
Does not detect anymore previous potential harmful files



Hello,

I am new to this forum and I need some advice, please, regarding the scanning of some of my games.

Earlier today I did a scan of some folders with potentially harmful files (steam_api.dll, crakgen,...); at the time it did detect them but I did not put them in quarantine, so they should still be out there, but after reinstalling Malwarebytes and scanning the same folders again, it did not detect any of them!? Should I be worried about it, and where are they now? Of course, I ran a full scan of my laptop and the scan came back clean. Furthermore, all of my games are installed on an external hard drive of 4TB; nothing is installed on my C drive except the saved games located in my documents.

I appreciate your help

 

Davi

 


Hi, Davi
My name is Maurice. I will be helping and guiding you, going forward on this case.
One very strong caution: "crakgen" not only are deemed illegal (since they break copyrights) BUT are extremely dangerous since they are very often bundled with ransomware that will cause serious damage to your machine. Stay away from any sort of "crack" tool ... of any sort, from anywhere.

 

Please follow my directions as we go along. Please do not do any changes on your own without first checking with me.
If you will be away for more than 3 consecutive days, do try to let me know ahead of time, as much as possible.

Please only just attach all report files, etc. that I ask for as we go along.

I would like for you to start with one tool to check the current system.

[ 1 ]

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system.
The download links & the how-to-run-the-tool are at this link at Microsoft:
https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

Let me know the result of this.
The log is named MSERT.log
The log will be at %SYSTEMROOT%\debug\msert.log which in most cases is
C:\Windows\debug\msert.log
Please attach that log with your reply.
 

[ 2 ]

I would appreciate getting some key details from this machine in order to help you forward.
NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

Do have patience while the report tool runs. It may take several minutes. Just let it run & take its time. You may want to close your other open windows so that there is a clear field of view.

Download Malwarebytes Support Tool
Once the file is downloaded, open your Downloads folder/location of the downloaded file
Double-click mb-support-1.6.0.774.exe to run the report
You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
Place a checkmark next to Accept License Agreement and click Next
You will be presented with a page stating, "Get Started!"
Do NOT use the button “Start repair”!
Click the Advanced tab on the left column
Click the Gather Logs button
A progress bar will appear and the program will proceed with getting logs from your computer
Upon completion, a file named mbst-grab-results.zip will be saved to your Desktop. Click OK
Please attach the ZIP file in your next reply.

Please know I help here as a volunteer and that I am not on 24 x 7.
Help on this forum is one to one. Again, please be sure to ONLY attach report files with your reply(s) as we go along. Do not do a copy / paste into main body.

Thank you,
Sincerely.
 


Hello Maurice,

First off, thank you very much for your time and efforts in helping me resolve my issue.

Here are the 2 files you have demanded. Just note that during both scans my external hard drives were not attached to my laptop; if you wish me to re-scan everything with my external hard drives, let me know please. (It might take close to a full day of scanning as I have 2 external hard drives full of games.) But when I did a full scan, last week, with Malwarebytes of my two external hard drives, it took approximately about 18 hours and it detected 63 threats out of almost 400 games. Most of the threats found were steam_api.dll and a few crackgen.

Guilty of downloading cracked games and will delete any harmful ones, but I do know that some can be detected as false/positive (ex: steam_api.dll) by many AV softwares.

By the way,  I am available as here, in France, due to the virus we are forced to be contained at home so I am available night and day.

Kind regards,

David

mbst-grab-results.zip msert.log


Hello David. Thanks for the reports.

The Safety scanner report result is good. The last scan with Malwarebytes for Windows on the 20th reported no malware / no P U P.

Let's do this special scan for adwares next.

 

I would suggest to download, Save, and then run Malwarebytes ADWCLEANER.
Please close Chrome and all other open web browsers after you have saved the Adwcleaner and before you start Adwcleaner scan.
Adwcleaner detects factory Preinstalled applications too!

Please download Malwarebytes AdwCleaner

https://downloads.malwarebytes.com/file/adwcleaner

Be sure to Save the file first, to your system. Saving to the Downloads folder should be the default on your system.

