All Activity

  1. Past hour
  2. Hi, I ran an infected executable and now my system is compromised. I'm writing this from Safe Mode with Networking. I began following some of the steps in https://forums.malwarebytes.com/topic/301781-windows-update-registry-is-missing-windows-defender-disabled/ but will stop self-directed tasks now. As soon as I believed my system was compromised, I booted into safe mode with networking. On reboot, I got a popup that said ctfmon.exe was detected to have "an overrun of a stack-based buffer". The popup can be closed temporarily but will reappear within a few seconds. I ran MBAM and Avast but no detection. I deleted the infected executable and went to Google for assistance. I attempted to open Windows Defender but was met with a black screen. I attempted to open Windows Update but was met with "Something went wrong. Try to reopen Settings later." I downloaded and ran the Microsoft Safety Scanner at full scan in administrator mode; it completed and removed Trojan:Win64/TurtleLoader.SVR and HackTool:Win32/crack. Rebooted into safe mode, ctfmon.exe error still occurred, defender and update still down. I found the link above, downloaded the Malwarebytes Support Tool, and attempted to gather logs in admin mode. Process completed, but no file was ever placed on my desktop. I downloaded and ran Farbar's Service Scanner in admin mode. The results are attached. I attempted to read the results with Notepad, but was met with "this application cannot be started". I was also unable to open Notepad directly. I was, however, able to open it with Notepad++. I downloaded and ran SecurityCheck in admin mode. The text file that was supposed to pop up was blocked (since Notepad cannot be opened). The results are attached. I have posted here and stopped all other actions. FSS.txt SecurityCheck.txt
  3. @SSG_Kitami Have you restarted the computer yet?
  4. When I went to the location listed in the detection, no DLL could be found, even with show hidden files and folders enabled.
  5. I see you gotta wear shorts to do that leg press!
  6. Use play mode to exclude the program from showing the blocks. Turn Play Mode On or Off: Open Malwarebytes for Windows. Click Settings, then click the Notifications tab. Scroll down to the Play Mode section. The "Suspend notifications and updates when selected apps are open" toggle is On by default. Switch off the toggle if you wish to always see Malwarebytes notifications. You can add new applications to the Play Mode list to hide Malwarebytes notifications while using the app. Learn how to manage applications for the Play Mode feature below. Manage Applications for Play Mode: Click Add in the bottom right of the Play Mode section. Select the application and click Open. The application gets added to the Play Mode list. To delete an application from the list, hover the cursor over the application name, and click the Delete icon that appears. Worst case. Not recommended. Access a blocked application by adding it to the Allow List: To prevent Malwarebytes for Windows from blocking an application you trust, add the application executable. Click Allow an application to connect to the Internet. To find the application, click Browse. Select the application executable you want to add, then click Open. Click Done to confirm your changes.
  7. How do you create an exception for this? Just adding the launcher? My wife was having an issue with this.
  8. Thank you for the log. It ran well and also found and fixed some other issues with Windows. Windows Resource Protection found corrupt files and successfully repaired them. Please run the following now. Please run the following ESET Online Scanner and perform a Full Scan. Click the following link to save the installer for ESET Online Scanner: https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe It will start a download of "esetonlinescanner.exe". Save the file to your system, such as the Downloads folder, or else to the Desktop. Go to the saved file, and double click it to get started. When presented with the initial ESET screen, click on "Get Started". Read and accept the Terms of use. On the "Before we start..." screen choose if you want to send anonymous data and if you want to provide feedback or not, then click Continue. When prompted for scan type, click on the Full Scan button. Enable (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click the Start scan button. Have patience. The entire process may take a few hours or more. When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked "View detected results". Click the blue "Save scan log" to save the log and give it a name and location you remember. If something was removed and you know it is a false positive, you may click on the blue "Restore cleaned files" (in blue, at the bottom). Press Continue when all done. You should click to turn off the offer for "periodic scanning". Enable "Delete application data on closing" - You do not need to submit feedback unless you want to. Simply ignore and close the program.
Note: If you do need to do a File Restore from ESET please follow the directions below [KB2915] Restore files quarantined by the ESET Online Scanner version 3 https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner Please attach the ESET scan log you saved at the end to your next reply
  9. Hi, Thanks for submitting the logs. I took a look at them. Unfortunately this case cannot be whitelisted by a file or a path. The best that can be done is to turn off Excel as a protected application. This way you do not have to turn off the entire exploit protection layer. I hope that helps.
