Newbie -- first time malware detection question



smhoffman2014
2022-04-09, 05:39
Hi, Thank you in advance for reading this and helping. Today Spybot, Malwarebytes, and Avira all found malware on my computer for the first time. Win32.Downloader.gen was found by Spybot. I "fixed" this from within Spybot. Because of this, I ran Malwarebytes (I have the free version of Malwarebytes, Spybot, and Avira) and found 3 PUPs, which I quarantined: PUP.Optional.BundleInstaller, PUP.Optional.DotSetupIo, and a second PUP.Optional.DotSetupIo. Then I ran Avira, a full scan, and found JS/Agent.buy, which I removed, or so Avira says. Finally, I ran the Microsoft Safety Scanner and found 10 items -- which all seemed to relate to Microsoft Defender and a 'poor configuration', which it fixed. For good measure, I ran the Microsoft Malicious Software Removal Tool, which found nothing at that point -- this was just a quick scan. All others were full scans.

I decided to re-immunize my browser, via Spybot. I'm using Windows 10, because I figured there are still some bugs in Windows 11 -- and I once had issues on this 1 yr old HP 17.3" laptop (running Ryzen 5, AMD) with a Windows 10 Update -- that wound up requiring a complete system reinstall.

What else should I do, if anything? Update to Windows 11 for increased security? Run Spybot and Malwarebytes and Avira scans daily for awhile?

I do financial stuff online that I definitely don't want a hacker to get into. It's all with MFA, though. Lots of alerts.

Thank you!

smhoff

After reading about VLC Media Player today and hacking potential, I uninstalled it and installed GOM's video player instead. I did use it pretty often to watch movies. I deleted it from my phone, too, in favor of YT Music.

Juliet
2022-04-10, 15:55
PUP <== relates to potentially unwanted programs
https://blog.malwarebytes.com/101/2016/02/how-to-avoid-potentially-unwanted-programs/

It sounds like you're pretty much on top of what you need to do to ensure safety while online.

Malwarebytes AdwCleaner

-------------------

Please download AdwCleaner (https://downloads.malwarebytes.com/file/adwcleaner) and save it to your Desktop
Close all open programs and browsers
Right click on the icon and select Run as administrator
Click Scan now
Allow the program to Quarantine what it finds except for Pre-installed applications if you would like to keep those or other entries you would like to keep
When completed click View Scan Log File
Copy and paste the contents in your reply
Click Skip Basic Repair if it appears then close the program

===================================================

Copy and paste this log when finished.

smhoffman2014
2022-04-12, 03:16
Hi Juliet, I wasn't sure anyone would respond. I used Spybot maybe 1-2 days after the first incident, having removed Win32.Downloader.Gen the first time. It was found again, which honestly kind of scared me. So I ran Spybot, Malwarebytes, and Avira again--it was only Spybot that found anything this time. But I decided, since the trojan had come back again, that I would take the initiative and upgrade to Windows 11, hoping that the trojan (Win32.Downloader.Gen) wouldn't be able to 'follow me to Windows 11'. This is because most of the posts I found on the internet re: this trojan were from back in 2013! I figured it was "too old" to be able to get into Windows 11. Whatever trojans these are. Today I upgraded to Windows 11, and have found nothing wrong since. I've restarted a few times and run Spybot twice, and have run MalwareBytes and Avira once each. Nothing bad. I'm going to try AdwCleaner now and see what happens, but it's looking pretty good at this moment. I'll paste the log here when I'm done. Thank you!!!!

smhoffman2014
2022-04-12, 03:22
# -------------------------------
# Malwarebytes AdwCleaner 8.3.1.0
# -------------------------------
# Build: 11-18-2021
# Database: 2022-03-15.3 (Cloud)
# Support: https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Scan
# -------------------------------
# Start: 04-11-2022
# Duration: 00:00:06
# OS: Windows 10 Home
# Scanned: 32050
# Detected: 15


***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

No malicious folders found.

***** [ Files ] *****

No malicious files found.

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious WMI found.

***** [ Shortcuts ] *****

No malicious shortcuts found.

***** [ Tasks ] *****

No malicious tasks found.

***** [ Registry ] *****

PUP.Optional.Legacy HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zonemap\domains\dospop.com
PUP.Optional.Legacy HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zonemap\domains\incredibar.com

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries found.

***** [ Chromium URLs ] *****

No malicious Chromium URLs found.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries found.

***** [ Firefox URLs ] *****

No malicious Firefox URLs found.

***** [ Hosts File Entries ] *****

No malicious hosts file entries found.