Go to the folder where you saved Adwcleaner. Double click Adwcleaner to start it.
At the prompt for license agreement, review and then click on I agree.

You will then see a main screen for Adwcleaner. (If you do not see it right away, minimize the other open windows, so you can see Adwcleaner.)
Then click on Dashboard button.
Click the blue button "Scan Now".

Allow it a few minutes to finish the Scan. Let it remove what it finds.
NOTE: When it comes to the section "Pre-installed applications", you can skip that.

Please find and send the Adwcleaner "C" clean report.
In Adwcleaner, click the "Reports" button. Look at the list of reports for the latest date & type "Clean".
Double Click that line & it will open in Notepad. Save the file to your system and then Attach that with your reply.

That C clean report will be the one with the most recent Date and time at folder C:\AdwCleaner\Logs
Thanks. Keep me advised.
 


Ok Maurice, I've done the scan but it did not prompt me with "section pre-installed application" so I did not have to skip that part. On the other hand, after the scan, it asked me if I wanted to "repair", which I declined, so I skipped that part; was I right or would you like me to start over? The scan took less than a minute.

To be honest, the other reason why I asked for help regarding Malwarebytes is because I did notice that every time I open task manager, the CPU is high for a couple of seconds (60-70% usage) then drops down to normal (1-3%); on the other hand the disk usage remains at 0 and the memory also remains stable at 23%. This worried me, so that is why I downloaded Malwarebytes at first to detect any anomaly that could increase my CPU. Obviously, now, my main issue is where are all the "bad guys" that Malwarebytes detected earlier and are not detected anymore, heehee...

Anyway, here are the files requested.

Once again, thank you Maurice.

David

 

AdwCleaner[S00].txt


It is ok, you did not need to use a "repair" option in Adwcleaner. Put wholly aside the Task Manager behavior.

The report of the scan by Adwcleaner is all perfect. NO P U P / no adwares.

People do not understand the behaviors of Task Manager on systems these days.

You must disregard any percentages displayed on that initial screen ... until it (Task Manager) and the Windows measurements have settled down for about a minute.

So, the behavior needs to not be used for a reason to go about "suspicions".

We here use known security check tools to look for actual malware & when found, remove them.

I can point you to countless other threads that started out all about the behavior & reporting of % in Task Manager.

But I will not do that here.

We should stick with what is currently going on now on this machine.

I had you run the Microsoft Safety scanner before. That scan result was just fine.

 

[ 1 ]

I would like you to do a new scan with Malwarebytes for Windows. One of the major goals here is to have it remove all that it detects. If it finds anything, that is.
Start Malwarebytes from the Windows Start menu.
Click Settings (gear icon) at the top right of Malwarebytes window. We want to see the SETTINGS window.
Then click the Security tab. Look for the section "Automatic Quarantine". Be sure it is clicked On (to the far right side).

Then scroll down to the section Potentially Unwanted items. We need the next 2 lines (for P U P & for P U M) to be set to "Always (Recommended)".
You can make the change by clicking on the down-arrow selection list-control. We want all P U P & P U M to be marked for removal.

Next, click the small x on the Settings line to go to the main Malwarebytes Window.
Next click the blue button marked Scan.
When the scan phase is done, be real sure you Review and have all detected line items check-marked on each line on the left. That too is very critical.
Then click on Quarantine selected.
Then, locate the Scan run report; export out a copy; & then attach it with your reply.

See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

[ 2 ]

I would suggest a free scan with the ESET Online Scanner
Go to https://www.eset.com/us/home/online-scanner/

Look on the right side of the page. Click Scan Now
It will start a download of "esetonlinescanner_enu.exe"

Save the file to your system, such as the Downloads folder, or else to the Desktop.

Go to the saved file, and double click it to get it started.
When presented with the initial ESET options, click on "Computer Scan".
Next, when prompted by Windows, allow it to start by clicking Yes
When prompted for scan type, click on Full scan
Look at & tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on Start scan button.
Have patience. The entire process may take an hour or more. There is an initial update download.
There is a progress window display.
You should ignore all prompts to get the ESET antivirus software program (e.g. their standard program). You do not need to buy or get or install anything else.
When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked “View detected results”.
Click the blue “Save scan log” to save the log.
If something was removed and you know it is a false finding, you may click on the blue “Restore cleaned files” (in blue, at bottom).
Press Continue when all done. You should click to off the offer for “periodic scanning”.
 


