Your File is Ready Malware

Status
Not open for further replies.

UncleJim

New Member
Thread author
Mar 4, 2022
5
Have the malware "Your file is ready to download". I have the icon on my Windows 11 desktop and can't remove it. When I try, I get the message "The action can't be completed because the file is open in System". I have run Malwarebytes and it didn't find anything. I have run others and nothing would find it. I ran Farbar and included the results.

Please help.
Uncle Jim
 

Attachments

  • Addition.txt (13.8 KB)
  • FRST.txt (38.7 KB)

nasdaq

Moderator
Verified
Staff member
Nov 5, 2019
741
Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click OK.
Please copy the entire contents of the code box below into the new file.

Code:
start

Comment: For your security a new restore point will be created.
CreateRestorePoint:
Comment: We need to close all processes to complete the fix.
CloseProcesses:

Comment: Items from the FRST.TXT log that will be removed from the Registry.
HKLM\Software\...\Authentication\Credential Providers: [{C885AA15-1764-4293-B82A-0586ADD46B35}] ->
HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
Task: {CCDFC0B8-01A3-4E74-A820-4F13F51D269E} - System32\Tasks\Microsoft\Windows\Mobile Broadband Accounts\MNO Metadata Parser => C:\WINDOWS\System32\MbaeParserTask.exe (No File)
Edge Extension: (No Name) -> AutoFormFill_5ED10D46BD7E47DEB1F3685D2C0FCE08 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\AutoFormFill [not found]
Edge Extension: (No Name) -> BookReader_B171F20233094AC88D05A8EF7B9763E8 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\BookViewer [not found]
Edge Extension: (No Name) -> LearningTools_7706F933-971C-41D1-9899-8A026EB5D824 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\LearningTools [not found]
Edge Extension: (No Name) -> PinJSAPI_EC01B57063BE468FAB6DB7EBFC3BF368 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\PinJSAPI [not found]
Edge HomePage: Default -> hxxps://www.google.com/#spf=1578676489262
S1 amsdk; \??\C:\WINDOWS\system32\drivers\amsdk.sys [X]
S1 WinSetupMon; system32\DRIVERS\WinSetupMon.sys [X]

Comment: The system will restart.
Reboot:

End

Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Please send the compromised file to VirusTotal for a security scan.


Follow the instructions on the page.

If found to be bad, boot the computer in Safe Mode and delete the file.

Restart the computer normally.

Please post the Fixlog.txt.


If the problem persists post the filename as well as the exact location where the file is saved.

I will also need to see the complete Addition.txt log.
The one you attached was truncated. It's missing the bottom part.
 
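As an added example (not part of nasdaq's instructions and not an FRST feature), the following PowerShell script does the manual checks behind the steps above from a defender's side: it resolves and hashes the suspicious desktop item so the hash can be looked up on VirusTotal without uploading the file, and it reports whether the registry keys and driver services named in the fixlist are still present after the Fix. The desktop filename pattern is an assumption, and the full Credential Providers path is the standard Windows location expanded from the abbreviated FRST line.

```powershell
# Added triage helper; run in an elevated PowerShell on the affected machine.
# Assumption: the desktop item is named like "Your file is ready*".
$desktop = [Environment]::GetFolderPath('Desktop')
$items = Get-ChildItem -Path $desktop -Filter 'Your file is ready*' -Force -ErrorAction SilentlyContinue

foreach ($item in $items) {
    $target = $item.FullName
    if ($item.Extension -ieq '.lnk') {
        # Resolve the shortcut so the real payload, not the .lnk, is hashed
        $shell  = New-Object -ComObject WScript.Shell
        $target = $shell.CreateShortcut($item.FullName).TargetPath
    }
    if ($target -and (Test-Path -LiteralPath $target)) {
        $hash = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
        "{0}`n  target: {1}`n  SHA256: {2}" -f $item.Name, $target, $hash
        # Paste the SHA256 into the VirusTotal search box to check the file.
    } else {
        "{0}: target not found ({1})" -f $item.Name, $target
    }
}

# Registry items the fixlist removes; False after the Fix means they are gone.
# The Credential Providers key is the standard full path of the abbreviated
# "HKLM\Software\...\Authentication\Credential Providers" line in the log.
$keys = @(
    'HKLM:\SOFTWARE\Policies\Google',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{C885AA15-1764-4293-B82A-0586ADD46B35}'
)
foreach ($k in $keys) {
    "{0}: present={1}" -f $k, (Test-Path -LiteralPath $k)
}

# Driver services flagged [X] (driver file missing) in the FRST log.
foreach ($name in 'amsdk', 'WinSetupMon') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc) { "{0}: registered, status {1}" -f $name, $svc.Status }
    else      { "{0}: not registered" -f $name }
}
```

Run it once before and once after the FRST Fix and compare the output; the hash line is the value to post or look up rather than the file itself.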

nasdaq

Moderator
Verified
Staff member
Nov 5, 2019
741
Hi,

If the icon is still present, post the filename as well as the exact location where the file is saved.

Attach the Addition.txt log that was created by the Farbar program.
 

UncleJim

New Member
Thread author
Mar 4, 2022
5
I also noticed this morning that the malware was gone. Not sure what you did, but I appreciate it. Thanks so much.
 

nasdaq

Moderator
Verified
Staff member
Nov 5, 2019
741
Hi,

The “Your File Is Ready To Download” page is a browser-based scam that displays fake error messages to trick you into installing malicious browser extensions.

I suggest you rename the file with a .bad extension.
Send it to your Recycle bin.

If all is well in a day or two flush it.
 