Can't open MB, Windows Settings, Regedit...


Hello to all.

I am certain that I have become infected by some malware. I thought it was a windows issue at first because I cannot open Windows Settings app (running Windows 10 Home). I am also unable to open regedit and system restore, as they close automatically after less than a second. So I downloaded Malwarebytes to run a scan only to find out that it wouldn't open either. Installed Chameleon and successfully ran a scan, but it couldn't find anything. 

I have tried Zemana Antimalware and SuperAntiSpyware to see if anything turns up, but I haven't had any luck. This must be caused by some malware right? 

Could somebody please help me? I'm desperate.

Thank you


Hi, welcome.

My name is Maurice. I will be helping and guiding you, going forward on this case.

Let me know what first name you prefer to go by.

 

Please follow my directions as we go along.  Please do not do any changes on your own without first checking with me.

If you will be away for more than 3 consecutive days,  do try to let me know ahead of time, as much as possible.

 

Please only just attach   all report files, etc  that I ask for as we go along.

.

"Chameleon" is an old tool, now basically obsolete.   Please do not use that.

.

This here is a special tool.

Please read all of these lines first so that it is all clear to you about our plan. I need a one time run of MBAR like listed here, please.

Please download Malwarebytes Anti-Rootkit (MBAR) from this link here

and save it to your desktop.

 

Doubleclick on the MBAR file and allow it to run.

•Click OK on the next screen, to allow the package to extract the contents of the file to its own folder named mbar.

•mbar.exe will launch automatically. On some systems, this may take a few extra seconds. Please be patient and wait for the program to open.

•After reading the Introduction, click 'Next' if you agree.

•On the Update Database screen, click on the 'Update' button.

•Once you see 'Success: Database was successfully updated' click on 'Next', then click the Scan button.

With some infections, you may see two message boxes:

1.'Could not load protection driver'. Click 'OK'.
2.'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.

•If malware is found, press the Cleanup button when the scan completes.

Please attach the log it produces, you'll find the log in that mbar folder as MBAR-log-<date and time>***.txt . Please attach that to your next reply.
  
[    2    ]

Let's then run this report. It will not take a lot of time.

RSIT (Random's System Information Tool) 
Please download RSITx64 by random/random... save it to your desktop.
1.    Right click on RSIT.exe and select "Run As Administrator" to run it. If Windows UAC prompts you, please allow it.
2.    Please read the disclaimer... click on Continue.
3.    RSIT will start running. When done... 2 logs files...will be produced. 
The first one, "log.txt", will be maximized; the second one, "info.txt", will be minimized.
4.    Please post both... "log.txt" and "info.txt", file contents in your next reply. 
.
Please do not do any more self-medication on this pc.   If you have questions or run into a glitch, Stop and ask me here first.


Hi Carlos. Thanks for the reports. I am very happy to see that MBAR anti-rootkit reports no malicious items.

We need to do things a little at a time.   I need for you to keep going down this list, doing what you can.  Just keep going on down the list.

If you run into a severe hitch, write it down for later, and do the next listed procedure here.

[  A  ]

Chameleon caused an old version of Malwarebytes to be installed. We need to uninstall Malwarebytes Anti-Malware version 2.2.1.1043

1. Press & hold  the Windows key on keyboard & then tap the R key   to open the Run command.

2. Type appwiz.cpl and tap Enter.
The Programs and Features window will appear.

 

3. Locate Malwarebytes Anti-Malware version 2.2.1.1043 and click once to select it, then click the Uninstall button.

[   B   ]

Please try uninstalling and reinstalling Malwarebytes for Windows using the Malwarebytes Support tool. 

Uninstall and reinstall using the Malwarebytes Support Tool
https://support.malwarebytes.com/docs/DOC-2674

Please have lots of patience with the tool.  The first phase is a cleanup and does require a Windows Restart.

After the Restart, it may take 2 - 3 - 4 minutes till the Support tool screen shows up.   Please be patient and have faith.  Wait for it, whatever it takes.
The 2nd phase is where it offers to do a new Install.

Let me know if this run clears up the issue or not.

Let me know how this goes.

 


I'm sorry for double posting (I know I shouldn't). But I just opened task manager and found three suspicious processes running. They're called jyuvru32.exe (two instances) and myaemimr32.exe. And on the "Start" tab there is a "Microsoft Windows Based Script Host" which I had NEVER seen before there. Is that the infection???

Screenshot_1.jpg

Screenshot_2.jpg


You can use Task Manager. One at a time, highlight with your right mouse pointer and select End Task (that is, RIGHT-click with the mouse & End Task)

on jyuvru32.exe

myaemimr32.exe

 

Then,

I would like to have you run a report tool known as FRST. This has no personal information. It is well-known, widely used & safe.
FRST will help provide me with a list of installed programs and other information about your computer that will help me see if there are any other problems that are not being detected. Please follow the steps below to run FRST.


1: Please download FRST from the link below and save it to your desktop:
 

"Download link for 64-Bit Version Windows"



Please wait and look toward the top or bottom of your browser for the option to Run or Save.
Click Save to save the file 


Run report with FRST64

NOTE:  If you run into the situation where frst64 is blocked  ( unable to be run)  then RENAME the FRST64.exe to GAZORK.exe   & then run that.



Right-click on the FRST64 icon and select Run as Administrator to start the tool, and reply YES to allow it to proceed and run.
 

Windows 8 or 10 users will be prompted about Windows SmartScreen protection - click the More info line on that screen and click the Run anyway button on the next screen.

Click YES when prompted by the Windows UAC prompt to allow it to run.
Note: If you are prompted by Windows SmartScreen, click More info & followup & choose Run anyway.


Approve the Windows UAC prompt on Windows Vista and newer operating systems by clicking on Continue or Yes. 

Click Yes when the disclaimer appears in FRST.
The tool may want to update itself - in that case you'll be prompted when the update is completed and ready to use.

Make sure that Addition options is checked - the configuration should look exactly like on the screen below (do not mark additional things unless asked).
Press Scan button and wait.




The tool will produce 2  logfiles on your desktop: FRST.txt , Addition.txt 
Click OK button when it shows up. Close the Notepad windows when they show on screen. The tool saves the files.

Please attach these 2 files to your next reply.

Thank you.

.

Edited by Maurice Naggar
added note

I was unable to finish the suspicious processes. One of them in fact shut my PC off and I had to turn it on again, only to find out that the processes have changed. One of them is now kcphwgvlh.exe. I found out that both files are stored in a hidden folder inside my AppData > Roaming. I have not touched them so as to not get in more trouble.

As you warned, I could not open FRST64.exe until I renamed it to GAZORK.exe.

I cannot see the screen that you attached, so I hope the default settings are OK.

Screenshot_3.jpg

FRST.txt Addition.txt

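Carlos's two observations above (random-named .exe files running from a hidden folder under AppData\Roaming, and an unexpected "Microsoft Windows Based Script Host" entry in Startup) can be checked from a normal PowerShell window. The script below is an added triage example, not something from this thread or from Malwarebytes/FRST; it is read-only (it lists, it does not end tasks or delete anything) and assumes the standard per-user AppData\Roaming location and the usual Run keys and Startup folders.

```powershell
# Added example (not from the thread): read-only triage for the symptoms described above.
$roaming = [Environment]::GetFolderPath('ApplicationData')   # e.g. C:\Users\<name>\AppData\Roaming

Write-Host "== Running processes whose image lives under $roaming =="
Get-CimInstance Win32_Process |
    Where-Object { $_.ExecutablePath -and $_.ExecutablePath.StartsWith($roaming, 'OrdinalIgnoreCase') } |
    ForEach-Object {
        # A legitimate app rarely runs from a Hidden folder in Roaming; flag that attribute.
        $dir    = Split-Path $_.ExecutablePath -Parent
        $hidden = (Get-Item -LiteralPath $dir -Force).Attributes -band [IO.FileAttributes]::Hidden
        [PSCustomObject]@{
            PID          = $_.ProcessId
            Name         = $_.Name
            Path         = $_.ExecutablePath
            HiddenFolder = [bool]$hidden
            ParentPID    = $_.ParentProcessId
            CommandLine  = $_.CommandLine
        }
    } | Format-List

Write-Host "== Autostart entries that launch Windows Script Host (wscript/cscript) or a script file =="
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PowerShell's own metadata properties
        $value = [string]$p.Value
        if ($value -match '(?i)wscript|cscript|\.(vbs|vbe|js|jse|wsf)\b') {
            [PSCustomObject]@{ Key = $key; Name = $p.Name; Command = $value } | Format-List
        }
    }
}

# Startup folders: shortcuts or scripts dropped here run at every logon and show up
# in Task Manager's Startup tab, which is where the "Windows Based Script Host" entry was seen.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
Get-ChildItem -LiteralPath $startupDirs -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -match '(?i)^\.(vbs|vbe|js|jse|wsf|lnk|exe)$' } |
    Select-Object FullName, LastWriteTime | Format-Table -AutoSize
```

Run it as the affected user (the HKLM key and CommonStartup folder are readable without elevation); anything it lists is a lead to hand to the helper, not a verdict on its own.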

Thanks for the FRST reports.  That truly helps to see where those pests are & where they are.

By the way, this pc has Emsisoft Anti-Malware.   How long has it been installed ?   Have you done any scans with it ?   Curious to know.

The custom procedure below is intended to quash the pests here.

and by the way, jhi_service is an Intel program. We leave that alone.

 

You have used FRST64  ( Gazork)   which comes out with Spanish notations.  

What follows is a first step to have Windows 10 show all files and folder. Do not let this spook you out.

There is a how-to at Tenforums. Use either option one or two or three

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

 

[    2   ]

Please Close and Save any open work you may have open.

Please close as many un-needed app-windows that you yourself may have open at this point.   So you can have a clear field of view.

We are going to run a custom script for this particular pc.   Please have lots of patience while all this runs.

 

This custom script is for   Carlosc23   only / for this machine only.

Close and save any open work files before starting this procedure. 

 

Please Close and save any open work files before you start this next step.  It will involve a Windows Restart at the end of it.

I am sending a   custom Fix script which is going to be used by the FRST64 tool. They will both work together as a pair.

Please RIGHT-click the (attached file named) FIXLIST and select SAVE  link AS and save it directly ( as is) to the  Downloads  folder

The tool named GAZORK (FRST64.exe) should already be in the Downloads folder

Start Windows Explorer and then go to the Downloads folder.


RIGHT click on  GAZORK    and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run.

If the tool warns you the version is outdated, it will get it automatically.

 

IF Windows prompts you about running this, select YES to allow it to proceed.

 

IF you get a block message from Windows about this tool......

click line More info information on that screen

and click button Run anyway on next screen.

 

on the FRST window:
Click the Fix button just once, and wait.

 


 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.

 

The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity 

 

[  NEXT ]    IF at all possible, do a new scan with Malwarebytes for Windows.

Run a scan with Malwarebytes.
Start Malwarebytes from the Windows  Start menu.

Click Settings ( gear icon)   at the top right of Malwarebytes window.   We want to see the SETTINGS window.

Then click the SECURITY  tab.
Scroll down and let's be sure the line in SCAN OPTIONS for "Scan for rootkits" is ON
Click it to get it ON  if it does not show a blue-color

Now click the small X  to get back to the main menu window.


Click the SCAN button.
Select a Threat Scan ( which should be the default).

When the scan phase is done, be real sure you review and have all detected line items check-marked on the left. That too is very critical.

Then click on Quarantine selected.

 

Be sure all items were removed. Then too, Repeat the scan one more time. It does not take long.

and again, be sure all detected items are removed.


Let it remove what it has detected, and let me know where things stand.

 

 

 

Fixlist.txt


Maurice, I cannot thank you enough for your help. It seems that the infection has been removed. The files are no longer there, and I can now open the Settings app, regedit and System restore (which are the main three issues I noticed in the first place). I was able to open Malwarebytes, run a scan, and it found nothing. Also, my Windows logon profile picture had disappeared but it is back now.

Is it OK for me to delete all the files that were created/downloaded during this cleaning process?

Thank you again. If there is anything else to be addressed, do let me know.

Fixlog.txt


Sorry again for double posting, but I forgot to answer your question. I did install Emsisoft's Antimalware tool but removed it the same day. How is it that it's still installed? Was it not removed properly?


Hi Carlos.

Bravo.   You did well too.   You may if you wish praise me to AdvancedSetup.

There is no need to rush to cleanup the tools used.   We will do that when we close the case.

I want to encourage you to run 2 other different scans so that we have supplementary checks.

[   1   ]

The Microsoft Safety Scanner  is a free Microsoft stand-alone virus scanner that  can be used to scan for & remove malware or potentially unwanted software from a system.

The download links & the how-to for running the tool are at this link at Microsoft

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Let me know the result of this.

The log is named MSERT.log 

the log will be at  %SYSTEMROOT%\debug\msert.log   which in most cases is

C:\Windows\debug\msert.log

Please attach that log with your reply.


[  2   ]

I would suggest a free scan with the ESET Online Scanner
Go to https://www.eset.com/us/home/online-scanner/

Look on the right side of the page.  Click Scan Now
It will start a download of "esetonlinescanner_enu.exe"
Save the file to your system, such as the Downloads folder, or else to the Desktop.

Go to the saved file, and double click it to get it started.
When presented with the initial ESET options, click on "Computer Scan".

Next, when prompted by Windows, allow it to start by clicking Yes

When prompted for scan type, Click on Full scan
Look at & un-tick   the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click on Start scan button.

Have patience.  The entire process may take an hour or more. There is an initial update download.
There is a progress window display.
You should ignore all prompts to get the ESET antivirus software program.   ( e.g.  their standard program).   You do not need to buy or get or install anything else.

When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.

Click The blue “Save scan log” to save the log.

If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files”  ( in blue, at bottom).

Press Continue when all done. You should click off the offer for "periodic scanning".


[   3  ]

NOTES: It may be that Windows Security Center is showing that Emsisoft Anti-Malware is the antivirus,

though the list of installed programs does not show Emsisoft.

You may want to drill through the Windows Settings and drill down to Update and Security >>> Windows Security

 


Hello again Maurice.

Here is the log file from MSERT. For some reason, I could not find a button to save the log in ESET's program, but it did tell me about three infected items which it deleted, all related to an "Output Portal.msi". I know for a fact it was a false positive but I allowed it to remove the files since I don't really think I'll ever install it.

 

msert.log


Thanks.   The MS Safety Scanner classified a handful of .MSI  ( installer files) as trojans.

I would like for you to ensure that you can use the Windows Defender antivirus, and also that Windows Defender is ON.

Go to Windows Settings icon and click it.   Then to Update and Security.   Then select Windows Security.  Then click Open Windows Security.

Please see about running a Full scan with Windows Defender.

 


Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks

 
