3 Replies Latest reply on Jul 5, 2017 6:49 AM by Peter M

    JTI/SUSPECT!131076 REMOVAL (Assistance Needed)


      Hey All,


      Just wanted to say thank you for reading my post. I am a little worried about an infection that I received recently on a brand new laptop that I bought literally a week ago.


      I was browsing the internet (looking at news articles, etc.) and all of a sudden the anti-virus program that I use, "McAfee Total Protection", had a small popup appear on the bottom right of my screen telling me something had been quarantined. I thought this was weird and suspicious, so I decided to take an additional look.


      I have attached two pictures of my screen showing what McAfee told me the file was suspected to be and the file path.





      I searched JTI/SUSPECT!131076 on Google and got some disturbing results; it seems like a really bad worm. I have no idea what programs it was tied to, or how I could have gotten it.


      So I went ahead and went to the file path on my computer and tried to find the file, and I did. I uploaded APPLEID-NOTIFICATION[766].pdf to VirusTotal and nothing came up as suspicious.


      The 762 folder was created on 7/3/2017 at 8:37 pm, the EXACT time McAfee flagged it and quarantined the single file, so that tells me that once it was created, it was flagged and caught.


      There were also a few (about 5 or 6) other files in the 762 folder with names such as Business Proposal!.Docx, MysteryShopper.PNG and other weird file names. I uploaded Business Proposal!.DocX to VirusTotal and only one engine out of the 62 or so said it was some sort of phishing warning.


      So, while the file was in quarantine, I updated Windows Defender and McAfee, downloaded Malwarebytes and ran 5 full system scans.


      First Scan: McAfee Full System Scan - NO THREATS FOUND


      Second Scan: Windows Defender Scan - NO THREATS FOUND


      Third Scan: Windows Defender Offline Mode - NO THREATS FOUND


      Fourth Scan: Malwarebytes - NO THREATS FOUND


      Fifth Scan: McAfee Full System Scan - NO THREATS FOUND


      Sixth Scan: Windows Defender Full System Scan - NO THREATS FOUND


      I then deleted the file APPLEID-NOTIFICATION[766].PDF from quarantine via the McAfee software and went back to the file location of said worm to verify it was gone. The file was still there, but had a file size of 0 KB. I then highlighted EVERYTHING (including the 5 or 6 weird file names) and used McAfee's "File Shred" option to permanently delete them from my computer.


      I wanted to write this post to get some input on the following questions:


      1) Is the virus still in my computer?


      2) Did I do the correct order of operations for virus removal?


      3) Should I worry about another possible infection that might reoccur?


      4) Is my system compromised?


      5) What do I do now?
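The triage the poster did by hand (locating the folder, comparing its creation time with the quarantine time, uploading files to VirusTotal, finding a 0 KB shell after the quarantine delete, verifying removal) can be scripted so the evidence is captured before anything is shredded. The PowerShell below is an added example and is not code from the post, from McAfee or from Malwarebytes. The folder path is a placeholder (the real path was only visible in the poster's screenshots), the detection time is taken from the post, and the 5-minute correlation window is an assumption. Hashing the files lets you search VirusTotal by SHA-256 instead of uploading documents that may contain personal data.

```powershell
# Triage-SuspectFolder.ps1  (added example; not the poster's or McAfee's code)
# Dot-source it so Test-SuspectRemoved stays available after you delete/shred:
#   . .\Triage-SuspectFolder.ps1 -SuspectFolder 'C:\...\762'
param(
    # Assumption: placeholder for the "762" folder from the post; the real path
    # was only visible in the poster's screenshots.
    [string]$SuspectFolder = 'C:\Path\To\762',
    # From the post: McAfee quarantined the PDF on 7/3/2017 at 8:37 pm.
    [datetime]$DetectionTime = [datetime]'2017-07-03 20:37:00',
    # Assumption: files created this close to the detection belong to the same drop.
    [int]$WindowMinutes = 5
)

function Get-SuspectInventory {
    param([string]$Path)
    # -Force includes hidden/system files. The SHA-256 lets you search VirusTotal
    # by hash rather than uploading a document that may contain personal data.
    Get-ChildItem -LiteralPath $Path -File -Force -Recurse | ForEach-Object {
        [pscustomobject]@{
            Name     = $_.Name
            Bytes    = $_.Length
            Created  = $_.CreationTime
            Modified = $_.LastWriteTime
            SHA256   = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            FullPath = $_.FullName
        }
    }
}

function Get-ZoneIdentifier {
    param([string]$FilePath)
    # Browser downloads carry a Zone.Identifier alternate data stream (ZoneId=3);
    # recent Windows 10 builds may also record HostUrl/ReferrerUrl in it, which
    # tells you where the file actually came from.
    Get-Content -LiteralPath $FilePath -Stream Zone.Identifier -ErrorAction SilentlyContinue
}

function Test-SuspectRemoved {
    param([object[]]$Inventory)
    # Run after deleting from quarantine or shredding. The poster found the name
    # still present as a 0 KB shell after the quarantine delete; this reports
    # every inventoried path that still exists, with its current size.
    foreach ($f in $Inventory) {
        if (Test-Path -LiteralPath $f.FullPath) {
            $len = (Get-Item -LiteralPath $f.FullPath -Force).Length
            Write-Warning ("Still present: {0} ({1} bytes)" -f $f.FullPath, $len)
        }
    }
}

$inventory = Get-SuspectInventory -Path $SuspectFolder

Write-Host "Folder created : $((Get-Item -LiteralPath $SuspectFolder -Force).CreationTime)"
Write-Host "Detection time : $DetectionTime`n"
$inventory | Format-Table Name, Bytes, Created, SHA256 -AutoSize

# Zero-byte files: the content is already gone and only the directory entry remains.
$inventory | Where-Object Bytes -eq 0 |
    ForEach-Object { Write-Warning "Zero-byte remnant: $($_.FullPath)" }

# Files created inside the window around the quarantine event were most likely
# written by the same activity that dropped the flagged PDF.
Write-Host "Files created within $WindowMinutes minutes of the detection:"
$inventory |
    Where-Object { [math]::Abs(($_.Created - $DetectionTime).TotalMinutes) -le $WindowMinutes } |
    Select-Object Name, Created, Bytes | Format-Table -AutoSize

# Download provenance, where Windows recorded it.
foreach ($f in $inventory) {
    $zone = Get-ZoneIdentifier -FilePath $f.FullPath
    if ($zone) { Write-Host "Zone.Identifier for $($f.Name):"; $zone; Write-Host '' }
}
```

Keep the printed inventory (names, timestamps, hashes) before shredding; it is what a specialist forum will ask for, and the hashes remain searchable on VirusTotal after the files are gone. After the quarantine delete or shred, call `Test-SuspectRemoved -Inventory $inventory` to confirm nothing, not even a 0 KB shell, is left.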

        • 1. Re: JTI/SUSPECT!131076 REMOVAL (Assistance Needed)

          OK, I am not a virus expert, but I would have thought deleting from the quarantine list would have removed the file. It seems to have left a shell of it. I would also suggest clearing all browser and internet temp files and doing a scan with Malwarebytes as well as GetSusp and AdwCleaner from here. Scans would not detect anything, I think, if it is already in quarantine. See if a more knowledgeable user can comment.

          Anti-Spyware/Malware & Hijacker Tools

          • 2. Re: JTI/SUSPECT!131076 REMOVAL (Assistance Needed)

            Thanks for the reply Peacekeeper.


            I scanned my computer with Malwarebytes already. It came back clean.


            I also scanned my computer with AdwCleaner and the log is below.


            # AdwCleaner v6.047 - Logfile created 04/07/2017 at 16:33:48

            # Updated on 19/05/2017 by Malwarebytes

            # Database : 2017-07-04.2 [Server]

            # Operating System : Windows 10 Home  (X64)

            # Username : J-fow - SPECTRE

            # Running from : C:\Users\J-fow\Downloads\AdwCleaner.exe

            # Mode: Clean

            # Support : https://www.malwarebytes.com/support




            ***** [ Services ] *****




            ***** [ Folders ] *****




            ***** [ Files ] *****




            ***** [ DLL ] *****




            ***** [ WMI ] *****




            ***** [ Shortcuts ] *****




            ***** [ Scheduled Tasks ] *****




            ***** [ Registry ] *****




            ***** [ Web browsers ] *****


            [-] [C:\Users\J-fow\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: aol.com

            [-] [C:\Users\J-fow\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: ask.com





            :: "Tracing" keys deleted

            :: Winsock settings cleared




            C:\AdwCleaner\AdwCleaner[C0].txt - [969 Bytes] - [04/07/2017 16:33:48]

            C:\AdwCleaner\AdwCleaner[S0].txt - [1522 Bytes] - [04/07/2017 16:32:31]


            ########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [1114 Bytes] ##########


            Also used JRT (Junkware Removal Tool) and the log file is below.



            Junkware Removal Tool (JRT) by Malwarebytes

            Version: 8.1.3 (04.10.2017)

            Operating System: Windows 10 Home x64

            Ran by J-fow (Administrator) on Tue 07/04/2017 at 16:37:12.20






            File System: 0





            Registry: 0







            Scan was completed on Tue 07/04/2017 at 16:39:18.15

            End of JRT log



            As mentioned, the file in question, when deleted from quarantine, had a file size of 0 KB. I then used McAfee's "Shredder" option to permanently delete ALL of the suspicious files in the 762 folder.

            • 3. Re: JTI/SUSPECT!131076 REMOVAL (Assistance Needed)
              Peter M

              Scroll to the bottom of the link Peacekeeper posted and you'll see mention of Farbar. Follow that process and post as instructed on that specialist forum with a full explanation, as they request.