WERFAULT.EXE - MALWARE??


Hi all! When I boot up, I get a popup (see attached) - not sure if it's the real deal and just not signed digitally or if it's malware. I've disabled the werfault.exe process via windows "services" but when I re-boot it still pops up. Any suggestions / help will be appreciated! I'm running Windows 7 Ultimate SP1 - 64 bit on an Asus G51JX laptop, all Windows updates are complete, MBAM, AVAST, etc. up to date. Thank you!

IMG_3686.JPG


Hello nitebeat and welcome to Malwarebytes,

werfault.exe is used for Windows Error Reporting. It is a service that lets Microsoft monitor and address errors relating to the operating system, Windows features, and applications. As this has been disabled via services yet still shows on boot, we need to have a look at your OS....

Let's run a diagnostic scan to have a look at your system and make sure it's clean before progressing any further.

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST, either accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status...
 
  • Double-click to run it. When the tool opens click Yes to disclaimer. (Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach that log to your reply.


Let me see those logs in your reply...

Thank you,

Kevin....

Run the following fix with FRST, your system should reboot, if not reboot yourself. Does the issue still show...?

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.

Thanks,

Kevin...

fixlist.txt


Hello again! So, I did as you instructed, the system rebooted on its own and now I receive two (2) popups (copies attached)! I've also attached the fixlog.txt for your review. Other ideas? This does seem to be quite STUBBORN to get rid of! By the way, I clicked "cancel" for both.

IMG_3703.JPG

IMG_3704.JPG


The FRST.txt log is not attached. The two prompts you received are genuine; to stop those from showing again remove the checkmarks from "Always ask before opening this file", then select "Run". Those two popups should not show again...

In future if you receive similar popups have the file scanned at VirusTotal https://www.virustotal.com/en/ If the file proves legitimate do the same again to the popup: remove the previously quoted checkmark before using the run function..... If the file proves to be malicious you need to take action....

Regards,

Kevin...

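A local check a responder would run alongside the VirusTotal lookup suggested above: it inspects every WerFault.exe on the system drive for its Authenticode signature, its SHA-256, and a Zone.Identifier stream (the Mark of the Web that produces the "Open File - Security Warning" dialog with the "Always ask before opening this file" checkbox), then searches the Run autostart keys for entries that reference it. This is an added example, not part of the thread or of Malwarebytes' instructions; it assumes an elevated PowerShell 4.0 or later prompt (Get-FileHash and -Stream are absent from the 2.0 that ships with Windows 7) and uses the standard Windows paths and key names.

```powershell
# Added example, not from the thread. Inspect every WerFault.exe on the system drive the way a
# responder would before trusting it: Authenticode signature and signer, SHA-256 (to compare
# with VirusTotal or a known-good machine), and whether a Zone.Identifier stream is present
# (the Mark of the Web behind the "Open File - Security Warning" prompt). Because the prompt
# appears at boot, the Run autostart keys are also searched for entries naming WerFault.
# Requires an elevated PowerShell 4.0+ prompt; paths and key names are the standard Windows ones.

$knownPaths = @("$env:windir\System32\WerFault.exe", "$env:windir\SysWOW64\WerFault.exe")

$copies = Get-ChildItem -Path "$env:SystemDrive\" -Filter 'WerFault.exe' -Recurse -Force `
                        -ErrorAction SilentlyContinue

$report = foreach ($f in $copies) {
    $sig    = Get-AuthenticodeSignature -FilePath $f.FullName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
    $motw   = Get-Item -Path $f.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Path      = $f.FullName
        KnownPath = $knownPaths -contains $f.FullName
        SigStatus = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        Signer    = $signer
        SHA256    = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        HasMotW   = [bool]$motw
    }
}
$report | Format-List

# Caveat: many Windows binaries are signed through a security catalog rather than an embedded
# signature, so NotSigned on the System32 copy is not by itself proof of tampering. Weigh it
# with KnownPath, the SHA-256 and the VirusTotal result; a copy outside the known paths, or one
# carrying a Zone.Identifier stream, is what deserves attention.

# Autostart Run entries that reference WerFault.
$runKeys = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run')
foreach ($k in $runKeys) {
    $key = Get-Item -Path $k -ErrorAction SilentlyContinue
    if (-not $key) { continue }
    foreach ($name in $key.GetValueNames()) {
        $value = [string]$key.GetValue($name)
        if ($value -match 'werfault') { '{0}\{1} = {2}' -f $k, $name, $value }
    }
}
```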

Hello! I did attach the fixlog.txt - don't know where it went (I don't have a 'FRST.txt' log). I'm attaching the fixlog.txt again! Previously, I did "uncheck" the "always ask" box and select run . . . . popup still returns. I've tried both combinations - checked, unchecked, run & cancel - no matter, the popup returns upon reboot. I'll check the files via virus total as soon as I get a chance. You state that if the files prove to be 'malicious' that action needs to be taken - would that be with your help or I need to go elsewhere? If elsewhere, where would that be? I'm currently running Super AntiSpyware as well as Avast Free Antivirus and neither of these applications (along with MBAM) pick up anything on the computer. I've never had these popups in the past and can't understand why they've suddenly appeared and moreover, REFUSE to STOP!

Fixlog.txt


Update: I ran C:\Windows\System32\Werfault.exe via 'Virustotal' and the response was all GREEN - Trusted source - belongs to Microsoft Corporation software catalog. I didn't scan the FRST64.exe file since that file was given to me by you. Next steps?? Thanks again!


Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.

Windows should reboot when the fix completes, does the issue clear...?

 

fixlist.txt


OK back atcha! The latest fixlog.txt file is attached as requested. And YES, upon re-boot, the 'ole "WerFault.exe" popup once again presented itself. I unchecked the "always ask" button as well as "cancel" and let the machine continue to boot to operational status. Question: If the issue here is that this item is being picked up as "unknown publisher, not digitally signed," etc and it is apparently a "legitimate" program, why isn't it possible to correct the file (via MicroSoft?) to get the file that IS digitally signed, publisher known, etc? I'm not THAT PC savvy but instead of trying to 'eliminate' the popup, wouldn't it be possible to get a corrected file to replace the one being picked up with the errors? Just throwing it out for your reply! Thanks again!

Fixlog.txt


Yes, we just removed the unsigned version of WerFault.exe and also replaced the version in the system32 folder; unfortunately it has still shown its face at boot..

Click on Start > All Programs > Accessories:

Right-click on the Command Prompt entry

Select "Run as Administrator" accept the UAC prompt - the Elevated Command Prompt window should pop up.

At the Command prompt, type

CHKDSK ? /R

hit the Enter key.

You will get a message that the drive cannot be locked, but that the command can be scheduled to run at the next boot - hit the Y key, press Enter, and then reboot.

The CHKDSK may take a few hours depending on the size of the drive, so be patient!

After the CHKDSK has run use the following instructions to find the log:

Check Disk report:
 
  • Press the WindowsKey + R on your keyboard at the same time. Type eventvwr into the run box and click OK.
  • In the left panel, expand Windows Logs and then click on Application.
  • Now, on the right side, click on Filter Current Log.
  • Under Event Sources, check only Wininit and click OK.
  • You may be presented with one or multiple Wininit logs.
  • Click on an entry corresponding to the date and time of the disk check.
  • On the top main menu, click Action > Copy > Copy Details as Text.
  • Paste the contents into your next reply.


Next,

Now run SFC.

SFC -System File Checker - Instructions

Click on Start > All Programs > Accessories

Right-click on the Command Prompt entry

Select "Run as Administrator" accept the UAC prompt - the Elevated Command Prompt window should pop up.

At the Command prompt, type

SFC /SCANNOW

hit the Enter key

Wait for the scan to finish - make a note of any error messages - and then reboot.


Copy the CBS.log file created (C:\Windows\Logs\CBS\CBS.log) to your desktop (you can't manipulate it directly) and then compress the copy and upload the zip file to your reply.
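The two artifacts the post above asks for can be collected from one elevated prompt instead of the manual Event Viewer and copy steps. This is an added example, not Kevin's instructions: it assumes an elevated PowerShell 5.0 or later session (CBS.log is protected, which is the "access denied" a normal user hits when copying it), and the output folder and file names are the example's own choices.

```powershell
# Added example, not from the thread. Gathers the Wininit "Check Disk" report from the
# Application log and the SFC results from CBS.log. Must run in an elevated PowerShell 5.0+
# session; CBS.log cannot be read or copied from a normal user session.
# The output folder and file names are this example's own choices.

$out = Join-Path $env:USERPROFILE 'Desktop\diag'
New-Item -Path $out -ItemType Directory -Force | Out-Null

# 1. Check Disk reports: the same filter as Event Viewer > Application > Source = Wininit,
#    restricted to event 1001, the ID shown in the report posted in this thread.
$chk = Get-WinEvent -FilterHashtable @{ LogName = 'Application';
                                        ProviderName = 'Microsoft-Windows-Wininit';
                                        Id = 1001 } -ErrorAction SilentlyContinue
foreach ($e in $chk) {
    $verdict = if ($e.Message -match 'found no problems') { 'no problems' }
               elseif ($e.Message -match 'made corrections') { 'corrections made' }
               else { 'see full report' }
    '{0}  chkdsk: {1}' -f $e.TimeCreated, $verdict
}
$chk | Select-Object TimeCreated, Message | Out-File (Join-Path $out 'chkdsk-reports.txt')

# 2. SFC results: copy CBS.log first (the live file cannot be handled directly), then keep the
#    [SR] lines, which is how Microsoft documents reading SFC's outcome (findstr /c:"[SR]").
$cbs  = Join-Path $env:windir 'Logs\CBS\CBS.log'
$copy = Join-Path $out 'CBS.log'
Copy-Item -Path $cbs -Destination $copy -Force
$sr = @(Select-String -Path $copy -Pattern '\[SR\]')
$sr | ForEach-Object { $_.Line } | Out-File (Join-Path $out 'sfcdetails.txt')
$problems = @($sr | Where-Object { $_.Line -match 'Repairing|Cannot repair' }).Count
'{0} [SR] lines, {1} report a repaired or unrepairable file' -f $sr.Count, $problems

# Zip the copy for upload, as the post requests.
Compress-Archive -Path $copy -DestinationPath (Join-Path $out 'CBS.zip') -Force
```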

OK back at it, here's the Check Disk Report (interestingly, when the chkdsk /r ended, the computer re-booted on its own - not sure if that is normal but it did)!

Log Name:      Application
Source:        Microsoft-Windows-Wininit
Date:          9/5/2018 4:41:18 PM
Event ID:      1001
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      Allan-Prescott
Description:


Checking file system on ?
The type of the file system is NTFS.

A disk check has been scheduled.
Windows will now check the disk.                         

CHKDSK is verifying files (stage 1 of 5)...
  334592 file records processed.                                         

File verification completed.
  2353 large file records processed.                                   

  0 bad file records processed.                                     

  2 EA records processed.                                           

  63 reparse records processed.                                      

CHKDSK is verifying indexes (stage 2 of 5)...
  450436 index entries processed.                                        

Index verification completed.
  0 unindexed files scanned.                                        

  0 unindexed files recovered.                                      

CHKDSK is verifying security descriptors (stage 3 of 5)...
  334592 file SDs/SIDs processed.                                        

Cleaning up 335 unused index entries from index $SII of file 0x9.
Cleaning up 335 unused index entries from index $SDH of file 0x9.
Cleaning up 335 unused security descriptors.
Security descriptor verification completed.
  57923 data files processed.                                           

CHKDSK is verifying Usn Journal...
  34921608 USN bytes processed.                                            

Usn Journal verification completed.
CHKDSK is verifying file data (stage 4 of 5)...
  334576 files processed.                                                

File data verification completed.
CHKDSK is verifying free space (stage 5 of 5)...
  62289840 free clusters processed.                                        

Free space verification is complete.
Windows has checked the file system and found no problems.

 488282111 KB total disk space.
 238510308 KB in 254743 files.
    159832 KB in 57924 indexes.
         0 KB in bad sectors.
    452611 KB in use by the system.
     65536 KB occupied by the log file.
 249159360 KB available on disk.

      4096 bytes in each allocation unit.
 122070527 total allocation units on disk.
  62289840 allocation units available on disk.

Internal Info:
00 1b 05 00 65 c5 04 00 be b4 08 00 00 00 00 00  ....e...........
9e 0a 00 00 3f 00 00 00 00 00 00 00 00 00 00 00  ....?...........
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

Windows has finished checking your disk.
Please wait while your computer restarts.



OK so I re-booted after running SFC / SCANNOW (werfault.exe popped up again) and moved the cbs.log to the desktop as instructed however, I cannot access it. When I right click to compress it, it says "file not found or no read permission." If I try to left click the file to see if I can read it, I get a popup saying "access denied." I tried a few steps I referenced via Google but none of them worked. I can't even attach the file "as is" as I get a message saying I don't have permission to open the file - contact Administrator or file owner for permission. Ideas??


Hello again nitebeat

Thanks for the update and logs; nothing of note from the logs to attribute a reason for the current issue with werfault.exe. Have a look at the following link to a similar issue with werfault.exe, see if that helps... Maybe it is worth your while registering with the Microsoft Community and opening a thread there.

At this point I have no real information to help further, I can say I do not believe this is a Malware or Infection problem...

https://answers.microsoft.com/en-us/ie/forum/ie_other-windows_8/how-do-i-correct-a-werfaultexe-that-keeps-coming/93b4ed67-03cb-4257-8328-c699dea8f629

Let me know if any progress is made with MS Community, or if a reason and fix is found.

Regards,

Kevin...


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks

 

