Geeks to Go

Haphazard behaviour, sporadic, maybe malware, maybe not? [Solved]


  • This topic is locked

#16
DR M (The Grecian Geek, Malware Removal, 4,096 posts)

I just recalled I didn't respond to this:

 

 

After manual reset via power switch, now back up. Also, this website is constantly stating that there have been too many redirects and failing to load this page, making it difficult to respond.

 

This is true, if you are using Edge to sign in. The issue is due to a default security setting in Edge, regarding the http URLs. The same happens in Chrome. I see you don't have Firefox installed. Are you getting the same error when using Opera?


  • 1



#17
valleyboy (Member, Topic Starter, 245 posts)

Hi
 
Ok - Scan log is below. AdwCleaner log is attached.
 
Ref. the browsers, I am trying to use either Edge, Chrome or Opera. All are producing the same redirect issue.
 
 
SCAN LOG
 
Malwarebytes
www.malwarebytes.com
 
-Log Details-
Scan Date: 18/02/2023
Scan Time: 13:27
Log File: ff077816-af8f-11ed-936c-18c04da8b499.json
 
-Software Information-
Version: 4.5.22.236
Components Version: 1.0.1915
Update Package Version: 1.0.65833
Licence: Trial
 
-System Information-
OS: Windows 11 (Build 22621.963)
CPU: x64
File System: NTFS
User: DESKTOP-JSB8L0E\maxxy
 
-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 280704
Threats Detected: 5
Threats Quarantined: 0
Time Elapsed: 7 min, 30 sec
 
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect
 
-Scan Details-
Process: 0
(No malicious items detected)
 
Module: 0
(No malicious items detected)
 
Registry Key: 0
(No malicious items detected)
 
Registry Value: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Data Stream: 0
(No malicious items detected)
 
Folder: 0
(No malicious items detected)
 
File: 5
Malware.AI.2563702741, C:\USERS\MAXXY\APPDATA\ROAMING\KRNL\KRNLUI.EXE, No Action By User, 1000000, -1731264555, 1.0.65833, A8A98DB71490F14698CEFFD5, dds, 02173581, 39ED86952A1E7926924A18802C0B75E4, B84CEB86E9A8EBA4D168F2CC6C9010C93779641E595F900AAFE8CFEF6165C126
Malware.AI.4290638100, C:\USERS\MAXXY\APPDATA\ROAMING\KRNL\KRNL.DLL, No Action By User, 1000000, -4329196, 1.0.65833, 53C1C875A695C8F7FFBDF114, dds, 02173581, DD2CEAD4E9DDED0E029457061C4DCFD5, BB8125901CA3CAF7DD5F726085F21D08B2E3736F4109E0530DA118E3DC54CB1B
Trojan.Agent, C:\USERS\MAXXY\APPDATA\ROAMING\WINDOWS\TELEMETRY\SIHOST64.EXE, No Action By User, 472, 988375, 1.0.65833, A61F6631BDA1F0A476F0E28D, dds, 02173581, 85BB1E5D26DB9E800D6F66803876F4B6, 9E154B4D2A6BBCBF0F97A5141A769B9B306D6FC46A3DC52074A41E97F5897A51
Malware.AI.4165278293, C:\USERS\MAXXY\APPDATA\LOCAL\PROGRAMS\JJSPLOIT\INDICIUM SUPRA.DLL, No Action By User, 1000000, -129689003, 1.0.65833, AD234CD8EBC05C4EF8451A55, dds, 02173581, 42CD8AC756011A21FBAE0FE95DE11D0E, DFF16A67DE18B2D9F8437796FAE6BC6CEFF9E7C953249089ACED406924A55190
RiskWare.GameHack, C:\USERS\MAXXY\DOWNLOADS\KRNL_BETA.EXE, No Action By User, 5553, 1067775, 1.0.65833, , ame, , 3701DC535FB395D6A1FB557A3AEEC5E9, EC6DF713446A8DD5EFB376FBB7B444ED7E09F5CDD98C0494999B64AF2E2D5537
 
Physical Sector: 0
(No malicious items detected)
 
WMI: 0
(No malicious items detected)
 
 
(end)

Attached Files


  • 0
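The "-Scan Details-" section of the Malwarebytes report above is a flat, comma-separated layout: detection name, path, action taken, several internal numeric fields, then the MD5 and SHA256 of the file. When a helper is reading several of these reports, it is handy to pull the rows into structured records and flag the ones that deserve a closer look (an executable sitting in a user-writable directory, or a file whose name imitates a Windows system binary but lives outside C:\Windows, such as the SIHOST64.EXE entry in this log). The following Python script is an added example written for this page; it is not Malwarebytes code and not part of the thread. The sample report is a constructed excerpt in the posted layout (the two "File:" rows are copied from the log above), and the lookalike-name list and user-writable directory list are heuristics I chose, not a vendor classification.

```python
import re
from dataclasses import dataclass

# Constructed excerpt in the layout of the Malwarebytes report posted in the thread.
# The two "File:" rows are copied from that report; the surrounding sections are trimmed.
SAMPLE_REPORT = r"""
-Scan Summary-
Scan Type: Threat Scan
Threats Detected: 5
Time Elapsed: 7 min, 30 sec

-Scan Details-
Process: 0
(No malicious items detected)

File: 2
Trojan.Agent, C:\USERS\MAXXY\APPDATA\ROAMING\WINDOWS\TELEMETRY\SIHOST64.EXE, No Action By User, 472, 988375, 1.0.65833, A61F6631BDA1F0A476F0E28D, dds, 02173581, 85BB1E5D26DB9E800D6F66803876F4B6, 9E154B4D2A6BBCBF0F97A5141A769B9B306D6FC46A3DC52074A41E97F5897A51
RiskWare.GameHack, C:\USERS\MAXXY\DOWNLOADS\KRNL_BETA.EXE, No Action By User, 5553, 1067775, 1.0.65833, , ame, , 3701DC535FB395D6A1FB557A3AEEC5E9, EC6DF713446A8DD5EFB376FBB7B444ED7E09F5CDD98C0494999B64AF2E2D5537

Physical Sector: 0
(No malicious items detected)

(end)
"""

CATEGORY_RE = re.compile(r"^([A-Za-z ]+): (\d+)$")   # e.g. "File: 5", "Registry Key: 0"
MD5_RE = re.compile(r"^[0-9A-F]{32}$")
SHA256_RE = re.compile(r"^[0-9A-F]{64}$")

# Heuristic lists (my choice, not a Malwarebytes classification).
USER_WRITABLE = ("\\APPDATA\\ROAMING\\", "\\APPDATA\\LOCAL\\", "\\DOWNLOADS\\", "\\TEMP\\")
SYSTEM_LOOKALIKE_PREFIXES = ("SIHOST", "SVCHOST", "CSRSS", "LSASS", "EXPLORER")
EXECUTABLE_EXT = (".EXE", ".DLL", ".SCR", ".SYS")


@dataclass
class Detection:
    category: str   # section of "-Scan Details-" the row came from, e.g. "File"
    name: str       # detection name, e.g. "Trojan.Agent"
    path: str       # object path as printed in the report
    action: str     # e.g. "No Action By User" or "Quarantined"
    md5: str        # empty string if the row carries no MD5
    sha256: str     # empty string if the row carries no SHA256


def parse_report(text: str) -> list[Detection]:
    """Extract detection rows from the '-Scan Details-' section of a report."""
    detections: list[Detection] = []
    in_details = False
    category = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "-Scan Details-":
            in_details = True
            continue
        if line.startswith("-") and line.endswith("-"):
            in_details = False          # any other "-Section-" header ends the details
            continue
        if not in_details or not line or line.startswith("("):
            continue                    # blank lines and "(No malicious items detected)"
        m = CATEGORY_RE.match(line)
        if m:
            category = m.group(1)
            continue
        if category is None:
            continue
        # Rows are comma-separated; paths in Malwarebytes reports do not contain commas.
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 5:
            continue
        md5 = fields[-2] if MD5_RE.match(fields[-2]) else ""
        sha256 = fields[-1] if SHA256_RE.match(fields[-1]) else ""
        detections.append(Detection(category, fields[0], fields[1], fields[2], md5, sha256))
    return detections


def triage(det: Detection) -> list[str]:
    """Return human-readable reasons why a row deserves a closer look (may be empty)."""
    reasons = []
    p = det.path.upper()
    base = p.rsplit("\\", 1)[-1]
    if base.endswith(EXECUTABLE_EXT) and any(seg in p for seg in USER_WRITABLE):
        reasons.append("executable in a user-writable location")
    if base.startswith(SYSTEM_LOOKALIKE_PREFIXES) and not p.startswith("C:\\WINDOWS\\"):
        reasons.append("system-binary lookalike name outside C:\\WINDOWS")
    if det.action == "No Action By User":
        reasons.append("not quarantined (No Action By User)")
    return reasons


if __name__ == "__main__":
    for det in parse_report(SAMPLE_REPORT):
        flags = "; ".join(triage(det)) or "nothing notable"
        print(f"[{det.category}] {det.name}\n  {det.path}\n  sha256={det.sha256 or 'n/a'}\n  {flags}")
```

The script reads the report from the embedded string so it runs offline; to use it on a real export, replace `SAMPLE_REPORT` with the contents of the "Export" / "Copy to Clipboard" text from the Reports tab. The SHA256 values it extracts are what you would check against a reputation service before deciding whether an entry is a false positive, which is exactly the question raised about the JJSPLOIT item later in the thread.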

#18
DR M (The Grecian Geek, Malware Removal, 4,096 posts)

 

Ref. the browsers, I am trying to use either Edge, Chrome or Opera. All are producing the same redirect issue.

 

To avoid this issue while we are working, you can change the setting about automatic https, as instructed here. Do that for one browser, and when we finish, you can change it back.

 

========================================

 

Malwarebytes detected some items related to programs you have installed.
 
See:
 
Malware.AI.4165278293, C:\USERS\MAXXY\APPDATA\LOCAL\PROGRAMS\JJSPLOIT\INDICIUM SUPRA.DLL
RiskWare.GameHack, C:\USERS\MAXXY\DOWNLOADS\KRNL_BETA.EXE
 
 
In the next steps, I'll ask you to remove everything except the one related to JJSPLOIT. I'll ask the Malwarebytes colleagues if this is a false-positive detection.
 
So...


1. AdwCleaner (Clean mode)

Let me explain to you the log created by AdwCleaner:

The findings in the Files, Folders, Registry and Chromium parts of the log are adware and PUPs, which stands for Potentially Unwanted Programs. In the instructions below, I will list them all to be removed.

The section at the bottom under Preinstalled Software is software that was apparently installed when the device was new, which you may or may not use. Personally, I do not keep anything I don't use/need. But it's your computer, so your decision.

WildTangentGames also came preinstalled on your computer. Since you or your granddaughter may be using it, you can keep it. The decision here is yours.

To proceed, please do the following:

  • Double click AdwCleaner.exe on your Desktop, to run it as you did before.
  • Click Scan Now.
  • When the scan has finished a Scan Results window will open.
  • Please check all the boxes and then click Quarantine.
  • Click Next.
    • If any pre-installed software was found on your machine, a prompt window will open. Click OK to close it.
    • Check any pre-installed software items you want to remove.
    • Click Quarantine.
  • A prompt to save your work will appear.
    • Click Continue when you're ready to proceed.
  • A prompt to restart your computer will appear.
    • Click Restart Now.
  • Once your computer has restarted:
    • If it doesn't open automatically, please start AdwCleaner.
    • Click the Log Files tab.
    • Double click on the latest Clean log (Clean logs have a [C0*] suffix, where * is replaced by a number; the latest scan will have the largest number).
    • A Notepad file will open containing the results of the removal.
    • Please post the contents of the file in your next reply.

 

2. Run Malwarebytes (Clean mode)

  • Double click the program's icon on your Desktop, as you did before.
  • Click the little gear on the top right (Settings) and when it opens, click the Security tab and make sure about the following:
    Under the title Scan Options, all the options are checked.
    Under the title Windows Security Center (Premium only) the option is unchecked.
    Under the title Potentially unwanted items all options are set to Always.
  • Click on the little gear to return to the main menu and select Scan. The program will start scanning your computer. This may take about 10 minutes, but in some cases it may take longer.
  • When finished, you will see the Threat Scan Summary window open.
  • If threats are not found, click View Report and proceed to the two last steps below.
  • If threats are found, make sure that all threats are selected except the one in the code, and click on Quarantine/Remove selected.
    Malware.AI.4165278293, C:\USERS\MAXXY\APPDATA\LOCAL\PROGRAMS\JJSPLOIT\INDICIUM SUPRA.DLL, No Action By User, 1000000, -129689003, 1.0.65833, AD234CD8EBC05C4EF8451A55, dds, 02173581, 42CD8AC756011A21FBAE0FE95DE11D0E, DFF16A67DE18B2D9F8437796FAE6BC6CEFF9E7C953249089ACED406924A55190
    
  • You may need to restart the computer.
  • Open Malwarebytes again, click on the Scanner, and then on the Reports tab.
  • Find the report with the most recent date and double click on it.
  • Click on Export and then Copy to Clipboard.
  • Paste its content here, in your next reply.

 

 

In your next reply, please post

  • The AdwCleaner[C0*].txt
  • The Malwarebytes report

  • 0

#19
valleyboy (Member, Topic Starter, 245 posts)

Hello....

 

As requested. Files attached for reference.

 

Much appreciated.

 

VB

Attached Files


  • 0

#20
valleyboy (Member, Topic Starter, 245 posts)

I have to leave home now. May get back to any replies later but more likely to be tomorrow. Have a great evening.


  • 0

#21
DR M (The Grecian Geek, Malware Removal, 4,096 posts)

OK, have a nice day too. :)


  • 0

#22
DR M (The Grecian Geek, Malware Removal, 4,096 posts)

We removed before this file:
 
C:\USERS\MAXXY\APPDATA\ROAMING\WINDOWS\TELEMETRY\SIHOST64.EXE
 
Let's see what the whole folder contains in there. It seems suspicious.

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system

  • Select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy". No need to paste anything anywhere.
Start::
zip: C:\USERS\MAXXY\APPDATA\ROAMING\WINDOWS
End::
  • Right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a zip file on your Desktop.
  • Please attach it here for me to check.

  • 0

#23
valleyboy (Member, Topic Starter, 245 posts)

Hi

 

All seems much much better now. Thank you very much for your help.

 

I've attached the latest log.

 

Still have the issue with the browser redirects though.  :headscratch:

Attached Files


Edited by valleyboy, 18 February 2023 - 02:34 PM.

  • 0

#24
DR M (The Grecian Geek, Malware Removal, 4,096 posts)

 

Still have the issue with the browser redirects though.

 

You mean when you are trying to get into the Forum right? Have you tried my suggestion above?

 

I'll see you tomorrow and we will continue then.


  • 0

#25
DR M (The Grecian Geek, Malware Removal, 4,096 posts)

Hi, VB.

 

Please run FRST once more and attach fresh logs, Addition and FRST.


  • 0



#26
valleyboy (Member, Topic Starter, 245 posts)

Good morning

 

Files attached.

 

Regards the browser redirects. I clicked the link you provided in a previous post to resolve the issue but that link just took me to the top of the page. It didn't seem to actually link to any instructions.

 

Regards

VB

Attached Files


  • 0

#27
DR M (The Grecian Geek, Malware Removal, 4,096 posts)

Oops! You are right! I corrected the link now! Check again. To clarify, it's not something I recommend changing forever. Just for now, while you visit the site regularly. Then, you can change the setting back to what it was.

 

I'll review the new logs and be back to you as soon as I can.


  • 0

#28
DR M (The Grecian Geek, Malware Removal, 4,096 posts)

Hi, VB!
 
I'm back. :)
 
Let's remove that folder (C:\USERS\MAXXY\APPDATA\ROAMING\WINDOWS). Seems that it contains only malicious files.
 
 
FRST fix

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system

  • Select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy". No need to paste anything anywhere.
Start::
CreateRestorePoint:
CloseProcesses:
C:\USERS\MAXXY\APPDATA\ROAMING\WINDOWS
EmptyTemp:
End::
  • Right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt on your Desktop.
  • Post the log in your next reply.

 

In your next reply please post:

  1. The fixlog.txt
  2. Feedback: how is the computer running now?

  • 0

#29
valleyboy (Member, Topic Starter, 245 posts)

Hello there!.....

 

Fixlog attached. The PC seems to be just fine now thank you. Startup is reliable and fast and no other issues as far as I can see.  :spoton:

 

Very grateful.

 

VB

Attached Files


  • 0

#30
DR M (The Grecian Geek, Malware Removal, 4,096 posts)

Excellent!!! :yeah:
 

Just a note about the KRNL items we removed. They are part of Roblox, but they have a nature that makes many antivirus programs detect them as malware, since they get injected into a game and run scripts. Tell your son, if he plans to use them again, to download them from the official trusted site and be very careful with the scripts he takes from others. I don't know much about these things, but I would be very, very careful.

 

 

Now...
 
If no other questions/issues/concerns...

The following tool will remove the tools we used as well as reset system restore points:

Download KpRm by kernel-panik and save it to your desktop.

  • Right-click kprm_(version).exe and select Run as Administrator.
  • Read and accept the disclaimer.
  • When the tool opens, ensure all boxes under Actions are checked.
  • Under Delete Quarantines select Delete Now, then click Run.
  • Once complete, click OK.
  • A log will open in Notepad titled kprm-(date).txt.
  • Please copy and paste its contents in your next reply.

  • 0
