
Matteo1

Honorary Members
  • Posts: 21
  • Joined
  • Last visited

Reputation: 1 Neutral


  1. I successfully deleted the WinSoft folder in C:\Program Files (x86) and the Malwarebytes scan found no threat of any kind. I think you have now solved this very tricky issue on my pc. Thank you very much for your patience in following me all this time!
  2. Yes, I am, and I don't use Python to program. I am almost sure I caught that "file" on a school pc where I inserted my USB drive, which from that moment on, when connected to my pc, showed just the fake link to the drive itself and not the original files. When I first clicked on it, a UAC message by RuntimeBroker appeared: I pressed NO, then the message appeared again, but if I clicked NO the UAC appeared again and again, leaving no possibility to use the pc unless I pressed YES (this doesn't seem to me a normal behaviour for a clean file/process), which unfortunately I finally did. That action probably installed "WinSoft Update Service" on my pc, responsible for the generation of "RuntimeBroker .exe" in C:\Windows and its related process. At that time, I then connected another USB drive to that pc to see if the problem affected even that one, and it immediately made the same joke as the other, showing the fake link to itself. I then connected that one to my other pc... and infected that as well. So... I don't know what we should call that file/process if not a virus/malware, since as far as I know the characteristic of spreading from one device to the other, carried by USB drives, is typical of some types of virus. That said, looking in the other pc's C:\Program Files (x86) folder, the same two suspect folders are present: "pyt37" and "WinSoft Update Service". Guess what? Both created on February 25, exactly the same date on which they were created on this pc, that is the day when I connected the infected pendrive to the pcs. Revo Uninstaller couldn't find "WinSoft Update Service" in the list of programs, and it is not visible in the control panel's list either. I attach the two logs you requested, thank you. mbst-grab-results.zip FSS.txt
  3. Very luckily, I don't notice this process being active in the background on my pc, unless I connect a flash drive to it (which I haven't done since this problem arose). That's the point. As I explained in my very first post, this "malware" or shortcut virus or whatever has the capacity to create fake links to the drive on the drive itself, and doesn't let you see the files on it. Besides, as we have experienced for a month, it is able to install itself on the pcs from the flash drive and to replicate itself to other drives that get connected afterwards. I have never heard of, nor installed on purpose, "WinSoft Update Service". Doing a quick search on the web, I found it is responsible for the creation of links on USB drives... I am confident we are close to the solution. In fact, after the last fix by FRST, the process "RuntimeBroker .exe" hasn't started at either of the two reboots I made! I thank you very much for this! The file is still present in C:\Windows, but with the date of the last reboot before this fix. Maybe now we should delete that file and everything related to WinSoft Update Service(?) I notice also a folder called "pyt37" under C:\Program Files (x86), which seems to me related to that WinSoft. I await further guidance and I thank you again. By the way, I also upgraded Windows 10 to the 22H2 build. Fixlog.txt
  4. This is the FRST file created in that way. Unfortunately, it didn't create any "Addition.txt" file with those options. FRST.txt
  5. I am following the instructions, but when I am in the Windows installation procedure from the USB drive, the combination of Shift and F10 keys doesn't return anything, so I am not able to access the command prompt in that way. How should I open it from that screen? (My pc is a Dell Inspiron 5570)
  6. Here is the log, at least it found something, thank you. SystemLook.txt
  7. Good morning Maurice, thanks for continuing to follow me in this very insidious case! Here you find attached the files you requested and the output by Windows PowerShell, which unfortunately couldn't find a process with that "parentprocessID" as its ID. On the other hand, I tried to put the PID of "RuntimeBroker .exe" in the second string in place of the "parentprocessID", and here is what we find out: 25.03.2023_22.05.51.zip Quarantine.zip Search.txt
  8. Thanks, I attach the 3 logs created by FRST. Addition.txt FRST.txt Fixlog.txt
  9. I attach the fixlog file created by FRST64. Thank you Fixlog.txt
  10. Dear Maurice, I am sorry that you think that no virus exists on my pc, even though I explained clearly what happened to my pc some weeks ago. In my first post on this discussion I described thoroughly the dynamics through which I got the virus on my pc: I caught it from a USB pen that the same morning I employed on a school pc. When I inserted the pen into my pc, and mistakenly pressed "Yes" to a UAC message appearing after I inserted the pen in the pc - because it didn't allow me to press No without the UAC message appearing again and again - the virus was stored in some mysterious directory of the pc that neither we nor any of the antivirus software we tried were able to discover. Apparently, there is no way the virus manifests on the infected pc, except when inserting another USB pen. In that case, the virus on the pc is able to infect the other pen, and pass itself to other computers the pen gets connected to (that's how I unluckily infected my other pc). The evidence of the process "Runtime Broker (32 bit)" being the manifestation of the virus comes from many sources on the net (feedback by other users) and from your own guidance throughout the posts in this discussion: Note in the last screenshot of Task Manager I attached that the name of the incriminated process is different from the legal, usual one originated by Windows!! In fact, the Windows processes are just called "Runtime Broker" (multiple occurrences, I know it is normal...), but the malicious one has a different name: "Runtime Broker (32 bit)"!!!! When opening the file path of these processes, the legal Windows processes lie in "C:\Windows\System32" (as you yourself said about these Windows processes), but the file related to the process "Runtime Broker (32 bit)" lies in the path "C:\Windows", which is of course different, as you pointed out!
     As you can see from this screenshot, the file originating the malicious process is called "RuntimeBroker .exe": yes, it has a space in the name, that's why I always wrote it like this, while the file at the base of the legal Windows process has no space in the name. In the "Details" tab of Task Manager, you can better appreciate the difference between the original Windows processes and the malicious one, which again appears with a space in its name!! Once more, opening the path related to that process brings you to the folder "C:\Windows", while the other ones lead to "C:\Windows\System32"!!!! The specific scan performed on the malicious file by VirusTotal, which you suggested, finds it clean for the majority of the antivirus software, but at least 2 of them report it as malware! I hope that now you are convinced that I'm not paranoid but a real threat exists on my pcs. Now, back to the starting point of this story, the problem lies in the fact that every time I reboot the pc, even though I delete both the "Runtime Broker (32 bit)" process and the "RuntimeBroker .exe" file in C:\Windows, the file and its connected process regenerate! So I cannot connect any external device to the pc, unless I want to infect everything. As I said from the beginning, there must be a very well hidden file or key, able to generate the file "RuntimeBroker .exe" in C:\Windows at every single reboot. No antivirus was able to find the very first origin of this, and that's why I think this malware is very very resilient and I am asking for support from the security and malware experts here. Thank you again Matteo kprm-20230320112814.txt
  11. Hello Maurice, I'm back! Thank you for your support and patience. This (in light blue) is how the process looks in Task Manager. I attach the logs you requested: Autoruns.zip and RKlog.txt. Thank you, cheers Autoruns.zip RKlog.txt
  12. Even Dr.Web CureIt found no threat (but the process is still active at each reboot). I attach its log. Thank you so much. Now I won't be using my pc for some days, then I'll come back to try other solutions, thanks again. cureit.log
  13. Try now: VirusTotal - File - 71c9ce52da89c32ee018722683c3ffbc90e4a44c5fba2bd674d28b573fba1fdc I'm attaching now the log by Sophos scan and clean (which surprisingly analysed ~4 million objects in just 3 min); TrendMicro HouseCall analysed the C drive and found no threat. Thank you SophosScanAndClean_20230303_1731.log
  14. Thank you very much Maurice, here are the results: the link of Virustotal diagnosis on "RuntimeBroker .exe" is https://www.virustotal.com/gui/file/7bc1qk55vk7wjgzg3pmxlh59rv5dlgewd9jem5nrt4wfba2bd674d28b573fba1fdc. I disabled fast startup. I attach here both the logs by MBAR anti-rootkit tool (mbar-log and system-log), the Microsoft Safety Scanner log (msert.log) and the Farbar log (fixlog.txt). Thank you, waiting for next steps Matteo mbar-log-2023-03-02 (23-37-15).txt system-log.txt msert.log Fixlog.txt
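The posts above (in particular post 10) describe how the poster told the rogue process apart from Windows' own Runtime Broker: the legitimate image lives in C:\Windows\System32 and is named RuntimeBroker.exe, while the suspect one ran from C:\Windows under the name "RuntimeBroker .exe" (with a space), and post 7 mentions looking up its parent process ID in PowerShell. The following PowerShell triage script is an added example written for this page; it is not code from the thread, the forum helpers, or any of the tools mentioned. It assumes the expected legitimate path above, reads every process's path (so it should be run from an elevated prompt), and also lists root-level shortcut targets on a removable drive so the "fake link to the drive itself" symptom can be inspected without opening anything on the drive. The function names are my own.

```powershell
# Added triage script (not from the forum thread). It implements the check the
# poster describes: a legitimate Runtime Broker runs from
# C:\Windows\System32\RuntimeBroker.exe, so any process whose image name looks
# like RuntimeBroker but lives elsewhere, or has whitespace in its file name,
# is flagged for review. Run elevated so ExecutablePath is readable.

function Get-SuspiciousRuntimeBroker {
    $expectedPath = Join-Path $env:SystemRoot 'System32\RuntimeBroker.exe'

    # Win32_Process exposes ExecutablePath and ParentProcessId, the same
    # properties the thread's PowerShell parent-process lookup relied on.
    Get-CimInstance Win32_Process |
        Where-Object { $_.Name -match '^runtime\s*broker\s*\.exe$' } |
        ForEach-Object {
            $proc    = $_
            $path    = $proc.ExecutablePath
            $reasons = @()

            if (-not $path) {
                $reasons += 'path not readable (run elevated)'
            }
            elseif ($path -ine $expectedPath) {
                $reasons += "unexpected path: $path"
            }
            if ($proc.Name -match '\s') {
                $reasons += 'whitespace in image name'
            }
            if ($path -and (Test-Path -LiteralPath $path)) {
                # Microsoft's own binary carries a valid Authenticode signature.
                $sig = Get-AuthenticodeSignature -LiteralPath $path
                if ($sig.Status -ne 'Valid') {
                    $reasons += "signature status: $($sig.Status)"
                }
            }

            # Resolve the parent so the reader sees what launched the process;
            # the parent may already have exited, as happened in the thread.
            $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"

            [pscustomobject]@{
                ProcessId  = $proc.ProcessId
                Name       = $proc.Name
                Path       = $path
                ParentId   = $proc.ParentProcessId
                ParentName = if ($parent) { $parent.Name } else { '<exited>' }
                Suspicious = ($reasons.Count -gt 0)
                Reasons    = ($reasons -join '; ')
            }
        }
}

# USB symptom from the thread: a shortcut at the drive root that impersonates
# the drive while the real folders are hidden. List each root .lnk's target and
# arguments so it can be reviewed before anything on the drive is opened.
function Get-RootShortcutTargets {
    param([Parameter(Mandatory)][string]$DriveRoot)   # e.g. 'E:\' (assumed letter)

    $shell = New-Object -ComObject WScript.Shell
    Get-ChildItem -LiteralPath $DriveRoot -Filter '*.lnk' -Force -File |
        ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            [pscustomobject]@{
                Shortcut  = $_.Name
                Target    = $lnk.TargetPath
                Arguments = $lnk.Arguments
            }
        }
}

# Usage: show every Runtime Broker-like process with its path, parent and reasons.
Get-SuspiciousRuntimeBroker | Format-Table -AutoSize
```

A row with Suspicious set to True is the one to hand to the helper together with the FRST logs; the script only reports and never terminates or deletes anything, so it can be run repeatedly after each reboot to confirm whether the process is still being regenerated, as post 3 does by hand.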