Possible Infection? Unsure

Hi Malwarebytes Forums,

 

Looks like I found a file with Junkware Removal Tool called asr.dat which the removal program states it had deleted. Should I be concerned? Is there anyway I may be sure my system is clean? Let me know what logs I may provide, and how I may avoid these problems in the future.

 

Thank you for your time.


So I can't download FRST or any other programs from my admin account for some odd reason. I'm using the built-in admin account with a password. I will however download from my public account and then move the applications to my admin account when required to use them in the admin desktop. Here are those FRST logs by the way, which is lucky because I forgot to uninstall FRST from the last time I used it. I let FRST update by the way.

Addition.txt

FRST.txt


Hi!

 

So the log states there are no threats, but then why is my built-in admin account having issues? Why can't it download well-known tools from bleepingcomputer.com, and why did I have to download the mbar anti rootkit tool through my public account, gain permission to edit my admin account, then copy the mbar exe to my admin desktop? I tried to instead copy the mbar exe from the public account into my admin account through my admin account, but for some reason the permissions could never get accepted. I could never open my public account through my admin account, which is weird since the reverse, opening the admin account through my public account, was quicker and actually gained a result. Is this something I should worry about? Also, I did run the anti rootkit exe from my admin account, it just had to be placed on the admin desktop by use of the public account. The log says I'm clean, but what now? Thank you.

mbar-log-2017-07-11 (21-44-12).txt

system-log.txt


  • Root Admin

Probably some type of corruption on the profile. Pretty common actually.

You can try running a full disk check to see if that helps.

From an elevated admin command prompt you can type:

CHKDSK C: /R

Then press the Y key to allow the disk check to run after a restart. Then restart the computer and let it run.

Ron

 


Hi,

So whenever I try to start chkdsk, it asks me to restart the system, which I do. But the Event Viewer program never reports that the chkdsk actually happened, and I did this system restart following the chkdsk in Command Prompt with admin privileges from all three accounts. None have led to the creation of a chkdsk that I can check in Event Viewer.


  • Root Admin

You're using Windows 10 so we can use a Recovery Mode to execute the command.

Please follow the advice from this article on how to get to the Command Prompt we want you at.

https://www.bleepingcomputer.com/tutorials/how-to-start-windows-10-in-safe-mode-with-command-prompt/

Once in that command prompt you should now be able to execute that command without any disk lock issue.

CHKDSK C: /R

 

NOTE: It actually may not be C:. What you can do from the command prompt is type in NOTEPAD and then do a File > Save As, and it will show the drive letters. It may be the D: or E: drive now.

 

Please try that.

Ron

 

Edited by AdvancedSetup

I already tried using that, and when I restart it does say 'press any key within 8 seconds to abort disk check', but hardly 3 seconds pass before the normal sign-in screen appears. So no, the safe mode command prompt did not yield a different result, unfortunately. And I am using a C: drive, so that potential mistake is not the issue at hand.


  • Root Admin

I'm sorry, but there has to be something wrong there. If you're in the Recovery Environment it will not restart. If you leave it there for a week and come back it will still be there on the command prompt screen.

Please review and try again as I just don't see how it can restart the computer. There is nothing telling it to restart the computer. Did you run NOTEPAD to find the drive letter?

 

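A check a reader can run from an elevated PowerShell prompt in normal Windows, added here and not part of the thread, to see whether a scheduled boot-time CHKDSK was actually queued, whether the volume is still flagged dirty, and whether the boot-time check left the Event Viewer record the poster was looking for. The drive letter is assumed to be C:, as in the thread.

```powershell
# Added diagnostic, not from the thread. Run from an elevated PowerShell prompt
# (save as a .ps1 or paste it in). $Drive is an assumption; the thread's volume was C:.
$Drive = 'C:'

# 1. Scheduling "CHKDSK C: /R" for the next boot replaces the default
#    "autocheck autochk *" entry in BootExecute with an "autochk /r \??\C:" entry.
#    If it is absent right after scheduling, nothing was actually queued.
$sm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$bootExec = (Get-ItemProperty -Path $sm -Name BootExecute).BootExecute
$queued = [bool]($bootExec | Where-Object { $_ -match 'autochk.*/r' })
"Boot-time CHKDSK queued in BootExecute : $queued"

# 2. The NTFS dirty bit also forces autochk on the next boot and stays set
#    until a check completes, so it shows whether a previous run ever finished.
$dirty = (fsutil dirty query $Drive) -join ' '
"Dirty-bit state reported by fsutil      : $dirty"

# 3. A boot-time check writes its full report as event 1001 from
#    Microsoft-Windows-Wininit in the Application log. No such event after the
#    reboot means autochk never ran, which is the symptom described in the thread.
$filter = @{ LogName = 'Application'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 1001 }
$report = Get-WinEvent -FilterHashtable $filter -MaxEvents 1 -ErrorAction SilentlyContinue
if ($report) {
    "Last boot-time CHKDSK report ($($report.TimeCreated)):"
    $report.Message
} else {
    'No Wininit event 1001 found: no boot-time CHKDSK has been recorded.'
}
```

A check run from the Recovery Environment cannot write to the Event Log (the "status 50" mentioned later in the thread), so step 3 only reflects checks that ran during a normal boot.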

The command prompt itself asks me to restart the machine in order to start chkdsk. Specifically it states that 'chkdsk cannot run because the volume is in use by another process. would you like to schedule this volume to be checked the next time the system restarts?' This question has appeared every time I have tried to use chkdsk in the command prompt. Does my issue make sense now? The fact that the command prompt states a restart will begin chkdsk, but upon startup the disk check never happens for me. Even in safe mode with command prompt, even from different admin accounts.

 

And yes, I checked with Notepad and have confirmed my drive uses C: as opposed to D: or E:.

Edited by Jwinebago382

  • Root Admin

Please follow the directions below to get into Windows 10 Safe Mode at a Command Prompt.

If needed, here is another link with 7 ways to boot into Safe Mode in Windows 10.

Please print out these instructions, or view them from another computer.

On the affected computer please log off by right-clicking over the Start button and selecting Log Off.

Then, at the Login screen press and hold the Shift key on the keyboard, click the power button on screen and select Restart. Do not let go of the Shift key until it reboots.

[screenshot: sign-on screen]

After the Restart it will come up with a screen as shown below. Click on the Troubleshoot button.

[screenshot: click Troubleshoot]

Then you'll have another menu like below. Click on the Advanced options button.

[screenshot: click Advanced options]

Now click on the Command Prompt button.

[screenshot: click Command Prompt]

You should probably see a screen similar to below, getting the command prompt ready.

[screenshot: preparing Command Prompt]

Select your Account.

[screenshot: choose an admin-level account]

Type in your Password.

[screenshot: type in your password]

Now, type in NOTEPAD and press the Enter key.

[screenshot: type in NOTEPAD]

Click File - Open inside of Notepad to see what drive Windows is on.

[screenshots: click File > Open, click This PC, select the biggest disk, verify it is the Windows disk]

Now type in CHKDSK C: /R (make sure you use your disk letter, which may be D: or E: etc.)

[screenshot: issue the disk check command]

The disk check should run and look similar to below. From this Safe Mode the drive cannot be locked and should not ask for any reboot. It should just run like shown below.

[screenshot: disk check in progress]

Please try that, and if you have issues, take some pictures with your phone and post them back so we can see what's going on.

Thank you

Ron

 

 

Edited by AdvancedSetup

  • Root Admin

Bottom line is, IF the disk check cannot complete, then it is almost certainly due to some problem with the disk, which means continuing to try to save data to the drive is very risky, as it may stop working completely at some point.

No harm in trying those ideas on the link you provided. Try the Disk Cleanup - then run the disk check again from Safe Mode and let it run overnight. Let it run for 24 hours if you have to.

Ron

 


The disk check has completed, though a status 50 states my log couldn't transfer to eventvwr, which is a shame. Didn't know if you'd want to look at those. My built-in admin profile still can't download things like FRST, though my other admin and public profile can. So it hasn't changed, but the command prompt did state repairs to the system were completed.

 


  • Root Admin

The error 50 is normal as it has no access to the Event Log System and can be ignored. No, I was not expecting it to fix your profile, but having a bad disk structure could potentially be the reason or part of the reason for the corrupt profile.

I'd just switch over to the new profile and use that. Make sure you keep your data backed up.

Backup Software

Aside from that how are things working now?

Thanks again

Ron

 


  • Root Admin

No, not normal.

Let's try another browser reset.  Getting late for me so I'm heading out soon. Will check back with you sometime later this weekend.

 

Please visit each of the following sites and let's reset all of your browsers back to defaults to prevent unexpected issues.
If you are not using one of the browsers but it is installed then you may want to consider uninstalling it as older versions of some software can pose an increase in the potential for an infection to get in.

Internet Explorer
How to reset Internet Explorer settings

Firefox
Click on Help / Troubleshooting Information then click on the Reset Firefox button.

Chrome

I would like to reset Chrome back to defaults to completely clear out what is going on with Chrome.

You can keep your "Bookmarks" if you want to keep them, but you have to export them first (Export Bookmarks). Everything else should be removed.

Then I need you to go to Google Sync and sign into your account.
Scroll down until you see the Reset sync button and click on the button.
At the prompt click on OK.

Reset Your Browser Settings

  1. In the top-right corner of the browser window, click the "Chrome Menu" icon (three horizontal lines).
  2. Select Settings.
  3. At the bottom, click Show advanced settings…
  4. Scroll down until you see "Reset settings", then click on the button Reset Settings.
  5. In the dialog that appears, click Reset.

Close Chrome and restart it and check it out for me please.


  • Root Admin

We should probably have you run a couple of other scans too.

Please run the following steps and post back the logs when ready.

STEP 01
Please download Junkware Removal Tool to your desktop.

  • Shutdown your antivirus to avoid any conflicts.
  • Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7, double-click on XP.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next reply message.
  • When completed, make sure to re-enable your antivirus.

STEP 02

Fix with AdwCleaner

Please download AdwCleaner by Xplode and save the file to your Desktop.

  • Right-click on the AdwCleaner icon and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan.
  • When finished, please click Clean.
  • Your PC should reboot now.
  • After reboot, logfile will be opened. Copy its content into your next reply.

Note: Reports will be saved in your system partition, usually at C:\Adwcleaner

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here.
  • Please attach the Addition.txt log to your reply as well.

 

Thanks

Ron

 
