3 Replies Latest reply on Jul 5, 2017 6:49 AM by exbrit

    JTI/SUSPECT!131076 REMOVAL (Assistance Needed)

    agenthoopla

      Hey All,

       

      Just wanted to say thank you for reading my post. I am a little worried about an infection that I received recently on a brand new laptop that I bought literally a week ago.

       

      I was browsing the internet (looking at news articles, etc.) and all of a sudden the anti-virus program that I use, "McAfee Total Protection", had a small popup appear on the bottom right of my screen telling me something was quarantined. I thought this was weird and suspicious, so I decided to take an additional look.

       

      I have attached two pictures of my screen showing what McAfee told me the file was suspected to be and the file path.

       

      http://imgur.com/hSrnFlZ

      http://imgur.com/URSiAuD

       

      I searched JTI/SUSPECT!131076 in Google and got some disturbing results; it seems like a really bad worm. I have no idea what programs it was tied to, or how I could have gotten it.

       

      So I went ahead and went into the file path on my computer and tried to find the file, and I did. I uploaded APPLEID-NOTIFICATION[766].pdf to VirusTotal and nothing came up as suspicious.

       

      The 762 folder was created on 7/3/2017 at 8:37pm, the EXACT time McAfee flagged it and quarantined the single file, so that tells me that once it was created, it was flagged and caught.

       

      There were also a few more files (about 5 or 6) in the 762 folder, named things such as Business Proposal!.Docx, MysteryShopper.PNG and other weird file names. I uploaded Business Proposal!.DocX to VirusTotal and only one program out of the 62 or so said it was some sort of Phishing Warning.

       

      So, while the file was in quarantine, I updated Windows Defender and McAfee, downloaded Malwarebytes and ran 5 full system scans.

       

      First Scan: McAfee Full System Scan - NO THREATS FOUND

       

      Second Scan: Windows Defender Scan - NO THREATS FOUND

       

      Third Scan: Windows Defender Offline Mode - NO THREATS FOUND

       

      Fourth Scan: Malwarebytes - NO THREATS FOUND

       

      Fifth Scan: McAfee Full System Scan - NO THREATS FOUND

       

      Sixth Scan: Windows Defender Full System Scan - NO THREATS FOUND

       

      I then deleted the file APPLEID-NOTIFICATION[766].PDF from quarantine via the McAfee software and went back to the file location of said worm to verify it was gone. The file was still there, but had a file size of 0KB. I then highlighted EVERYTHING (including the 5 or 6 weird file names) and used McAfee's "File Shred" option to permanently delete them from my computer.

       

      I wanted to write this post to get some input on the following questions:

       

      1) Is the virus still in my computer?

       

      2) Did I do the correct order of operations for virus removal?

       

      3) Should I worry about another possible infection that might reoccur?

       

      4) Is my system compromised?

       

      5) What do I do now?

        • 1. Re: JTI/SUSPECT!131076 REMOVAL (Assistance Needed)
          Peacekeeper

          OK, I am not a virus expert, but I would have thought deleting from the quarantine list would have removed the file. It seems to have left a shell of it. I would also suggest clearing all browser and internet temp files and doing a scan with Malwarebytes as well as GetSusp and AdwCleaner from here. Scans would not detect anything, I think, if it is already in quarantine. See if a more knowledgeable user can comment.

          Anti-Spyware/Malware & Hijacker Tools

          • 2. Re: JTI/SUSPECT!131076 REMOVAL (Assistance Needed)
            agenthoopla

            Thanks for the reply Peacekeeper.

             

            I scanned my computer with Malwarebytes already. It came back clean.

             

            I also scanned my computer with AdwCleaner and the log is below.

             

            # AdwCleaner v6.047 - Logfile created 04/07/2017 at 16:33:48
            # Updated on 19/05/2017 by Malwarebytes
            # Database : 2017-07-04.2 [Server]
            # Operating System : Windows 10 Home  (X64)
            # Username : J-fow - SPECTRE
            # Running from : C:\Users\J-fow\Downloads\AdwCleaner.exe
            # Mode: Clean
            # Support : https://www.malwarebytes.com/support

            ***** [ Services ] *****

            ***** [ Folders ] *****

            ***** [ Files ] *****

            ***** [ DLL ] *****

            ***** [ WMI ] *****

            ***** [ Shortcuts ] *****

            ***** [ Scheduled Tasks ] *****

            ***** [ Registry ] *****

            ***** [ Web browsers ] *****

            [-] [C:\Users\J-fow\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: aol.com
            [-] [C:\Users\J-fow\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: ask.com

            *************************

            :: "Tracing" keys deleted
            :: Winsock settings cleared

            *************************

            C:\AdwCleaner\AdwCleaner[C0].txt - [969 Bytes] - [04/07/2017 16:33:48]
            C:\AdwCleaner\AdwCleaner[S0].txt - [1522 Bytes] - [04/07/2017 16:32:31]

            ########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [1114 Bytes] ##########

             

            I also used JRT (Junkware Removal Tool) and the log file is below.

             

            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
            Junkware Removal Tool (JRT) by Malwarebytes
            Version: 8.1.3 (04.10.2017)
            Operating System: Windows 10 Home x64
            Ran by J-fow (Administrator) on Tue 07/04/2017 at 16:37:12.20
            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

            File System: 0

            Registry: 0

            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
            Scan was completed on Tue 07/04/2017 at 16:39:18.15
            End of JRT log
            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

             

            As mentioned, the file in question, when deleted from quarantine, had a file size of 0 KB. I then used McAfee's "Shredder" option to permanently delete ALL of the suspicious files in the 762 folder.

            • 3. Re: JTI/SUSPECT!131076 REMOVAL (Assistance Needed)
              exbrit

              Scroll to the bottom of the link Peacekeeper posted and you'll see mention of Farbar. Follow that process and post as instructed on that specialist forum with a full explanation, as they request.