paulqaz

CLOSED High risk Trojan.Scam.MN (B) can't delete from quarantine


Update: After running EEK and FRST, the 2 quarantined copies of Trojan.Scam.MN (B) were gone. Only FRST remained in the quarantine list and I deleted it. I searched the PC for Trojan.Scam and got no results. If this is normal, you can close this case and I'll delete any remnants of EEK and FRST. Thanks.

 

During a regular scan EMSI Anti-Malware found 2 copies of Trojan.Scam.MN (B) and quarantined them (see Original Scan-Forensics_180822-181418.txt). I requested deletion, but got a message saying the virus was deeply embedded, and to come here for instructions on how to delete it.

I ran EEK and scan seems clean (see attached log). 

I tried to run FRST, but it got quarantined (by EMSIsoft) while running. The message said it was trying to change Firewall settings. I didn't expect both to run per your instructions.

I tried to follow all instructions exactly. 

 

Forensics_180822-173717.txt

scan_180822-173117.txt


Download and run FRST again.  If Emsisoft tries to quarantine it, cancel the action and allow FRST to run.


I ran FRST. Here are scan files. 

Misc Info: I don't share, even on the Home network. I try not to add junk apps. There are some manuals for my phone. My old printer was HP and is now Epson. ThinkOrSwim is an Ameritrade application. I use IE, Edge and Chrome, to prevent some cross-pollination. If EMSI asks me, I say BLOCK (Rules). I regularly get fake Microsoft virus reports halting the browser with a Call-Us phone number, requiring Task Manager to stop. My mouse has been lagging for a few months; I tried another mouse with the same performance.

FRST.txt

Addition.txt

Edited by paulqaz
Added Misc Info list to aid evaluation.


I am not seeing any malware in your log.  I am seeing stuff that is broken and will fix that with the below fix.

Please run FRST again. Next, select and copy the following text, including the words Start:: and End::. Switch back to the FRST program window, and click the Fix button. It should read the fix directly from the clipboard and run the fix. When it is finished, please attach the fixlog.txt file it created in the same folder the FRST program is in.

Start::
    CustomCLSID: HKU\S-1-5-21-3187339599-2525356095-2133817256-1001_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32 -> C:\Users\Paul\AppData\Local\Microsoft\OneDrive\17.3.7076.1026_1\amd64\FileSyncShell64.dll => No File
    CustomCLSID: HKU\S-1-5-21-3187339599-2525356095-2133817256-1001_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32 -> C:\Users\Paul\AppData\Local\Microsoft\OneDrive\17.3.7076.1026_1\amd64\FileSyncShell64.dll => No File
    CustomCLSID: HKU\S-1-5-21-3187339599-2525356095-2133817256-1001_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32 -> C:\Users\Paul\AppData\Local\Microsoft\OneDrive\17.3.7076.1026_1\amd64\FileSyncShell64.dll => No File
    ShellIconOverlayIdentifiers: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  -> No File
    ShellIconOverlayIdentifiers: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} =>  -> No File
    ShellIconOverlayIdentifiers: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} =>  -> No File
    ShellIconOverlayIdentifiers: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  -> No File
    ShellIconOverlayIdentifiers: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  -> No File
    ShellIconOverlayIdentifiers: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} =>  -> No File
    ShellIconOverlayIdentifiers: [ OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} =>  -> No File
    ShellIconOverlayIdentifiers-x32: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  -> No File
    ShellIconOverlayIdentifiers-x32: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} =>  -> No File
    ShellIconOverlayIdentifiers-x32: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} =>  -> No File
    ShellIconOverlayIdentifiers-x32: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  -> No File
    ShellIconOverlayIdentifiers-x32: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  -> No File
    ShellIconOverlayIdentifiers-x32: [ OneDrive6] -> {9AA2F32D-362A-42D9-9328-24A483E2CCC3} =>  -> No File
    ShellIconOverlayIdentifiers-x32: [ OneDrive7] -> {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} =>  -> No File
    Task: {14BA854D-0BFA-4703-996B-514FACD3A7DD} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
    Task: {2DA634EA-514C-4412-B36C-44F7CC60CF49} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
    Task: {34F29320-35C6-41E4-8674-C1D737DB6595} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
    Task: {35CBF258-9D04-4C75-84C0-23DB03D1C092} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
    Task: {47AF4612-CB82-4B0F-B929-B74C5A403E06} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
    Task: {50BC907B-6AF6-481A-9CB8-3996CE76D73B} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
    Task: {547901D9-3670-47F6-BDAA-8F011C2CEE72} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
    Task: {8D8CADD8-6DC6-4B06-8EBD-11C9E3BBCBAD} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
    Task: {905BFF27-1C27-4608-B3B7-E38025B2D640} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
    Task: {A357E649-4B42-44AA-B90C-0B7392C4D5DB} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
    Task: {B9E344BA-320D-4C92-8E19-52F46B07AAB5} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
    Task: {D90D29FF-0211-48AD-B49A-307933F2F214} - \WPD\SqmUpload_S-1-5-21-3187339599-2525356095-2133817256-1001 -> No File <==== ATTENTION
    Task: {F8144AAC-1BB2-4B98-98F6-A3959334DBDA} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
End::

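The fixlist above removes three kinds of leftover registry entries: per-user COM registrations (CustomCLSID) whose InprocServer32 DLL is gone, shell icon overlay handlers whose CLSID no longer has a registered server, and Task Scheduler cache entries whose task definition file is missing. The following PowerShell script is an added example for readers of this thread, not code from the helper, Emsisoft or the FRST author. It is a read-only audit that enumerates all such orphans on the machine it runs on (so it generalizes beyond the OneDrive and GWX entries listed in this fixlist), and it assumes the standard Windows registry locations named in the comments and an elevated PowerShell prompt (the TaskCache key is not readable by standard users). It changes nothing; the point is to be able to see why an entry was flagged before letting a tool remove it.

```powershell
# Added example (not from the thread): read-only audit for the same three classes
# of orphaned entries the FRST fixlist removes. Assumes standard registry layout and
# an elevated prompt. Nothing is modified or deleted.

function Resolve-ServerPath {
    # Turn a registry value such as "%SystemRoot%\foo.dll" or a quoted path into a plain path.
    param([string]$RawValue)
    if ([string]::IsNullOrWhiteSpace($RawValue)) { return $null }
    return [Environment]::ExpandEnvironmentVariables($RawValue.Trim().Trim('"'))
}

function Get-OrphanedCustomClsid {
    # Per-user COM registrations live under HKCU\Software\Classes\CLSID, which is the
    # HKU\<SID>_Classes hive FRST reports as CustomCLSID. An InprocServer32 default
    # value that points at a DLL which no longer exists is an orphan.
    $root = 'HKCU:\Software\Classes\CLSID'
    if (-not (Test-Path $root)) { return @() }
    Get-ChildItem $root -ErrorAction SilentlyContinue | ForEach-Object {
        $server = "$root\$($_.PSChildName)\InprocServer32"
        if (Test-Path $server) {
            $dll = Resolve-ServerPath (Get-ItemProperty $server -ErrorAction SilentlyContinue).'(default)'
            if ($dll -and -not (Test-Path -LiteralPath $dll)) {
                [pscustomobject]@{ Kind = 'CustomCLSID'; Key = $_.PSChildName; Target = $dll }
            }
        }
    }
}

function Get-OrphanedShellIconOverlay {
    # Each overlay handler name maps (default value) to a CLSID. The handler is orphaned
    # when that CLSID has no InprocServer32 under HKCR (64-bit view) or under
    # Wow6432Node (32-bit view, the "-x32" lines in FRST output).
    $views = @(
        @{ Label = 'ShellIconOverlayIdentifiers'
           Key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers'
           Clsid = 'Registry::HKEY_CLASSES_ROOT\CLSID' },
        @{ Label = 'ShellIconOverlayIdentifiers-x32'
           Key   = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers'
           Clsid = 'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID' }
    )
    foreach ($v in $views) {
        if (-not (Test-Path $v.Key)) { continue }
        Get-ChildItem $v.Key -ErrorAction SilentlyContinue | ForEach-Object {
            $clsid = (Get-ItemProperty "$($v.Key)\$($_.PSChildName)" -ErrorAction SilentlyContinue).'(default)'
            if ($clsid -and -not (Test-Path "$($v.Clsid)\$clsid\InprocServer32")) {
                [pscustomobject]@{ Kind = $v.Label; Key = $_.PSChildName; Target = $clsid }
            }
        }
    }
}

function Get-OrphanedTaskCacheEntry {
    # Task Scheduler keeps one subkey per task GUID under TaskCache\Tasks with a "Path"
    # value naming the task. Its XML definition should exist under
    # %windir%\System32\Tasks<Path>; a missing file is what FRST flags as "No File".
    $root = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'
    if (-not (Test-Path $root)) { return @() }
    Get-ChildItem $root -ErrorAction SilentlyContinue | ForEach-Object {
        $taskPath = (Get-ItemProperty "$root\$($_.PSChildName)" -ErrorAction SilentlyContinue).Path
        if ($taskPath) {
            $file = Join-Path "$env:windir\System32\Tasks" $taskPath.TrimStart('\')
            if (-not (Test-Path -LiteralPath $file)) {
                [pscustomobject]@{ Kind = 'Task'; Key = $_.PSChildName; Target = $taskPath }
            }
        }
    }
}

# Collect and report. Each row mirrors one line of an FRST fixlist: kind, key, and the
# DLL, CLSID or task path the key points at.
$orphans = @(Get-OrphanedCustomClsid) + @(Get-OrphanedShellIconOverlay) + @(Get-OrphanedTaskCacheEntry)
if ($orphans.Count -eq 0) {
    'No orphaned CustomCLSID, ShellIconOverlayIdentifiers or TaskCache entries found.'
} else {
    $orphans | Sort-Object Kind, Key | Format-Table -AutoSize
}
```

Run it before and after a fix: the entries it lists beforehand should match the fixlist, and the list should be empty afterwards. Orphans of this kind are usually uninstaller leftovers (here OneDrive and the Windows 10 upgrade "GWX" tasks) rather than malware, which is why the helper describes them as "stuff that is broken"; a matching audit is still worth keeping, since a CLSID or scheduled task that points at a file which does exist in an unexpected location deserves a closer look than one that points at nothing.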

Now to remove most of the tools that we have used in fixing your machine:

Download Delfix from here and save it to your desktop.

  • Ensure Remove disinfection tools is checked.
  • Also place a checkmark next to:
    • Create registry backup
    • Purge system restore
  • Click the Run button.

When the tool is finished, a log will open in notepad. I do not need the log. You can close Notepad.

Empty the Recycle Bin

You can delete and uninstall any programs I had you download, that you do not wish to keep on the system.

To remove EEK, simply delete the EEK folder in the root of your System Drive, normally C:\EEK.

Run Windows Update and update your Windows Operating System.

Articles to Read:
How to Protect Your Computer From Malware
How to keep you and your Windows PC happy
Web, email, chat, password and kids safety
How Did I Get Infected?

That should take care of everything.

Safe Surfing!