  10. Do you have the file? Thanks.
  11. We're glad that we were able to assist you. The following information will help you to keep your computer and data safer as well as improve your overall privacy Recommend using a Password Manager for all websites, etc. that require a password. Never use the same password on more than one site. https://www.howtogeek.com/780233/best-password-manager/ Make sure you're backing up your files https://forums.malwarebytes.com/topic/136226-backup-software/ Keep all software up to date - PatchMyPC - https://patchmypc.com/home-updater#download https://patchmypc.com/about-us Keep your Operating System up to date and current at all times - https://support.microsoft.com/en-us/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2 Further tips to help protect your computer data and improve your privacy: https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/ Please consider installing the following Content Blockers for your Web browsers if you haven't done so already. This will help improve overall security Malwarebytes Browser Guard Google Chrome: https://chrome.google.com/webstore/detail/malwarebytes-browser-guar/ihcjicgdanjaechkgeegckofjjedodee Microsoft Edge: https://support.malwarebytes.com/hc/en-us/articles/4413298736787-Install-Malwarebytes-Browser-Guard-on-Microsoft-Edge-browser Mozilla Firefox: https://addons.mozilla.org/en-US/firefox/addon/malwarebytes/ uBlock Origin Google Chrome: https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm Microsoft Edge: https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak Mozilla Firefox: https://addons.mozilla.org/en-US/firefox/addon/ublock-origin Imagine a world without malware. 
We do https://www.malwarebytes.com/why-upgrading-matters-ceo Cybersecurity basics & protection Everything you need to know about cybercrime https://www.malwarebytes.com/cybersecurity Further reading if you'd like to keep up on the malware threat scene: Malwarebytes Blog https://blog.malwarebytes.com/ Hopefully, we've been able to assist you with correcting your system issues. Thank you for using Malwarebytes. Please tell your friends and family if they too need assistance with malware removal If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Please review the following to help you better protect your computer and privacy Tips to help protect from infection Thank you
  12. Ok I have it installed, I'll keep you posted if the user runs into it again. It had crashed again at 4/18/2024 @ 6:45am, but that was before I did this. So I'll track this for the next week or so and let you know if it happens again. Log Name: Application Source: Application Error Date: 4/18/2024 6:45:46 AM Event ID: 1000 Task Category: Application Crashing Events Level: Error Keywords: User: USERNAME-PC\username Computer: USERNAME-PC Description: Faulting application name: OUTLOOK.EXE, version: 16.0.17425.20176, time stamp: 0x6610b31c Faulting module name: mbae64.dll, version: 1.13.4.585, time stamp: 0x65a15430 Exception code: 0xc0000005 Fault offset: 0x000000000002329c Faulting process id: 0x0x3E54 Faulting application start time: 0x0x1DA917D8278103D Faulting application path: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE Faulting module path: C:\Program Files\Malwarebytes\Anti-Malware\mbae64.dll Report Id: b1dcb0aa-4288-43fe-ae0b-3066788ff7e2 Faulting package full name: Faulting package-relative application ID: Event Xml: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="Application Error" Guid="{a0e9b465-b939-57d7-b27d-95d8e925ff57}" /> <EventID>1000</EventID> <Version>0</Version> <Level>2</Level> <Task>100</Task> <Opcode>0</Opcode> <Keywords>0x8000000000000000</Keywords> <TimeCreated SystemTime="2024-04-18T10:45:46.2864047Z" /> <EventRecordID>130016</EventRecordID> <Correlation /> <Execution ProcessID="17544" ThreadID="2544" /> <Channel>Application</Channel> <Computer>USERNAME-PC</Computer> <Security UserID="S-1-5-21-...-1001" /> </System> <EventData> <Data Name="AppName">OUTLOOK.EXE</Data> <Data Name="AppVersion">16.0.17425.20176</Data> <Data Name="AppTimeStamp">6610b31c</Data> <Data Name="ModuleName">mbae64.dll</Data> <Data Name="ModuleVersion">1.13.4.585</Data> <Data Name="ModuleTimeStamp">65a15430</Data> <Data Name="ExceptionCode">c0000005</Data> <Data 
Name="FaultingOffset">000000000002329c</Data> <Data Name="ProcessId">0x3e54</Data> <Data Name="ProcessCreationTime">0x1da917d8278103d</Data> <Data Name="AppPath">C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE</Data> <Data Name="ModulePath">C:\Program Files\Malwarebytes\Anti-Malware\mbae64.dll</Data> <Data Name="IntegratorReportId">b1dcb0aa-4288-43fe-ae0b-3066788ff7e2</Data> <Data Name="PackageFullName"> </Data> <Data Name="PackageRelativeAppId"> </Data> </EventData> </Event>
  13. Nope, not frail, as we get older there are just aches and pains that were not there in our younger years. The frail ones probably don't go outside much at all
  14. Guess I'll factory reset at this point. Thank you so much for all your help and advice. Your guidance was very appreciated.
