the Scan Options, turn on the button Scan for rootkits and Scan within archives.
Click the Scan tab on the right detail pane, select Threat Scan and click the Start Scan button
Note: The scan may take some time to finish, so please be patient.
If potential threats are detected, ensure to check mark all the listed items, and click the Quarantine Selected button.
While still on the Scan tab, click the View Report button, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
The log can also be viewed by clicking the log to select it, then clicking the View Report button.

Please post the log for my review.

Note: If asked to restart the computer, please do so immediately.
===

Please download AdwCleaner by Malwarebytes your Desktop.

Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click the Scan button and wait for the process to complete.
Click the LogFile button and the report will open in Notepad.

IMPORTANT

If you click the Clean button all items listed in the report will be removed.

If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.

Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click the Scan button and wait for the process to complete.
Check off the element(s) you wish to keep.
Click on the Clean button follow the prompts.
A log file will automatically open after the scan has finished.
Please post the content of that log file with your next answer.
You can find the log file at C:\AdwCleanerCx.txt (x is a number).

Attach both logs.
Before you do please run a Scan with the Farbar r program and attach these logs also.

Junglist · Feb 21, 2023

Here are the files.

nasdaq · Feb 22, 2023

Hi,

Many processes were not closed and/or accessible.
This is possibly because you have used this profile which is not an Administrator.

Ran by Mark (ATTENTION: The user is not administrator)

You must used the Admin Mark to execute the 4 programs I suggested.

It looks like you used this one.
Mark (S-1-5-21-750743147-1633285388-1068135641-1001 - Limited - Enabled) => C:\Users\Mark

Available profiles.
Admin Mark (S-1-5-21-750743147-1633285388-1068135641-1002 - Administrator - Enabled) => C:\Users\Admin Mark
Administrator (S-1-5-21-750743147-1633285388-1068135641-500 - Administrator - Disabled)
DefaultAccount (S-1-5-21-750743147-1633285388-1068135641-503 - Limited - Disabled)
Guest (S-1-5-21-750743147-1633285388-1068135641-501 - Limited - Disabled)
Mark (S-1-5-21-750743147-1633285388-1068135641-1001 - Limited - Enabled) => C:\Users\Mark

Please reboot and start over.

Junglist · Feb 22, 2023

Ok, sorry about that.

nasdaq · Feb 23, 2023

Hi,

Remove this program in bold using the Control Panel > Programs > Programs and Features...
Bonjour (HKLM\...\{56DDDFB8-7F79-4480-89D5-25E1F52AB28F}) (Version: 3.1.0.1 - Apple Inc.)
<<<>>>

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt) please post it to your reply.
===

Please post the Fixlog.txt and let me know what problem persists.

Junglist · Feb 23, 2023

Thanks again.

nasdaq · Feb 24, 2023

Hi,

How is the computer running now?

Junglist · Feb 24, 2023

It's running okay now, thank you for your help. I was just concerned when I got the initial warning that something had been detected and was trying to install.

Mark

nasdaq · Feb 25, 2023

Glad we could help.

Kaspersky detected virus. Am I safe now?

Level 1

Attachments

Level 1

Attachments

Moderator

Attachments

Level 1

Moderator

Level 1

Attachments

Moderator

Level 1

Attachments

Moderator

Level 1

Attachments

Moderator

Attachments

Level 1

Attachments

Moderator

Level 1

Moderator

Similar threads