Virus detection

  • Question
  • Updated 7 months ago
  • In Progress
Hi, I have bought a Maximum Security license. It tells me that I have a brhost virus in my laptop. However, when I try to follow online guides to manually remove brhost, I could not find brhost in my task manager or programs. Please advise.
gundamex00

Posted 7 months ago
TM_Jean

Hi gundamex00 and welcome to the Community!

I would just like to verify if the notification came from Trend Micro. If so, please provide a screenshot of the security report for Security Threats by clicking "See more details". Refer to the link below on how to find the said report.

Using the Security Report feature of Trend Micro Security

If you are referring to a different notification about this virus, we would still appreciate it if you could provide a screenshot of it so that we'd have an idea of what it is about.

I hope you'll be able to provide the needed info above so that we could help you further. Hoping to hear from you soon! :)

Trend Micro Home Users Community
gundamex00

Hi, there is a screenshot, it's been bugging me since the notification keeps popping out. But it is always about the same issue.
TM_Victor, Employee

Hi gundamex00,

Can we ask you to click on "See more details" under viruses and post a screenshot of it for the action taken by the Trend Micro program?

You may also perform an additional scan using the Trend Micro Anti-Threat Toolkit.

We hope to hear from you soon.

Trend Micro Home Users Community
gundamex00

Here's the screenshot.
Max Slo, Champion

-I'm not a Trend Micro representative, but I'd like to give you some suggestions-

Oh wow,
that is a CryptoNight, so you are experiencing high CPU usage?
It is creating cryptocurrency using your personal resources, CPU and electrical power...

Usually it is activated by visiting specific websites, and I'm not sure if it is an installed crypto miner or if it works only when visiting these websites.

I think your Trend Micro solution was able to block it, as per your screenshot; anyway, I also suggest:
- use an adblocker in your web browser to block malicious plugins in the web pages that activate cryptocurrency
- Activate Trend Micro web browser plugin, if not 
- set your web browser to its default settings to prevent malicious websites from loading by themselves
- run a complete scan with your Trend Micro solution

At the moment, check your CPU load to understand if the virus is active or not.
gundamex00

I actually have done all of the above before. I don't recall having high CPU usage, but I did try a method, which is to end the process of a program called 'wscript.exe'. After ending it, Trend Micro stopped giving me any more pop-ups. However, the pop-ups will occur every time I start up my laptop, until I end the 'wscript.exe' program.
Max Slo, Champion

-I'm not a Trend Micro representative, but I'd like to give you some suggestions-

Yes, it is the exe used to run 'do something' instructions, malicious or not. wscript is not malicious by itself (if it is the original one, of course).

Go to Task Manager, open the Startup tab (something like this, I do not have an English OS).
Look at the wscript that you are usually stopping. Right click and 'Open File Path'.

What is the file path? And what is its size?

You can perform a sfc /scannow with an Administrator CMD session to check and validate system files.
Max Slo, Champion

I found this.

So, in my opinion, a previous infection (CryptoNight?) is using wscript (or a malicious version of it) to try to start a malicious VBS script. 

Try to run CMD as administrator and type SFC /SCANNOW

It will check if the system files are legitimate (including wscript); if not, it will try to restore them.

If that does not solve it, try the following, ignoring step 2.
TM_Yner

Hello gundamex00,

Based on the screenshot that you have sent, the threats that were detected by Trend Micro were already removed. I would like to ask if the pop-ups are still there?

Thank you and have a great day! :) 

Trend Micro Home Users Community
gundamex00

The pop-ups are still there. Brhost keeps coming back and Trend Micro is always constantly removing it.
gundamex00

Hello Max,

I tried running CMD, but it says there is no problem.
I disabled Windows Script Host, but the problem still persists.
Max Slo, Champion

-I'm not a Trend Micro representative, but I'd like to give you some suggestions-

OK, check the following:
- Stop the brhost service as usual via the task manager.
- Check in installed programs if there is something unknown and uninstall it, if needed.
- Check your browser extensions or add-ons, disable them and remove anything that is unrecognized.

I think there is some browser extension (Firefox-Chrome) or Add-On (Explorer) that recalls brhost to its malicious activities.
It may also be that some kind of malicious software is installed on your computer, so check carefully under installed programs in the control panel for unrecognized software.

Can you prevent brhost from running by disabling it in MSC startup programs: in Task Manager, locate brhost in the Startup tab and, before stopping it, right click and Disable.

Scan also using HouseCall
TM_Jean

Hi gundamex00!

Thanks for all the suggested solutions, Max Slo. You may also refer to the troubleshooting steps below.

1.  Check for any Potentially Unwanted Application (PUA).

     a.  Type appwiz.cpl on the Run window and uninstall PUA.

     b.  Check Startup entries

          ○  Type msconfig on the Run window.

          ○  Click on Startup tab.

          ○  Disable malicious Startup item.

2.  Remove malicious add-on or rogue extensions from Browsers:

     ○  Internet Explorer

         a.  Click the "gear" icon (at the top right corner of Internet Explorer).

         b.  Choose "Manage Add-ons".

         c.  Look for any recently installed suspicious browser extensions, select them and click on "Remove".

    ○  Google Chrome

         a.  Click the Chrome menu icon (at the top right corner of Google Chrome).

         b.  Select "More tools" and click "Extensions".

         c.  Locate all recently installed suspicious browser add-ons, select these entries and click the trash can icon.

    ○  Mozilla Firefox

         a.  Click the Firefox menu  (at the top right corner of the main window).

         b.  Select "Add-ons".

         c.  Click "Extensions". In the window that opened, remove all recently installed suspicious browser plug-ins.

    ○  Microsoft Edge

         a.  Click the three horizontal dots icon (at the top right corner of Microsoft Edge), then choose "Extensions".

         b.  Look for any recently installed suspicious extensions, right click your mouse on these entries and click "Uninstall".

3.  End all running browser processes.
4.  Manually delete detected Coin Miner files.
5.  Reset Browser Settings. 


Trend Micro Home Users Community
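
The startup checks suggested in the replies above, as an added PowerShell example that is not part of the original thread and not Trend Micro tooling: it shows which script each running wscript.exe was started with, then lists autostart entries that reference a script host or script file. It goes slightly beyond the thread by also covering scheduled tasks; the match pattern and the choice of registry keys are assumptions.

```powershell
# Added example (not from the thread): find what relaunches wscript.exe at logon.
# Read-only: it lists entries and changes nothing. Run from an elevated prompt.
$pattern = 'wscript|cscript|\.vbs|\.vbe|\.jse?\b|\.wsf'   # assumed match pattern

# 1. Running script hosts: binary path, size, and the script on the command line.
Get-CimInstance Win32_Process -Filter "Name='wscript.exe' OR Name='cscript.exe'" |
    ForEach-Object {
        [pscustomobject]@{
            ProcessId   = $_.ProcessId
            Path        = $_.ExecutablePath
            SizeBytes   = if ($_.ExecutablePath) { (Get-Item -LiteralPath $_.ExecutablePath).Length }
            CommandLine = $_.CommandLine
        }
    } | Format-List

# 2. Run/RunOnce registry values that start a script host or script file.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
$findings = @(foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $value = [string]$item.GetValue($name)
        if ($value -match $pattern) {
            [pscustomobject]@{ Source = $key; Name = $name; Command = $value }
        }
    }
})

# 3. Per-user and all-users Startup folders (listed in full: shortcuts hide their target).
foreach ($folder in 'Startup', 'CommonStartup') {
    $dir = [Environment]::GetFolderPath($folder)
    if (-not $dir) { continue }
    $findings += @(Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue |
        Where-Object Name -ne 'desktop.ini' |
        ForEach-Object { [pscustomobject]@{ Source = $dir; Name = $_.Name; Command = $_.FullName } })
}

# 4. Scheduled tasks whose action runs a script host or script file.
$findings += @(Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match $pattern) {
            [pscustomobject]@{ Source = "Task $($task.TaskPath)"; Name = $task.TaskName; Command = $cmd }
        }
    }
})
$findings | Format-List
```

The command line in step 1 names the script file that wscript.exe is executing, which is the item to locate and remove; the entries in steps 2 to 4 show what starts it again after a reboot.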