User_Hostile

Looking to see if my machine is infected.


About the end of February I started to notice that my machine started acting funny, so I assumed that it was some kind of malware.  So I restored an image of my machine from early January and the same behavior occurred.  Then I ran a restoration of my machine from early December.  Same bug appeared.

The behavior only occurs after I've put my machine into sleep mode for a total of two times.  What happens then is I note the disk light starts flashing more and more.  The response of the machine becomes increasingly slower and slower until the cursor no longer moves and the disk light stays on steady.  At that point, the machine locks up.  Rebooting the machine results in a very slow bootup and a much quicker lockup.  I've restored the disk image five times, so I've dialed in the symptoms.

So, presuming this is malware, what steps do I need to take to remove it?  I've backed up my important files, so if it requires a disk wipe, I'm fine with that.   But I'd rather identify the bug, remove it, and rebuild from there.


Hello @User_Hostile

 

Please run the following steps and post back the logs as an attachment when ready.

STEP 01

  • If you're already running Malwarebytes then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
  • If you don't have Malwarebytes installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and select Scan and let it run.
  • Once the scan is completed click on the View Report button, then the Export button and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know in your next reply.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Right-click on the program and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan Now.
  • When finished, please click Clean & Repair.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Attach or Copy its content into your next reply.

 

RESTART THE COMPUTER Before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a checkmark here.
  • Please attach the Addition.txt log to your reply as well.

 

Thanks


You have a bit too much security software installed which can cause an increased possibility of a conflict.

Microsoft Security Essentials (Enabled - Up to date) {71A27EC9-3DA6-45FC-60A7-004F623C6189}
Microsoft Security Essentials (Enabled - Up to date) {CAC39F2D-1B9C-4A72-5A17-3B3D19BB2B34}
Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

ESET Security (Enabled - Up to date) {885D845F-AF19-0124-FECE-FFF49D00F440}
ESET Security (Enabled - Up to date) {333C65BB-8923-0EAA-C47E-C486E687BEFD}
ESET Firewall (Enabled) {B066057A-E576-007C-D591-56C163D3B33B}

Spybot - Search and Destroy (Enabled - Out of date) {4C1D9672-63FE-5C90-371E-8FDA591C5B75}

SUPERAntiSpyware

 

You also have BitTorrent on the computer, which adds an elevated chance of infecting the computer as well. Malware is sometimes crafted to look like the program you're trying to get but comes bundled with the malware too. Also, though rarely does anyone get caught, it's still illegal to share programs, music, most movies, etc., with the possibility of fines or jail time. Something to consider.

You have an old, potentially compromised version of Java. Please uninstall it: Java 8 Update 231. If at all possible, please try to use your computer without Java, but if you really have to use it then always keep it up to date.

Your version of Firefox is way out of date: Mozilla Firefox 68.0.2. The current version is Version 75.0, first offered to Release channel users on April 7, 2020: https://www.mozilla.org/en-US/firefox/75.0/releasenotes/

 

The following script should remove any unwanted threats or possible malware, but I will say there is so much software installed and running on this system it's a wonder it even runs. Though out of scope for malware removal, I'd suggest working on doing some general cleaning of the computer and removing items from startup that don't need to start, programs you no longer use, etc.


Please download the attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

Thanks
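The "Enabled - Up to date" / "Disabled - Out of date" lines quoted above are FRST's summary of what Windows Security Center has registered. As an added example (not part of the thread, and not an FRST or Malwarebytes tool), the following PowerShell reads the same registrations directly and flags the conflict the reply is warning about: more than one real-time antivirus engine enabled at once. The productState decoding is the commonly used heuristic (byte 2 = 10/11 means enabled, byte 3 = 10 means definitions out of date), not a documented API, so treat it as an assumption. It uses Get-WmiObject rather than Get-CimInstance so it also runs on the PowerShell 2.0 that Windows 7 ships with.

```powershell
# Added example: enumerate products registered with Windows Security Center
# (root\SecurityCenter2 exists on client editions from Vista onward; the
# namespace is absent on Server SKUs, which the -ErrorAction handles).
function Get-RegisteredSecurityProducts {
    $classes = 'AntiVirusProduct', 'AntiSpywareProduct', 'FirewallProduct'
    foreach ($class in $classes) {
        $items = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class $class -ErrorAction SilentlyContinue
        foreach ($p in $items) {
            # productState is an integer; viewed as six hex digits AABBCC the
            # BB pair is the real-time state and CC the signature state.
            # This decoding is a widely used heuristic, not a documented contract.
            $hex      = '{0:x6}' -f [int]$p.productState
            $rt       = $hex.Substring(2, 2)
            $enabled  = ($rt -eq '10') -or ($rt -eq '11')
            $outdated = $hex.Substring(4, 2) -eq '10'
            New-Object PSObject -Property @{
                Type        = $class
                Name        = $p.displayName
                Enabled     = $enabled
                Definitions = if ($outdated) { 'Out of date' } else { 'Up to date' }
                State       = "0x$hex"
                Path        = $p.pathToSignedProductExe
            }
        }
    }
}

$products = @(Get-RegisteredSecurityProducts)
$products | Format-Table Type, Name, Enabled, Definitions, State -AutoSize

# More than one enabled real-time antivirus engine is the conflict to look for.
$activeAv = @($products | Where-Object { $_.Type -eq 'AntiVirusProduct' -and $_.Enabled })
if ($activeAv.Count -gt 1) {
    Write-Warning ('{0} antivirus products are enabled at the same time: {1}' -f $activeAv.Count, (($activeAv | ForEach-Object { $_.Name }) -join ', '))
}
# Registered but stale products are dead weight; update or uninstall them.
foreach ($stale in ($products | Where-Object { $_.Definitions -eq 'Out of date' })) {
    Write-Warning ('{0} is registered but its definitions are out of date' -f $stale.Name)
}
```

Run it from a normal (non-elevated) PowerShell prompt; reading SecurityCenter2 needs no special rights. A product that appears twice with different GUIDs, as Microsoft Security Essentials and ESET do in the quoted list, is usually one install registering both an AntiVirusProduct and an AntiSpywareProduct entry, not two installations.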

 


How long should FRST64.exe run for?  (I'm hitting five hours).  Is this dependent on the overall number of files?


I don't see anything in the fix that should take all that long.

It was asked to run an SFC check. That normally takes 10 to 20 minutes.
Then a DISM check to repair corrupted store files, if any are found; that too takes about 10 to 20 minutes depending on the speed of the computer.

Then a couple of removals that are almost instant. Then deleting temp files, which if you had a lot of them could take up to an hour or more, I suppose. Then a disk check on reboot. The disk check runs for most people in under 20 minutes.

If it is still running, I would click on Start, type in "Check for updates" and hit the Enter key, and see if Windows Updates are trying to run or install. If that is happening at the same time it would make everything come to a crawl.

If Windows Updates are not running and FRST is still running, you can go ahead and reboot the computer and let me know. It's quite late for me, but I will check back on you in the morning. If Windows updates are running then DO NOT reboot. Rebooting in the middle of a Windows update could be disastrous.

Thank you
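The reply above turns on one question: is Windows Update actually installing something, in which case a reboot is dangerous, or is the fix merely slow? As an added example (not from the thread or from FRST), this PowerShell answers it with the Windows Update Agent COM API (IUpdateInstaller.IsBusy and ISystemInformation.RebootRequired, both documented interfaces) plus a CPU sample of the servicing processes, which also covers SFC/DISM work done by TrustedInstaller. The 5-second sampling window and the 0.5-second CPU threshold are arbitrary choices of this example. Run it from an elevated PowerShell so the SYSTEM-owned processes are readable.

```powershell
# Added example: decide whether it is safe to reboot a machine that looks hung.
function Test-WindowsUpdateBusy {
    $result = New-Object PSObject -Property @{
        InstallerBusy       = $false   # Windows Update Agent currently installing
        RebootRequired      = $false   # an install finished and waits for restart
        ServicingCpuSeconds = 0.0      # CPU consumed by servicing processes in the sample
    }
    try {
        $result.InstallerBusy  = [bool](New-Object -ComObject 'Microsoft.Update.Installer').IsBusy
        $result.RebootRequired = [bool](New-Object -ComObject 'Microsoft.Update.SystemInfo').RebootRequired
    } catch {
        Write-Warning ('Windows Update COM API unavailable: ' + $_.Exception.Message)
    }

    # TrustedInstaller / TiWorker perform the actual servicing work (for
    # updates, SFC and DISM alike). If their CPU time keeps climbing across
    # the sample, something is still being serviced even when IsBusy is false.
    $names  = 'TrustedInstaller', 'TiWorker', 'wuauclt'
    $before = 0.0
    foreach ($p in @(Get-Process -Name $names -ErrorAction SilentlyContinue)) { $before += $p.CPU }
    Start-Sleep -Seconds 5
    $after = 0.0
    foreach ($p in @(Get-Process -Name $names -ErrorAction SilentlyContinue)) { $after += $p.CPU }
    $result.ServicingCpuSeconds = [math]::Round($after - $before, 2)
    return $result
}

$state = Test-WindowsUpdateBusy
$state | Format-List
if ($state.InstallerBusy -or $state.ServicingCpuSeconds -gt 0.5) {
    Write-Warning 'Servicing is still active. Do NOT reboot yet; check again in a few minutes.'
} elseif ($state.RebootRequired) {
    Write-Host 'An update has finished and is waiting for a restart; rebooting now is safe.'
} else {
    Write-Host 'No Windows Update or servicing activity detected.'
}
```

A zero CPU delta with a process that still exists (for example FRST itself) is the signature of a genuinely hung tool rather than slow work, which is the distinction the reply asks the user to make before pulling the plug.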

 


Rebooted, probably seven hours, but Windows Task Manager indicated normal operation and running one of six core processors at almost the max.

See attached file.

Fixlog.txt


I mean to say, I ran it for seven hours before performing the reboot while the program was running.  Referring to file creation, it took about 13 minutes between the start and finish of the Fixlog.txt file 


From SFC - Windows Resource Protection found corrupt files but was unable to fix some of them.

Then DISM gave this error: 87

That indicates that a Windows Update was in progress at the time. Please reboot the computer one more time.

Then download the fix from post #4 one more time and run it again with FRST and post back the new log.

 


Farbar continues to slog along, but the Fixlog.txt file seems to hang at eight minutes, with these closing texts:

"C:\ProgramData\Temp" => ":5C321E34" ADS not found.
"C:\ProgramData\Temp" => ":CB0AACC9" ADS not found.
"C:\Windows\system32\GroupPolicy\Machine" => not found
HKLM\SOFTWARE\Policies\Google => not found

Fixlog.txt


Okay, I'm going to lunch. When I get back I'll give you some resources to download the Windows 10 ISO image and another fix we can run to fix your OS files.

 


I'm sorry. My fault. I have several topics open and I forgot this was Windows 7. DISM does not run on Windows 7.

Yes, doing an upgrade to Windows 10 would be great if you can do it. Windows 7 is pretty much out of support now and Windows 10 would be a lot more secure.
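The "error 87" from the earlier Fixlog is ERROR_INVALID_PARAMETER: DISM itself exists on Windows 7, but the /RestoreHealth and /ScanHealth switches used in the fix only exist from Windows 8 on, so Windows 7 rejects them (the Windows 7 equivalent is the separately downloaded System Update Readiness Tool, KB947821). As an added example (not the thread's fixlist and not FRST), the following PowerShell branches on the OS version before calling DISM, runs SFC, and then pulls the "Cannot repair member file" entries out of CBS.log so you can see exactly which files SFC gave up on. It must run from an elevated PowerShell; the CBS.log path and the "[SR]" line layout are the standard ones, but the regular expression is written against the typical line format and is an assumption of this example.

```powershell
# Added example: version-aware system file repair plus a CBS.log summary.
function Get-WindowsVersion {
    # Win32_OperatingSystem reports the true version even on older .NET
    # (Windows 7 = 6.1, Windows 8 = 6.2, Windows 10 = 10.0).
    return [version](Get-WmiObject -Class Win32_OperatingSystem).Version
}

function Invoke-SystemFileRepair {
    $os = Get-WindowsVersion
    if ($os -ge [version]'6.2') {
        # Windows 8 and later: repair the component store first so SFC has a
        # trustworthy source to restore from, then run SFC.
        & dism.exe /Online /Cleanup-Image /RestoreHealth
        Write-Host ('DISM exit code: {0}' -f $LASTEXITCODE)
    } else {
        # Windows 7 DISM has no /RestoreHealth (it fails with error 87,
        # ERROR_INVALID_PARAMETER). Use the System Update Readiness Tool there.
        Write-Warning 'Windows 7 detected: DISM /RestoreHealth is not available; run the System Update Readiness Tool (KB947821) if SFC cannot repair files.'
    }
    & sfc.exe /scannow
    Write-Host ('SFC exit code: {0}' -f $LASTEXITCODE)
}

function Get-SfcUnrepairedFiles {
    param([string]$CbsLog = (Join-Path $env:windir 'Logs\CBS\CBS.log'))
    # SFC logs its findings as "[SR]" lines. "Cannot repair member file" marks
    # the ones it could not restore. Lines start with the date, so restrict to
    # today's run; adjust if you are reading yesterday's log.
    $today = (Get-Date).ToString('yyyy-MM-dd')
    Select-String -Path $CbsLog -Pattern '\[SR\] Cannot repair member file' |
        Where-Object { $_.Line.StartsWith($today) } |
        ForEach-Object {
            # Typical line: ... [SR] Cannot repair member file [l:34{17}]"Accessibility.dll" of Accessibility, Version = ...
            if ($_.Line -match "member file \[[^\]]+\]['`"]?([^'`"]+)['`"]? of ([^,]+)") {
                New-Object PSObject -Property @{ File = $Matches[1]; Component = $Matches[2] }
            }
        } | Sort-Object File -Unique
}

Invoke-SystemFileRepair
$bad = @(Get-SfcUnrepairedFiles)
if ($bad.Count -eq 0) {
    Write-Host 'SFC reported no unrepairable files for today.'
} else {
    Write-Warning ('SFC could not repair {0} file(s):' -f $bad.Count)
    $bad | Format-Table File, Component -AutoSize
}
```

When the unrepaired list is non-empty on Windows 7 and the Readiness Tool does not clear it, the remaining options are exactly what the thread goes on to discuss: an in-place upgrade or a clean install, since SFC has no intact copy to restore from.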



Updated to Win 10, but got the black screen.  After three hours, I shut it down, and powered up again.

Ran Farbar again, and still have the same problem.  Hangs on the Google policy.

See attached, it took about eight minutes.

Fixlog.txt


Interesting occurrence, rebooted my machine.  It started a file check & recovery operation.  After a few minutes the computer locked up with the disk light remaining on.  Rebooted, and again, the machine did a file check & recovery operation.  So after the Desktop showed up, I immediately ran FRST64.exe with a scan followed by a fix.   The scan completed successfully, yet fix is still rolling along with the log terminating at Google policy.  But the machine doesn't lock up.   Some process or processes are being killed by FRST64.exe that induce the lockup from what I can tell.

See attached.

Fixlog.txt FRST.txt Addition.txt


Okay, please do not run the FIX anymore.

Please use the following process to uninstall and re-install Malwarebytes. However, when it offers to reinstall go ahead and decline and download the full offline installer instead to install from.

Uninstall and reinstall using the Malwarebytes Support Tool

 

MB4 Offline Installer
https://downloads.malwarebytes.com/file/mb4_offline

Once Malwarebytes has been reinstalled and activated please restart the computer one more time and do a Threat scan with Malwarebytes and post that back.

 


Yes, I too would believe they're FPs. I've used many of his programs for years now. There has never been any malware or threat in them. Some AV companies don't like what the tools can do, but that's more so because they show things they don't like or don't think users should see, or something.

You should be able to add that to an exclusion or download the latest version and if we still detect let me know and I can submit it as an FP too.

https://www.nirsoft.net/utils/wireless_network_view.html

 

So, how are we at this point? Anything else look to be wrong or need help with anything else?

Please run FRST and get a new log, one for Additions as well. Just scans, no fix.

Thanks

 


Added the NIR to my exclusion list.

See the files below.  FRST quit the first time, and I had to kill the process, which gave me a sort-of BSOD.  But upon the reboot, FRST ran fine.

See attached.

FRST.txt Addition.txt


Just a reminder from my post #4: I see that all of the security software I mentioned is still installed and running. I would have to believe that even if it's not causing a conflict, it has to really be draining the resources of your system. I would still recommend you consider reducing some of it.

Though you can use Task Manager to control startups - using a more dedicated tool such as Autoruns might be better so that if needed you could use Task Manager or MSCONFIG as a diagnostic tool. For items that you don't want running maybe consider again if you even really need the program installed. Sometimes less is more so to speak.

You're having a few issues with the computer in general, but they're not related to malware. The logs do not currently show any signs of a real infection. Having a ton of software, a complex setup, and the age of the Windows installation are probably the real concern behind what you're seeing. You're doing restores when it crashes or has issues, but that's not fixing the main issues I'm sure you're seeing.

Are you actively using the RAM drive in Windows ?

At this point - the logs do not show any infection. If the computer continues to be unstable you may want to consider backing up all user data and do a clean, fresh install of Windows. Otherwise, if not a route you want to take then look at reviewing Event Log errors and seeing which ones you can track down to fix.
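The reply above recommends two things: review what starts automatically, and review the Event Log errors. As an added example (not from the thread, and not a substitute for Autoruns, which covers far more locations), the following PowerShell inventories the common autostart places (Run/RunOnce keys for the machine and the current user, both Startup folders, and logon/boot scheduled tasks) and summarises the last week's Critical and Error events by provider and event ID so the noisy repeats stand out. It only reads; remove entries with Autoruns or the program's own uninstaller after reviewing them. The 7-day window and the 20-row cut-off are arbitrary choices of this example, and schtasks is used instead of Get-ScheduledTask because the latter needs Windows 8 or later.

```powershell
# Added example: read-only autostart inventory and Event Log error summary.
function Get-AutostartEntries {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        # Get-ItemProperty adds PSPath/PSParentPath/... note properties; skip them.
        foreach ($prop in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
            New-Object PSObject -Property @{ Source = $key; Name = $prop.Name; Command = [string]$prop.Value }
        }
    }
    $folders = @(
        (Join-Path $env:APPDATA     'Microsoft\Windows\Start Menu\Programs\Startup'),
        (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup')
    )
    foreach ($f in $folders) {
        if (-not (Test-Path $f)) { continue }
        Get-ChildItem -Path $f | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
            New-Object PSObject -Property @{ Source = $f; Name = $_.Name; Command = $_.FullName }
        }
    }
    # Scheduled tasks that fire at logon or boot are a third autostart location.
    # schtasks repeats its CSV header per task folder; drop those rows.
    & schtasks.exe /Query /FO CSV /V 2>$null | ConvertFrom-Csv |
        Where-Object {
            $_.TaskName -ne 'TaskName' -and
            $_.'Scheduled Task State' -eq 'Enabled' -and
            $_.'Schedule Type' -match 'At logon|At system start'
        } | ForEach-Object {
            New-Object PSObject -Property @{ Source = 'Scheduled task'; Name = $_.TaskName; Command = $_.'Task To Run' }
        }
}

function Get-RecentErrorEvents {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    # Level 1 = Critical, 2 = Error. Grouping by provider and event ID turns a
    # wall of events into a short list of "what keeps failing".
    Get-WinEvent -FilterHashtable @{ LogName = 'System', 'Application'; Level = 1, 2; StartTime = $since } -ErrorAction SilentlyContinue |
        Group-Object ProviderName, Id |
        Sort-Object Count -Descending |
        Select-Object Count, Name, @{ n = 'Example'; e = { ($_.Group[0].Message -split "`n")[0] } }
}

Get-AutostartEntries | Sort-Object Source, Name | Format-Table Source, Name, Command -AutoSize -Wrap
Get-RecentErrorEvents -Days 7 | Select-Object -First 20 | Format-Table Count, Name, Example -AutoSize -Wrap
```

Read the autostart list against the Security Center list from earlier in the thread: every real-time scanner you keep will have at least one entry here, and anything you decided to uninstall should disappear from it. In the event summary, repeated Disk, Ntfs or volmgr errors around the time of the hangs point at storage rather than software, which would explain the "disk light on steady" symptom the original post describes.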



I'm slowly getting rid of the files (along with the older security software).  As I'm a critical worker, I don't have much time for most of the week.  But as soon as I finish removing the files, I'll run FRST again.  I've been doing some runs with it, but it keeps hanging when it starts searching for "other areas", so it asks whether or not to wait or kill it, which is the latter.

I've only had one hang up of the machine which did not require a re-image, so me thinks that deleting the old stuff is making an impact. 

I am running a RAM disk with about 4 GB.  I use it to launch and cache the web browsers sometimes.


Note that our software often does not work well with RAM disks and can produce unexpected results or even crash.

Yes, the computer just seems to need some general clean up. Uninstalling unused software and stopping programs from loading on startup unless really needed would be good.

Thank you and good luck.


This topic is now closed to further replies.