***** [ Preinstalled Software ] *****

Preinstalled.HPSupportAssistant Folder C:\Program Files (x86)\HEWLETT-PACKARD\HP SUPPORT FRAMEWORK
Preinstalled.HPSupportAssistant Folder C:\ProgramData\HEWLETT-PACKARD\HP SUPPORT FRAMEWORK
Preinstalled.HPSupportAssistant Folder C:\Users\Steve Hoffman\AppData\Roaming\HEWLETT-PACKARD\HP SUPPORT FRAMEWORK
Preinstalled.HPSupportAssistant Registry HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{E76FD755-C1BA-4DCB-9F13-99BD91223ADE}
Preinstalled.HPSupportAssistant Registry HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E76FD755-C1BA-4DCB-9F13-99BD91223ADE}
Preinstalled.HPSupportAssistant Registry HKLM\Software\Classes\CLSID\{E76FD755-C1BA-4DCB-9F13-99BD91223ADE}
Preinstalled.HPSupportAssistant Registry HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E76FD755-C1BA-4DCB-9F13-99BD91223ADE}
Preinstalled.HPSupportAssistant Registry HKLM\Software\Wow6432Node\\Classes\CLSID\{E76FD755-C1BA-4DCB-9F13-99BD91223ADE}
Preinstalled.HPSupportAssistant Registry HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E76FD755-C1BA-4DCB-9F13-99BD91223ADE}
Preinstalled.HPSureConnect Folder C:\Program Files\HPCOMMRECOVERY
Preinstalled.HPSureConnect Registry HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Uninstall\{6468C4A5-E47E-405F-B675-A70A70983EA6}
Preinstalled.HPTouchpointAnalyticsClient Folder C:\ProgramData\HP\HP TOUCHPOINT ANALYTICS CLIENT
Preinstalled.HPTouchpointAnalyticsClient Registry HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{E5FB98E0-0784-44F0-8CEC-95CD4690C43F}



########## EOF - C:\AdwCleaner\Logs\AdwCleaner[S00].txt ##########

smhoffman2014
2022-04-12, 03:23
Hi Juliet, It seems that you were maybe guessing that I picked up some adware somewhere, somehow. Like clicking on an ad and getting a trojan that way? How bad could that trojan have been? Would it have enabled the placer of the trojan to gain access to passwords, keystrokes, etc? Or to deliver a much worse exe?

Thank you again very much!

S.M.H.

smhoffman2014
2022-04-12, 03:26
By the way, my experience of the GOM DVD player was so-so. I played a DVD of New Amsterdam and couldn't get subtitles to work with it. (Having had to download a codec and also messed with audio to get the audio to play.) So I just downloaded Microsoft's free DVD player instead, and it works adequately. I won't go back to VLC due to the Chinese hacking concerns, though I can't imagine they'd target individuals, who knows? Anyway GOM had some bundleware, I think, that seemed maybe, maybe to be related to a PUP or two.

S.M.H.

smhoffman2014
2022-04-12, 03:50
I'm 20 min into a full scan with the MS Safety Scanner. 2 infected files found so far. Let's hope those are the bundled software which came with Windows 11, or previously quarantined files. We'll see.

smhoffman2014
2022-04-12, 06:08
It said that 10 files/items were infected. The results of the scan were listed this way:

VirTool:Win32/DefenderTamperingRestore ("malware") Removed.

When I click on the hyperlink, I got this page:

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=VirTool%3aWin32%2fDefenderTamperingRestore&product=13

It seems like a 'tampering' with configurations of Microsoft Defender. And a better configuration was restored. Or....???

Doing a little reading on this from 2019, it seems like it is a concern. Has Microsoft Safety Scanner gotten to the point where it can remove this by itself? In 2019, I saw experts recommending running Malwarebytes (with rootkit scan enabled), going into safe mode and doing a few other things. I'll cut and paste what I found below.

Thank you in advance for all your help!

SMH


Hi CN. I'm Greg, an installation specialist, 10 year Windows MVP, and Guardian Moderator here to help you.


"Run a full scan with the most powerful on-demand free scanner Malwarebytes:
https://www.malwarebytes.com/mwb-download/.

In the Scan Settings first set it to include scanning for Rootkits.

If necessary run it in Safe Mode with Networking, or Safe Mode accessed by one of these methods: https://www.digitalcitizen.life/4-ways-boot-saf...

Clean up anything found, restart PC and then run again until it comes up clean.

