Malwarebytes detects Trojan.Ransom.HT in Wordpad on new PC

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Skinno, Feb 17, 2015.

  1. Skinno

    Skinno Private E-2

    Hello Geeks,
    Having had my last trusty, old Win7 PC die on me last week, I bought a brand new one last weekend and have been finding my way (thanks to my Son) around Windows 8.1.
    All seemed fine until just now when I was browsing and attempted to open a document in Wordpad. Malwarebytes Pro flagged it up as containing a virus:
    Trojan.Ransom.HT (see enclosed screenshot).
    and now when I attempt to open Wordpad it says 'unable to create new document'.
    This is annoying as I need to open some documents in my Dropbox account but can't.
    I am wondering if this is a false-positive.
    As mentioned, the PC is new and only me and my Son have used it since I bought it so I am a little confused as to why it's flagging up a virus already.
    I'm also wondering if it is possible to download and reinstall Wordpad from somewhere in order for me to access the things I need to.
    Any help will be greatly appreciated.
    Kind regards:
    Skinno
     

    Attached Files:

  2. Skinno

    Skinno Private E-2

    P.S.
    Here is another screenshot from Malwarebytes, re: the detection.
    Skinno
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you really picked up one of these ransom infections and it took hold, you will have to reinstall. There is no fix other than that.

    It could just be that you quarantined your wordpad.exe program.

    But to really know more you should run thru the below.

    READ & RUN ME FIRST. Malware Removal Guide

    and attach the requested logs when you finish these instructions.
     
  4. Skinno

    Skinno Private E-2

    Hi Chaslang,
    Thanks for the reply. Here are the logs as requested.
    The RogueKiller didn't save a log to my desktop so I ran it twice just in case. I then realised that the logs had been saved in a Rogue Killer folder so I have enclosed them both.
    I have also enclosed 2 Mbam logs - one from early this morning when the detection popped up and the most recent one.
    Being new to Windows 8.1 I am not sure whether the UAC was fully 'off'. I did as requested and moved the (slider) level to 'Never Notify' but I noticed on the Hitman Pro log that it states:
    UAC . . . . . . . . . : Enabled.
    Is this OK?
    I'm hoping that I am virus-free but I'm guessing not due to the original virus detection pop-up and the automatic disabling of my Wordpad program.
    Regards:
    Skinno
     

    Attached Files:

  5. Skinno

    Skinno Private E-2

    P.S.
    And here are the Hitman Pro and MGLogs.
    Thanks:
    S
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to update Malwarebytes to the most recent database. There were false detection issues as noted in the below link:

    https://forums.malwarebytes.org/index.php?/topic/164962-file-detecion-for-wordpad/


    You just have a little junkware to cleanup so run the below now.

    Now please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note that JRT may reset your home page to a Google default, so you will need to restore your home page setting if this happens.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.

    Are you having any more problems?
     
  7. Skinno

    Skinno Private E-2

    Hi Chaslang,
    Thanks for the reply.
    I read the Malwarebytes link that you posted. My Malwarebytes Pro said that the virus definitions are up to date. Does this mean that I can now 'restore' the Wordpad file that's still in quarantine and that it will allow me to use Wordpad again?

    Also, should I now change the UAC slider (that you previously requested I changed) back from 'Never Notify'? Which is the best setting for this?

    I'm not having any problems except for not being able to use Wordpad. Hopefully this will be OK if I am able to restore it. Once I have been given the go-ahead to do this then I will let you know if it works again.

    Here is the Junkware Removal Tool Log.
    Many thanks:
    S
     

    Attached Files:

    • JRT.txt (1.2 KB)
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Yes, you can restore the file and see if that solves your problem with Wordpad being missing.
     
  9. Skinno

    Skinno Private E-2

    Hi Chaslang,
    All seems to be fine and Wordpad is working again after restoring it.
    What I have now noticed is that there are now 3 items on my desktop that weren't there before. All are 'greyed-out' which I guess suggests they're hidden files.
    One is 'Thumbs' and the other two are named 'Desktop'.
    When opening the Desktop ones, they have the following info in them:

    One has this:

    [.ShellClassInfo]
    LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21799
    [LocalizedFileNames]
    WildTangent Games App - acer.lnk=@C:\PROGRA~2\WildTangent Games\Touchpoints\acer\MUILink.exe,-105
    Intel(R) HD Graphics Control Panel.lnk=@C:\PROGRA~2\Intel\INTEL(~1\UNINST~1\Setup.exe,-1169
    CyberLink PowerDVD 12.lnk=@c:\PROGRA~2\CYBERL~1\POWERD~1\Common\MUI\PDVDEN~1.DLL,-544

    The Other one has this:
    [.ShellClassInfo]
    LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21769
    IconResource=%SystemRoot%\system32\imageres.dll,-183

    I'm wondering why these are there and can I delete them?
    Thanks:
    Skinno
     
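As an added illustration, not part of the thread, here is a small Python triage script that parses desktop.ini files like the two quoted above and reports where each referenced resource file lives; references under the Windows directory or Program Files, as in Skinno's files, are the expected benign case, while anything elsewhere is simply marked for review. The sample content is constructed from the quoted lines.

```python
import configparser
import re

# Constructed sample mirroring the two desktop.ini files quoted in the post above
SAMPLE_DESKTOP_INI = r"""[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21799
IconResource=%SystemRoot%\system32\imageres.dll,-183
[LocalizedFileNames]
WildTangent Games App - acer.lnk=@C:\PROGRA~2\WildTangent Games\Touchpoints\acer\MUILink.exe,-105
Intel(R) HD Graphics Control Panel.lnk=@C:\PROGRA~2\Intel\INTEL(~1\UNINST~1\Setup.exe,-1169
"""

# Windows indirect resource string: optional '@', a file path, a comma, an integer resource id
RESOURCE_RE = re.compile(r"^@?(?P<path>.+?),(?P<resid>-?\d+)$")


def parse_desktop_ini(text):
    """Return [(section, key, path, resid)] for every resource reference in the file."""
    # interpolation=None: '%SystemRoot%' is a Windows env var, not a configparser placeholder
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case; keys here are real file names like 'Foo.lnk'
    cp.read_string(text)
    refs = []
    for section in cp.sections():
        for key, value in cp.items(section):
            m = RESOURCE_RE.match(value.strip())
            if m:
                refs.append((section, key, m.group("path"), int(m.group("resid"))))
    return refs


def classify(path):
    """Coarse location class of a resource file: system, program_files or review."""
    p = path.lower().replace("/", "\\")
    if p.startswith("%systemroot%\\") or p.startswith("c:\\windows\\"):
        return "system"
    if re.match(r"^c:\\(progra~[12]|program files( \(x86\))?)\\", p):
        return "program_files"
    return "review"  # user-writable or unusual location: worth a look


def triage(text):
    """Return [(key, path, resid, location_class)] for a desktop.ini's resource references."""
    return [(key, path, resid, classify(path)) for _, key, path, resid in parse_desktop_ini(text)]


if __name__ == "__main__":
    for key, path, resid, loc in triage(SAMPLE_DESKTOP_INI):
        print(f"{loc:14} {key} -> {path} (resource {resid})")
```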
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    They are just part of Windows' hidden files that you had never seen before because they were hidden before running the READ & RUN ME. When you complete the below instructions, they should be re-hidden.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now go to the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    7. If you are running Win 8, Win 7, Vista, Windows XP or Windows ME, do the below to flush restore points:
      • Refer to the instructions for your Windows version in this link: Disable And Enable System Restore
      • What we want you to do is to first disable System Restore to flush restore points some of which could be infected.
      • Then we want you to Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work thru the below link:
     
  11. Skinno

    Skinno Private E-2

    Hi Chaslang,
    Many thanks for the info.
    I have done as you requested in the list. I didn't bother to download Defogger as I don't (knowingly) have Disk Emulation software on this new PC.
    I didn't see HijackThis when trying to remove any of the downloaded programs. In fact, none of the programs were visible (in my Control Panel\Programs\Programs and Features) to uninstall, except for MBam, which I'm keeping.
    I have disabled and re-enabled System Restore.

    I am currently running Avast! for protection alongside Malwarebytes Pro and always use CCleaner.
    As mentioned before, this is a new PC. I just checked the Java link in your Malware Tips page and clicked the check-link. Apparently it appears I may not have Java installed and offered me an update:
    "Recommended Version 8 Update 31 (filesize: 624 KB)".

    There is nothing Java-related in my add/remove programs or any that is listed in the 'uninstall old versions' post either. Should I install it? Only, I recently read somewhere that Java shouldn't be installed any more on new PCs.
    Also, should I install Autorun Eater 2.6 or is that unnecessary?
    I just realised that I had my folder settings to 'view hidden items' so I'm guessing that's why I saw the Desktop files. They've now gone as I changed folder settings back to hidden.
    Can I now delete the MGTools folder and its contents?
    Oh, and big thanks for all your help, once again. It's much appreciated here.
    Thanks:
    S
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.
    You don't have to install Java if you have been getting by without it. Those instructions are for people who have it already to make sure they are updated to current versions.

    I believe that Autorun Eater does not support Win 8.x so no.

    Step 5 of my final instructions should have removed this. If your protection software was enabled, it could have blocked it.
     
  13. Skinno

    Skinno Private E-2

    Hi Chaslang,
    Thanks for the reply.

    I did as mentioned in part 5:

    "Now goto the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures."

    ....but it didn't remove anything, so, I tried again but instead of "Right Click and Run As Administrator ", I just double-clicked the MGclean.bat file and it worked.

    Maybe it's worth noting for future reference that this is the option that works with Windows 8.1?
    Many thanks, for all your help:
    Skinno
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Thanks! Actually it should have worked both ways and Run As Admin is typically required. After your message, I took a look at this and was trying to figure out what was causing this and I have determined there is an issue in Win 8 that causes a problem in the final stage of MGclean.bat where the C:\MGtools folder is removed. All the other tools and temp files were probably removed okay though. The next version of MGtools should have this fixed. I may be able to release this new version this weekend.
     
  15. Skinno

    Skinno Private E-2

    Thanks for all the help Chaslang. Much appreciated.
    Keep up the good work.
    Skinno :)
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     