ISP has notified me that my computer may have a virus


5 replies to this topic

#1 shmish

shmish

  • Members
  • 38 posts
  • OFFLINE
  • Local time:03:14 AM

Posted 01 April 2018 - 07:00 PM

Hello,

 

My ISP, Telus, has notified me that one of my computers in our house may be infected with a virus.  The email I received from them is legit, it's not a phishing scam.  I hope someone can offer advice on what my next step should be to see if there is infection on either of my two computers.

 

Both computers are running Windows 10 Pro, v1709.  I have Webroot SecureAnywhere installed on both computers.  My modem/router has a firewall enabled on it.

 

I have not done any scans with extra software on this computer yet.

 

The email from Telus is as follows:

 

We are writing to inform you that TELUS has received reports alleging that your TELUS Internet Services account has been used to scan or attempt to gain unauthorized access to another computer. If you are unaware of this type of activity coming from your account, your computer may be infected with a virus or may have some other security problems which could account for this activity.



Please note such activities violate the TELUS Internet Services Acceptable Use Policy (at http://www.telus.com/aup) and the TELUS Internet Services Account Agreement (at http://telus.com/content/internet/high-speed/service-terms.jsp), under which TELUS provides service to its customers, and such violation may lead to a suspension or termination of the TELUS Internet Services Account. As the Services account holder, you are solely responsible and liable for any and all activities that occur under your account including, without limitation, all activities of any sub-account holders.



To check your system for compromises and learn how to help protect yourself from computer viruses the following information may prove helpful:



***Step One: Scan & Clean Your Computer


Please scan all computers using the internet connection with one of the following tools. If nothing is detected or removed, please scan again using another tool.



Malwarebytes: https://www.malwarebytes.org/antimalware/ * (Microsoft Windows XP, Vista, 7, 8, 8.1. and 10)

Trend Micro HouseCall: http://housecall.trendmicro.com/ * (Windows XP, Vista, Windows, Windows 8, 8.1. and 10)

HitmanPro: https://www.hitmanpro.com/en-us/hmp.aspx * (Windows XP, Vista, 2003, 2008, Windows 7, Windows 8, 8.1. and 10)

F-Secure Online scanner: http://www.f-secure.com/en/web/home_global/online-scanner * (Windows Vista, 7 and 8, 8.1. and 10)

Sophos: http://www.sophos.com/VirusRemoval * (Windows XP (SP2) and above)

NOTE: Run the above scans on the full scan settings rather than the quick settings



**Step Two: Secure Your Wireless Internet Connection


If you are using a router with wireless capabilities, ensure it is configured securely. An unsecured router can allow anyone within its range to use your connection without your knowledge. If you have a router supplied by TELUS, please contact our helpdesk at 310 TECH (8324). They can assist in securing your wireless connection.



*Step Three: Secure Your Windows and Applications

IMPORTANT: Malware infections gain access into systems through security vulnerabilities found in out of date applications. Scanning with the recommended removal tools can correct initial infection problem, but if the underlying vulnerability is not addressed, the system can become re-infected.


Java: http://java.com/ *

Adobe Reader: http://get.adobe.com/reader/ *

Adobe Flash: http://get.adobe.com/flashplayer/ *

Critical Windows Updates: www.windowsupdate.com http://www.windowsupdate.com *


An excellent program called Secunia PSI offers a free software inspector that detects vulnerable and out of date programs and assists in patching and downloading the most recent versions. It can be found at this link: http://secunia.com/vulnerability_scanning/personal/ *



Should you require any assistance with virus detection and removal, we are offering our Tech Support Plus service to help you resolve these issues. Our Tech Support Plus team is a fee based support department that specializes in virus and spyware removal. You can view their list of services and contact details on http://www.telus.com/techsupportplus




Internet Abuse Team
TELUS Communications
Email: Abuse@telus.com


Please include the original email in any replies



* These links are provided for your convenience and general reference only and TELUS does not endorse, control, or make any representations, warranties or guarantees concerning the content of such web sites.




The following ip address was assigned to your connection. Suspicious communications were detected on the line.

incident details:
IP: 50.92.223.182
timestamp: 15/MAR/18 05:22:01 PM GMT
threat: 23
source: atttack


IAT reference number: 15837417

 

 




#2 buddy215

buddy215

  • Moderator
  • 13,420 posts
  • OFFLINE
  • Gender:Male
  • Location:West Tennessee
  • Local time:04:14 AM

Posted 01 April 2018 - 07:42 PM

I saw similar from another ISP. It was determined that ISP was attempting to charge extra for assistance...a monthly charge.

It was simply a scam.

 

I see what may be a similar attempt.

This: Should you require any assistance with virus detection and removal, we are offering our Tech Support Plus service to help you resolve these issues. Our Tech Support Plus team is a fee based support department that specializes in virus and spyware removal. You can view their list of services and contact details on http://www.telus.com/techsupportplus

Do you know how much they want to charge you or if they want to add a monthly charge?

 

Use the programs below to clean, remove adware and remove malware.

 

 

Use CCleaner to remove Temporary files, program caches, cookies, logs, etc. Use the Default settings. No need to use the Registry Cleaning Tool...risky. Pay close attention while installing and UNcheck offers of Google Chrome and Avast.

After install, open CCleaner and run by clicking on the Run Cleaner button in the bottom right corner.

CCleaner - PC Optimization and Cleaning - Free Download

 

Malwarebytes - Clean Mode

  • Download and install the free version of Malwarebytes
    Note: If you have Malwarebytes already installed, you don't need to install it again. Simply start from the next bullet point
  • Once Malwarebytes is installed, launch it and let it update its database. You might have to click on the little arrow by Scan Status in the middle right pane for it to do so
  • Once the database update is complete, click on the Scan tab, then select the Threat Scan button and click on Start Scan
  • Let the scan run, the time required to complete the scan depends on your system and computer specs
  • Once the scan is complete, make sure that the first checkbox at the top is checked (which will automatically check every detected item), then click on the Quarantine Selected button
    • If it asks you to restart your computer to complete the removal, do so
  • Click on Export Summary after the deletion (in the bottom-left corner) and select Copy to Clipboard. Paste the content in your next reply

Download AdwCleaner by Xplode onto your desktop. (compatible with Windows 7, 8 and 10)

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Scan button.
  • When the scan has finished click on Clean button.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

 

Download and run the FREE online scanner from Free Virus Scan | Online Virus Scan from ESET | ESET

  • Place a checkmark in YES, I accept the Terms of Use, then click Start. Wait for ESET Online Scanner to load its components.
  • Select Enable detection of potentially unwanted applications.
  • Click Advanced Settings, then place a checkmark in the following:
    • Remove found threats
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click Start to begin scanning.
  • ESET Online Scanner will start downloading signatures and scan. Please be patient, as this scan can take quite some time.
  • When the scan is done, click List threats (only available if ESET Online Scanner found something).
  • Click Export, then save the file to your desktop.
  • Click Back, then Finish to exit ESET Online Scanner.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 shmish

shmish
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  • Local time:03:14 AM

Posted 02 April 2018 - 02:36 PM

Below are the results from the scans.  I made a mistake with Eset in that I didn't export the log right away, and apparently you only get one chance to do this.  Eset found three threats, one of which was Adaware so I didn't quarantine it.

 

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 4/2/18
Scan Time: 10:20 AM
Log File: 156e2510-369a-11e8-bc06-f0def1865e17.json
Administrator: Yes

-Software Information-
Version: 3.4.5.2467
Components Version: 1.0.342
Update Package Version: 1.0.4586
License: Trial

-System Information-
OS: Windows 10 (Build 16299.309)
CPU: x64
File System: NTFS
User: DESKTOP-LENOVO\dougw

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 332054
Threats Detected: 1
Threats Quarantined: 1
Time Elapsed: 4 min, 38 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 1
PUP.Optional.BundleInstaller.Generic, C:\USERS\DOUGW\DOWNLOADS\FREEFILESYNC_9.9_WINDOWS_SETUP.EXE, Quarantined, [6345], [390493],1.0.4586

Physical Sector: 0
(No malicious items detected)





(end)

Adaware

No malicious folders found.

***** [ Files ] *****

PUP.Optional.Legacy, C:\Users\dougw\Desktop\guru.lnk


***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious WMI found.

***** [ Shortcuts ] *****

No malicious shortcuts found.

***** [ Tasks ] *****

No malicious tasks found.

***** [ Registry ] *****

No malicious registry entries found.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries.

***** [ Chromium (and derivatives) ] *****

PUP.Optional.Legacy, Plugin found: DuckDuckGo for Chrome -
PUP.Optional.Legacy, Plugin found: Bitly | Unleash the power of the link -

/!\ Please Reset the Chrome Synchronization before cleaning the Chrome Preferences: https://support.google.com/chrome/answer/3097271


*************************



########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt ##########


ESET: two threats found:

Target: C:\Users\dougw\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\Files\SO\4\new way-bills_Thompson and Sons_MabeI Lockman[167].zip

Threat name: Win32/TrojanDownloader.Waski.Z trojan

Action:

 

Target: C:\Users\dougw\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\Files\SO\4\new way- bills_Thompson and Sons_MabeI Lockman[1467] .zip

Threat name: Win32/TrojanDownloader.Waski.Z trojan

Action:



#4 buddy215

buddy215

  • Moderator
  • 13,420 posts
  • OFFLINE
  • Gender:Male
  • Location:West Tennessee
  • Local time:04:14 AM

Posted 02 April 2018 - 03:23 PM

Rerun AdwCleaner. When the scan finishes be sure to click on Clean.

 

Did you allow Eset to delete/ quarantine what it found? If not, you need to do that.

 

Last scan:

 

  • Please download Security Check by glax24 and save the file to the Desktop
  • Run the tool by accepting all the Security prompts
  • when complete the tool will produce a log file C:\SecurityCheck\SecurityCheck.txt and also copy the contents to the Clipboard
  • Simply Paste the log to your reply


#5 shmish

shmish
  • Topic Starter

  • Members
  • 38 posts
  • OFFLINE
  • Local time:03:14 AM

Posted 02 April 2018 - 09:36 PM

I did quarantine the items in ESET. I ran it again to be sure, and I should correct my post above.  ESET sees the ccleaner installer file as a potential threat. I did not quarantine it.

 

In order to run SecurityCheck, I had to disable Webroot.

 

SecurityCheck by glax24 & Severnyj v.1.4.0.53 [27.10.17]
WebSite: www.safezone.cc
DateLog: 02.04.2018 19:33:00
Path starting: C:\Users\dougw\AppData\Local\Temp\SecurityCheck\SecurityCheck.exe
Log directory: C:\SecurityCheck\
IsAdmin: True
User: dougw
VersionXML: 4.90is-18.03.2018
___________________________________________________________________________

Windows 10(6.3.16299) (x64) Professional Release: 1709 Lang: English(0409)
Installation date OS: 18.12.2017 02:45:28
LicenseStatus: Office 16, Office16O365ProPlusR_Subscription1 edition Timebased activation will expire :32435 minutes
LicenseStatus: Windows®, Professional edition The machine is permanently activated.
Boot Mode: Normal
Default Browser: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
SystemDrive: C: FS: [NTFS] Capacity: [222.1 Gb] Used: [181.8 Gb] Free: [40.3 Gb]
------------------------------- [ Windows ] -------------------------------
Internet Explorer 11.309.16299.0 [+]
User Account Control enabled (Level 3)
Windows Update (wuauserv) - The service has stopped
Security Center (wscsvc) - The service is running
Remote Registry (RemoteRegistry) - The service has stopped
SSDP Discovery (SSDPSRV) - The service is running
Remote Desktop Services (TermService) - The service has stopped
Windows Remote Management (WS-Management) (WinRM) - The service has stopped
---------------------------- [ Antivirus_WMI ] ----------------------------
Webroot SecureAnywhere (disabled and out of date)
Windows Defender (disabled and up to date)
Malwarebytes (disabled and up to date)
--------------------------- [ FirewallWindows ] ---------------------------
Windows Defender Firewall (MpsSvc) - The service is running
--------------------------- [ AntiSpyware_WMI ] ---------------------------
Webroot SecureAnywhere (disabled and out of date)
Malwarebytes (disabled and up to date)
Windows Defender (disabled and up to date)
---------------------- [ AntiVirusFirewallInstall ] -----------------------
Webroot SecureAnywhere v.9.0.19.43
-------------------------- [ SecurityUtilities ] --------------------------
Malwarebytes version 3.4.5.2467 v.3.4.5.2467
--------------------------- [ OtherUtilities ] ----------------------------
7-Zip 17.01 beta (x64) v.17.01 beta Warning! Download Update
Uninstall old version and install new one.
VLC media player v.2.2.8 Warning! Download Update
-------------------------------- [ Java ] ---------------------------------
Java 8 Update 151 v.8.0.1510.12 Warning! Download Update
Uninstall old version and install new one (jre-8u162-windows-i586.exe).
--------------------------- [ AdobeProduction ] ---------------------------
Adobe AIR v.1.5.3.9120 Warning! Download Update
Adobe Flash Player 28 NPAPI v.28.0.0.137 Warning! Download Update
Adobe Acrobat 9.5.5 - CPSID_83708 Warning! This software is no longer supported. Please uninstall it and use Adobe Acrobat DC.
------------------------------- [ Browser ] -------------------------------
Mozilla Firefox 59.0.2 (x64 en-US) v.59.0.2 [+]
Google Chrome v.65.0.3325.181 [+]
----------------------------- [ EmailClient ] -----------------------------
Mozilla Thunderbird 52.6.0 (x86 en-US) v.52.6.0
--------------------------- [ RunningProcess ] ----------------------------
C:\Program Files\Mozilla Firefox\firefox.exe v.59.0.2.6656
C:\Program Files\internet explorer\iexplore.exe v.11.0.16299.15
C:\Program Files (x86)\Internet Explorer\iexplore.exe v.11.0.16299.15
------------------ [ AntivirusFirewallProcessServices ] -------------------
Malwarebytes Service (MBAMService) - The service has stopped
C:\Program Files\Windows Defender\MSASCuiL.exe v.4.12.16299.15
Windows Defender Antivirus Service (WinDefend) - The service has stopped
Windows Defender Antivirus Network Inspection Service (WdNisSvc) - The service has stopped
----------------------------- [ End of Log ] ------------------------------
 

 

Log from 2nd run of AdwCleaner

_________________________________________________________

# AdwCleaner 7.0.8.0 - Logfile created on Tue Apr 03 00:39:57 2018
# Updated on 2018/08/02 by Malwarebytes
# Running on Windows 10 Pro (X64)
# Mode: clean
# Support: https://www.malwarebytes.com/support

***** [ Services ] *****

No malicious services deleted.

***** [ Folders ] *****

No malicious folders deleted.

***** [ Files ] *****

No malicious files deleted.

***** [ DLL ] *****

No malicious DLLs cleaned.

***** [ WMI ] *****

No malicious WMI cleaned.

***** [ Shortcuts ] *****

No malicious shortcuts cleaned.

***** [ Tasks ] *****

No malicious tasks deleted.

***** [ Registry ] *****

No malicious registry entries deleted.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries deleted.

***** [ Chromium (and derivatives) ] *****

Plugin deleted: DuckDuckGo for Chrome -
Plugin deleted: Bitly | Unleash the power of the link -


*************************

::Tracing keys deleted
::Winsock settings cleared
::Additional Actions: 0
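
A SecurityCheck log like the one above is long, and the lines a helper actually acts on (software flagged "Warning! Download Update", protection products reported as disabled, remote-access services left running) are scattered across sections. The script below is an added example, not from the thread, from glax24's SecurityCheck or from anyone posting here: it parses the log format as it appears above and pulls those items out. The sample text is constructed in that format (one service is deliberately shown as running so the check has something to flag), and the line patterns and the list of remote-access services are assumptions, not documented SecurityCheck behaviour.

```python
import re

# Constructed sample in the SecurityCheck log format seen in the thread.
# Values are made up for the demo; TermService is shown as running on purpose
# so the remote-access check has something to flag.
SAMPLE_LOG = """\
Windows 10(6.3.16299) (x64) Professional Release: 1709 Lang: English(0409)
------------------------------- [ Windows ] -------------------------------
User Account Control enabled (Level 3)
Windows Update (wuauserv) - The service has stopped
Remote Registry (RemoteRegistry) - The service has stopped
Remote Desktop Services (TermService) - The service is running
Windows Remote Management (WS-Management) (WinRM) - The service has stopped
---------------------------- [ Antivirus_WMI ] ----------------------------
Webroot SecureAnywhere (disabled and out of date)
Windows Defender (disabled and up to date)
--------------------------- [ OtherUtilities ] ----------------------------
7-Zip 17.01 beta (x64) v.17.01 beta Warning! Download Update
Uninstall old version and install new one.
VLC media player v.2.2.8 Warning! Download Update
-------------------------------- [ Java ] ---------------------------------
Java 8 Update 151 v.8.0.1510.12 Warning! Download Update
--------------------------- [ AdobeProduction ] ---------------------------
Adobe Acrobat 9.5.5 - CPSID_83708 Warning! This software is no longer supported. Please uninstall it and use Adobe Acrobat DC.
----------------------------- [ End of Log ] ------------------------------
"""

# Line patterns are assumptions derived from the log text, not a documented format.
SECTION_RE = re.compile(r"^-+ \[ (?P<name>[^\]]+) \] -+$")
SERVICE_RE = re.compile(
    r"^(?P<display>.+) \((?P<short>[^()]+)\) - The service (?P<state>has stopped|is running)$")
PROTECTION_RE = re.compile(
    r"^(?P<product>.+) \((?P<enabled>enabled|disabled) and (?P<fresh>up to date|out of date)\)$")
WARNING_RE = re.compile(r"^(?P<product>.+?) Warning! (?P<advice>.+)$")

# Services that expose a management surface; assumption: a home PC that was
# reported for scanning has no reason to leave these running.
REMOTE_ACCESS_SERVICES = {"RemoteRegistry", "TermService", "WinRM"}


def parse_securitycheck(text):
    """Walk the log line by line and collect the actionable findings."""
    findings = {
        "outdated": [],          # (section, product, advice)
        "protection_off": [],    # products reported as disabled
        "services": {},          # short service name -> "running" | "stopped"
    }
    section = "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        m = SERVICE_RE.match(line)
        if m:
            state = "running" if m.group("state") == "is running" else "stopped"
            findings["services"][m.group("short")] = state
            continue
        m = PROTECTION_RE.match(line)
        if m:
            if m.group("enabled") == "disabled":
                findings["protection_off"].append(m.group("product"))
            continue
        m = WARNING_RE.match(line)
        if m:
            findings["outdated"].append((section, m.group("product"), m.group("advice")))
    return findings


def remote_services_running(findings):
    """Remote-access services the log reports as running, sorted for stable output."""
    return sorted(s for s, st in findings["services"].items()
                  if st == "running" and s in REMOTE_ACCESS_SERVICES)


def risk_summary(findings):
    """Human-readable lines a helper could paste back into the thread."""
    lines = []
    for section, product, advice in findings["outdated"]:
        lines.append(f"[{section}] update or remove: {product} ({advice})")
    for product in findings["protection_off"]:
        lines.append(f"[Protection] disabled: {product}")
    for svc in remote_services_running(findings):
        lines.append(f"[Services] remote-access service running: {svc}")
    return lines


if __name__ == "__main__":
    for line in risk_summary(parse_securitycheck(SAMPLE_LOG)):
        print(line)
```

The "disabled" entries need reading in context: in the thread the poster turned Webroot off to run SecurityCheck, so a disabled product in the log is a prompt to confirm it was re-enabled, not proof of a problem. Likewise a service reported as "stopped" is not by itself a finding; the script only flags remote-access services that are running.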
 



#6 buddy215

buddy215

  • Moderator
  • 13,420 posts
  • OFFLINE
  • Gender:Male
  • Location:West Tennessee
  • Local time:04:14 AM

Posted 03 April 2018 - 05:09 AM

Most users don't need Java. Uninstall the old one...Java 8 Update 151 v.8.0.1510.12

Uninstall Adobe AIR v.1.5.3.9120,  Adobe Acrobat 9.5.5 - CPSID_83708

 

Eset would have just quarantined the likely installer of Avast or a Google toolbar bundled with the CCleaner installer.

You can delete the installer since you have CCleaner installed.

 

I think that email was simply trying to get you to purchase the Tech Support Plus program. Cox does the same thing.

 

If you are not experiencing a sloooow computer, popup ads, search redirects, etc.....then I think you are good to go.





