3 Replies Latest reply on Jul 5, 2017 6:49 AM by Peter M

    JTI/SUSPECT!131076 REMOVAL (Assistance Needed)

    agenthoopla

      Hey All,

       

Just wanted to say thank you for reading my post. I am a little worried about an infection that I received recently on a brand new laptop that I bought literally a week ago.

       

I was browsing the internet (looking at news articles, etc.) and all of a sudden the anti-virus program that I use, "McAfee Total Protection", had a small popup appear on the bottom right of my screen telling me something was quarantined. I thought this was weird and suspicious, so I decided to take an additional look.

       

I have attached two pictures of my screen showing what McAfee told me the file was suspected to be and the file path.

       

      http://imgur.com/hSrnFlZ

      http://imgur.com/URSiAuD

       

I searched JTI/SUSPECT!131076 on Google and got some disturbing results; it seems like a really bad worm. I have no idea what programs it was tied to, or how I could have gotten it.

       

So I went ahead and went into the file path on my computer and tried to find the file, and I did. I uploaded APPLEID-NOTIFICATION[766].pdf to VirusTotal and nothing came up as suspicious.

       

The 762 folder was created on 7/3/2017 at 8:37 pm, the EXACT time McAfee flagged it and quarantined the single file, so that tells me that once it was created, it was flagged and caught.

       

There were also a few (about 5 or 6) other files in the 762 folder named things such as Business Proposal!.Docx, MysteryShopper.PNG and other weird file names. I uploaded Business Proposal!.DocX to VirusTotal and only one program out of the 62 or so said it was some sort of Phishing Warning.

       

So, while the file was in Quarantine I updated Windows Defender and McAfee, downloaded Malwarebytes and ran 5 Full System Scans.

       

First Scan: McAfee Full System Scan - NO THREATS FOUND

       

      Second Scan: Windows Defender Scan - NO THREATS FOUND

       

      Third Scan: Windows Defender Offline Mode - NO THREATS FOUND

       

Fourth Scan: Malwarebytes - NO THREATS FOUND

       

Fifth Scan: McAfee Full System Scan - NO THREATS FOUND

       

      Sixth Scan: Windows Defender Full System Scan - NO THREATS FOUND

       

I then deleted the file APPLEID-NOTIFICATION[766].PDF from quarantine via the McAfee software and went back to the file location of said worm to verify it was gone. The file was still there, but had a file size of 0 KB. I then highlighted EVERYTHING (including the 5 or 6 weird file names) and used McAfee's "File Shred" option to permanently delete them from my computer.

       

I wanted to write this post to get some input on the following questions:

       

      1) Is the virus still in my computer?

       

      2) Did I do the correct order of operations for virus removal?

       

      3) Should I worry about another possible infection that might reoccur?

       

      4) Is my system compromised?

       

      5) What do I do now?

        • 1. Re: JTI/SUSPECT!131076 REMOVAL (Assistance Needed)
          Peacekeeper

OK, I am not a virus expert, but I would have thought deleting from the quarantine list would have removed the file. It seems to have left a shell of it. I would also suggest clearing all browser and internet temp files and doing a scan with Malwarebytes as well as GetSusp and AdwCleaner from here. Scans would not detect anything, I think, if it is already in quarantine. See if a more knowledgeable user can comment.

          Anti-Spyware/Malware & Hijacker Tools

          • 2. Re: JTI/SUSPECT!131076 REMOVAL (Assistance Needed)
            agenthoopla

            Thanks for the reply Peacekeeper.

             

I scanned my computer with Malwarebytes already. It came back clean.

             

I also scanned my computer with AdwCleaner and the log is below.

             

            # AdwCleaner v6.047 - Logfile created 04/07/2017 at 16:33:48

            # Updated on 19/05/2017 by Malwarebytes

            # Database : 2017-07-04.2 [Server]

            # Operating System : Windows 10 Home  (X64)

            # Username : J-fow - SPECTRE

            # Running from : C:\Users\J-fow\Downloads\AdwCleaner.exe

            # Mode: Clean

            # Support : https://www.malwarebytes.com/support


            ***** [ Services ] *****


            ***** [ Folders ] *****


            ***** [ Files ] *****


            ***** [ DLL ] *****


            ***** [ WMI ] *****


            ***** [ Shortcuts ] *****


            ***** [ Scheduled Tasks ] *****


            ***** [ Registry ] *****


            ***** [ Web browsers ] *****

             

            [-] [C:\Users\J-fow\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: aol.com

            [-] [C:\Users\J-fow\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: ask.com


            *************************

             

            :: "Tracing" keys deleted

            :: Winsock settings cleared

             

            *************************

             

            C:\AdwCleaner\AdwCleaner[C0].txt - [969 Bytes] - [04/07/2017 16:33:48]

            C:\AdwCleaner\AdwCleaner[S0].txt - [1522 Bytes] - [04/07/2017 16:32:31]

             

            ########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [1114 Bytes] ##########

             

            Also used JRT (Junkware Removal Tool) and the log file is below.

             

            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

            Junkware Removal Tool (JRT) by Malwarebytes

            Version: 8.1.3 (04.10.2017)

            Operating System: Windows 10 Home x64

            Ran by J-fow (Administrator) on Tue 07/04/2017 at 16:37:12.20

            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


            File System: 0


            Registry: 0


            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

            Scan was completed on Tue 07/04/2017 at 16:39:18.15

            End of JRT log

            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

             

As mentioned, the file in question, when deleted from Quarantine, had a file size of 0 KB. I then used McAfee's "Shredder" option to permanently delete ALL of the suspicious files in the 762 folder.

            • 3. Re: JTI/SUSPECT!131076 REMOVAL (Assistance Needed)
              Peter M

Scroll to the bottom of the link Peacekeeper posted and you'll see mention of Farbar. Follow that process and post as instructed on that specialist forum with a full explanation, as they request.