Check for any remainders in Settings > Apps > Apps & Features, and also in each of your browser's Extensions, Home Page settings, Search service or Add-On's as shown here: https://community.box.com/t5/How-to-Guides-for-...

Then check for damaged System Files: https://www.lifewire.com/how-to-use-sfc-scannow...
If it cannot repair them see Step 10 here to continue: http://answers.microsoft.com/en-us/windows/wiki...

If you want to keep Malwarebytes as an on-demand scanner then you can turn off its Real Time trial version in its Settings > Account Details tab.

I hope this helps. Feel free to ask back any questions and let us know how it goes. I will keep working with you until it's resolved."

smhoffman2014
2022-04-12, 06:16
I decided to go ahead and do a malwarebytes scan, again, this time with 'scan for rootkits' enabled. No threat was detected at all.

I wonder if I should go ahead and do the other steps recommended by that other technician. I guess they wouldn't hurt. :-)

Your thoughts?

Thank you.

smhoffman2014
2022-04-12, 06:19
I looked into doing the rest of what the technician above recommended, and it mostly seems to be outdated.

I await any further advice. I now have a new Windows 11 system running -- with the above removed. I guess I'll keep running malwarebytes, spybot, and avira, as well as ms safety scanner, on a daily basis for awhile. It's easy to run them.

Thank you!

Juliet
2022-04-12, 15:04
Going over the scan results you posted: adware and pre-installed junk by the computer manufacturer.

Let's do an online scan and see what the results are.

Please download Emsisoft Emergency Kit (https://www.bleepingcomputer.com/download/emsisoft-emergency-kit/) and save it to your desktop.

Double-click on EmsisoftEmergencyKit.exe to install and create a shortcut on the desktop.
Leave all settings as they are and click Accept & Extract. A folder named EEK will be created in the root of the drive (usually C:\) as shown here (http://deeprybka.trojaner-board.de/bausteine/emsisoft/1.png).
After extraction an Emsisoft Emergency Kit window will open. Under "Run Directly:" click Emergency Kit Scanner.
http://i.imgur.com/rxYDlQ1.png

When asked to run an online update, click Yes.
http://i.imgur.com/dQaKPnk.png

When the update is finished, click the Back to Security Status link in the left corner.
On the main screen click the Scan PC button.
Select Smart Scan, then click the Scan button.
When the scan is finished, click the Quarantine selected objects button. Note, this option is only available if malicious objects were detected during the scan.
http://i.imgur.com/g5ojhHp.png

Click the View Report button and in the Reports window double-click on the most recent log. Logs are named as follows: a2scan_Date-Time.txt (YYMODY) and saved to C:\EEK\bin\Reports\.
Alternatively you can click Export and save the log to your Desktop, then open by double-clicking on it.
Copy and paste the contents of that logfile in your next reply.

smhoffman2014
2022-04-12, 21:19
Emsisoft Emergency Kit - Version 2022.1
Last update: 4/12/2022 12:15:30 PM
My own DESKTOP-VNQB6MV\Steve Hoffman
DESKTOP-VNQB6MV
Windows 10x64

Scan settings:

Scan type: Malware Scan
Objects: Rootkits, Memory, Traces, Files

Detect PUPs: ON
Scan archives: OFF
Scan mail archives: OFF
ADS Scan: ON
Direct disk access: OFF

Scan start: 4/12/2022 12:16:54 PM

Scanned 83296
Found 0

Scan end: 4/12/2022 12:18:12 PM
Scan time: 0:01:18

smhoffman2014
2022-04-12, 21:24
Hi Juliet,

At the end of the Emsisoft scan, it prompted me to install something -- Emsisoft protection of some kind? I'm sorry I don't remember exactly. It was like "please let us protect you" from ransomware, etc., etc., etc. They've updated it all (it looked different than what you pasted in a previous message). I'd be glad to install their protector -- but will it conflict with my antivirus or firewall or anything else? I don't have malwarebytes operating continuously, just do scans. Same with spybot. It's only Avira and Windows Defender firewall that are constantly going. Oh, and I do have Spybot Immunization going, so there's that that seems to be constantly running.

Thank you!

smhoffman2014
2022-04-12, 21:33
Hi, I did a little more research. Went on the Emsisoft website. It looks like "protection" that is ongoing with them would cost $ after a 30-day trial. So it looks like their free option, like malwarebytes', is to not provide real-time protection, but rather to provide a second opinion, their 'emergency kit', for remediation. And since we have Spybot immunization running I'm guessing we have this covered. This didn't even want me to download the Emsisoft scanner, by the way. It said that bleepingcomputer's connection was not secured, and the EEK kit could be tampered with. But I took that plunge/risk. :-)

Because I see bleepingcomputer articles on hacking regularly -- they seem like a star in this field.