  15. That's some accomplishment! Gulp. Looks like I'm a "fragile old lady." But I don't see myself that way. One way to be around in a decade is to get more sleep
  16. Today
  17. Hello @h-s7 and Let's go ahead and run a couple of scans and get some updated logs from your system. Please read the entire post below before starting so that you're more familiar with the process. Then follow each step in the order provided. Unless otherwise asked, please attach all logs. Please make the following system changes: If you have not done so already - Enable System Protection and create a NEW System Restore Point. Temporarily disable your antivirus real-time protection or other security software first only if it blocks or interferes with the scans or downloads. Make sure to turn it back on once the scans are completed. Temporarily disable Microsoft SmartScreen to download software below only if needed. Make sure to turn it back on once the downloads are completed. Disable-Fast-Startup. Show-Hidden-Folders-Files-Extensions. Please run the following scans: Click the following link and run a Scan with AdwCleaner. Click the following link and run a Scan with Malwarebytes. RESTART the computer. Click the following link and run a Scan with Farbar Recovery Scan Tool. Thank you
  18. I suppose I can try to look up what this means, but I'd rather you tell me. My inability to get up when I'm down couldn't compare. Inactivity throughout the COVID years did me in. But I've been thinking about your comment all afternoon and see something right in front of my nose. Yes, when I go out, wander around and take photos it is a very enjoyable way to exercise, and although I can do the gym, or pool laps, nothing compares to being out with my camera. ☺️
  19. Run the fix when you get home. Or, back up your personal data and then do a CLEAN install of Windows. Clean Install Windows 10 & 11 (2023): https://answers.microsoft.com/en-us/windows/forum/all/clean-install-windows-10-11-2023/1c426bdf-79b1-4d42-be93-17378d93e587 Also, please review the following topic: Bypass Microsoft Online Account Creation during installation of Windows 11 https://forums.malwarebytes.com/topic/296613-bypass-microsoft-online-account-creation-during-installation-of-windows-11/
  20. That found and removed quite a bit. Please run the following now. Let's go ahead and run a couple of scans and get some updated logs from your system. Please read the entire post below before starting so that you're more familiar with the process. [ 1 ] Please make the following system changes. Temporarily disable your antivirus real-time protection or other security software first only if it blocks or interferes with the scans or downloads. Make sure to turn it back on once the scans are completed. Temporarily disable Microsoft SmartScreen to download software below only if needed. Make sure to turn it back on once the scans are completed. Disable-Fast-Startup. Show-Hidden-Folders-Files-Extensions. [ 2 ] I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer. The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. The download links & the how-to-run-the tool are at this link at Microsoft: https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download Look on the Scan Options & select the FULL scan. Then start the scan. Have lots of patience. It may take several hours. Once you see it has started, take a long long break; walk away. Do not pay credence if you see some intermediate early flash messages on the screen display. The only things that count are the End result at the end of the run. The scan will take several hours. Leave it alone. It will remove any other remaining threats as it goes along. Take a very long break, do your normal personal errands ... just do not use the computer during this scan. This is likely to run for many hours as previously mentioned (depending on the number of files on your machine & the speed of the hardware).
The log is named MSERT.log and the log will be at C:\Windows\debug\msert.log Please attach that log with your next reply. It is normal for the Microsoft Safety Scanner to show detections during the scan process. It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection. That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not. Then it writes into the log on your computer what it found. Thank you
  21. Given you had rootkit scanning enabled, that might be the reason since this reads usermode with kernelmode version and when a file is in use at the time, it might see a difference here. This doesn't mean it's a rootkit though. This might just happen when the file is in use. Sometimes this also gives unpredictable results as that engine works slightly differently. This is exactly why rootkit scanning is disabled by default when you install Malwarebytes. Also because our current engines are powerful enough already to deal with rootkits even when rootkit scanning is disabled. Rootkit scanning is not enabled by default. You may want to disable that unless you think you have a rootkit infection. Rootkit scanning is really aggressive and does ignore some whitelisting which can result in false positives. If you decide to keep rootkit scanning on, just be aware of the possibility of false positives.
  22. At this point, since scanners cannot even complete scans, I would recommend you back up your data and then reinstall Windows clean. Clean Install Windows 10 & 11 (2023): https://answers.microsoft.com/en-us/windows/forum/all/clean-install-windows-10-11-2023/1c426bdf-79b1-4d42-be93-17378d93e587 Also, please review the following topic: Bypass Microsoft Online Account Creation during installation of Windows 11 https://forums.malwarebytes.com/topic/296613-bypass-microsoft-online-account-creation-during-installation-of-windows-11/