Thank you again!

smhoffman2014
2022-04-12, 21:34
I think it was spybot immunization that wanted me to not download the EEK from bleeping computer.

But I did allow it, obviously.

S.H.

Juliet
2022-04-12, 23:22
Emsisoft has a trial protection option and at this time it is not necessary.
Tell me what the computer is doing now?

smhoffman2014
2022-04-13, 15:16
Spybot Immunization is making it harder for me to browse "freely", but this is probably a good thing. Computer has no symptoms.

I did a Spybot scan and found nothing major. Will do Malwarebytes, Avira, and MS Safety Scanner scans later today. Also Emsisoft again. To see if anything has returned.

Juliet
2022-04-13, 17:29
Okay
If there are no symptoms and scans are clean you should be good to go.

smhoffman2014
2022-04-13, 21:00
I really appreciate your help! I'll let you know if any scans turn up something bad. Will run all of them today, including a full Microsoft Safety Scanner.

Thank you!!

Juliet
2022-04-13, 23:56
You're welcome

smhoffman2014
2022-04-14, 00:44
Interesting...as it was scanning the computer, I could see that "9 files were infected". However, the results said that there were no threats of any kind. So it could be what you had said before: bloatware, or manufacturer-installed bundleware, etc., that was detected but then later deemed by the scanner to be harmless.

Looking good! Now I'll run Emsisoft once more and be done.

SH

smhoffman2014
2022-04-14, 20:38
It's clean! Looking good.

Thank you again, Juliet!

Juliet
2022-04-15, 15:19
Use this tool to remove quarantined items:

Please download KpRm (https://toolslib.net/downloads/viewdownload/951-kprm) by Kernel-panik and save to your Desktop.

Click on KpRm.exe to run the tool.


Vista/Windows 7/8/10 users right-click and select Run As Administrator (http://windows.microsoft.com/en-US/windows7/How-do-I-run-an-application-once-with-a-full-administrator-access-token).

Put a check mark next to these items:


- Delete tools
- Delete now
Click the "Run" button.
When the tool has finished, it will create and open a log report and delete itself.



Answers to common security questions - Best Practices (http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/) by quietman7, MVP
How Malware Spreads - How did I get infected? (http://www.bleepingcomputer.com/forums/t/287710/how-malware-spreads-how-did-i-get-infected/) by quietman7, MVP
Simple and easy ways to keep your computer safe and secure on the Internet (http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/) by Lawrence Abrams, MVP
How to Prevent Malware (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html) by miekiemoes, MVP
How to backup and restore your data using Cobian Backup (http://www.bleepingcomputer.com/tutorials/backup-and-restore-data-with-cobian-backup/) by YourHighness
Slow Computer/browser? It May Not Be Malware (http://www.bleepingcomputer.com/forums/t/87058/slow-computerbrowser-check-here-first;-it-may-not-be-malware/) by quietman7, MVP

smhoffman2014
2022-04-21, 04:34
Hi Juliet, I keep reading about Kaspersky, and potential problems with Russian hacking. This makes me leery of using Kernel panik, which looks to be made by Kaspersky. Do you have any insights on this? thank you.

Juliet
2022-04-21, 15:15
Listed in my post #23, good tips to help in staying safe.

The best tool to computer safety sits behind the keyboard. Knowledge and computer education should be a requirement to buying or using a computer and actually now a cell phone.
It's true, these are trying times and it might get worse before it gets better.

When it comes to decisions on using different brands of antivirus software, I've got to leave that to the individual. If/when I make comments on different ones it looks as if I'm plugging or campaigning for one or another, and I don't want to be called out on that subject, over which a lawsuit can occur and has.
Research your choice, make many attempts to find out as much as you can.

Some people prefer free versions over paid for security, I think as long as I've been on a computer that has been the world wide question.

smhoffman2014
2022-04-28, 04:56
All good to know. Thanks again! I'm going to refrain from using Kaspersky's tools for now, but I think I'm malware/virus/spyware free.... if there's something similar to Kernel-panik that I can use I'd be glad to use that.

Thank you.

Juliet
2022-04-28, 15:34
Are you having a specific problem with your computer that you would need help with system errors?

Juliet
2022-05-09, 14:46
Glad we could help. http://i.imgur.com/SakDYGv.gif
Since this issue appears resolved ... this Topic is closed.