Indeed, you are right Maurice, I should have not brought the task manager suspicious behavior here, so from now on I'll stick with you to the malware hunt only, heehee...

The first scan was done as explained on the link you sent me, but the second part, "History", I could not find any?!... It did not show any history even after having done the scan.

Regarding the scan with ESET, it went fine but was quite quick and did not detect anything.

Thanks for the help,

 

ESESCAN.txt scanreport.txt


Hi. Thanks for the reports.

ESET scan stats. Perhaps (maybe) you did not select "FULL" scan.

Files scanned: 315911
Detected files: 0
Cleaned files: 0

The scan with Malwarebytes for Windows is all good. It looks to me like your system is all good to go.

Let me know if you need other help.

 

See this article on our Malwarebytes Blog
https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

You want to disable the ability of each web browser on this machine from being able to allow "push ads". That means Chrome, Firefox, or Edge browser (on Windows 10), or on Opera.
Scroll down to the tips section "How do I disable them".

If this pc has the Google Chrome browser, or the Brave browser, I suggest you install the Malwarebytes Browser Guard for Chrome.
To get & install the Malwarebytes Browser Guard extension for Chrome, open this link in your Chrome browser:
https://chrome.google.com/webstore/detail/malwarebytes/ihcjicgdanjaechkgeegckofjjedodee

Then proceed with the setup.

Also suggested for Chrome or Brave browser, the NoScript add-on extension for added protection from script exploits
https://chrome.google.com/webstore/detail/noscript/doojmbjmlfjjnbmnoijecmcbfeoakpjm

If the pc has Mozilla Firefox, to get & install the Malwarebytes Browser Guard Firefox extension, open this link in your Firefox browser:
https://addons.mozilla.org/en-US/firefox/addon/malwarebytes/
Then proceed with the setup.
That link is for English US. There are other language versions. Just go to the very bottom right of the page and look at “Change language” list drop down.

The Premium Malwarebytes for Windows offers multiple real-time protections, including anti-ransomware, anti-exploit, anti-malware, + web protection.

There is currently a special sale at Malwarebytes thru April 30

https://www.bleepingcomputer.com/offer/deals/get-25-percent-off-malwarebytes-premium-and-malwarebytes-for-teams-until-april-30th/

The Premium license can be purchased for as many seats (devices) that you and your folks have that are Windows, Android, Chromebook, Mac OS X


You are welcome. Glad to have helped.

What follows is a few cleanups for the tools I had you use.

Delete the MSERT.exe

Delete mbst-grab-results.zip on the Desktop

Delete mb-support-1.6.0.774.exe in the Downloads folder

To remove the FRSTENGLISH tool & its work files, do this. Go to your Downloads folder. Do a RIGHT-click on FRSTENGLISH.exe & select RENAME & then change it to UNINSTALL.exe

Then run that (double click on it) to begin the cleanup process.

Delete the ESET download file esetonlinescanner_enu.exe

Adwcleaner you can keep & use on-demand to scan for adwares.

I am happy to have worked with you. I am marking the case for closure.

Backup is your best friend. Keep backups of your system on a regular basis to offline storage & keep those safe. https://forums.malwarebytes.com/topic/136226-backup-software/

It is not enough to just have a security program installed. Each pc user needs to practice daily safe computer and internet use.

Best  practices & malware prevention:
Follow best practices when browsing the Internet, especially on opening links coming from untrusted sources.
First rule of internet safety: slow down & think before you "click".
Never click links without first hovering your mouse over the link and seeing if it is going to an odd address ( one that does not fit or is odd looking or has typos).

Free games & free programs are like "candy". We do not accept them from "strangers".

Never open attachments that come with unexpected ( out of the blue ) email no matter how enticing.
Never open attachments from the email itself. Do not double click in the email. Always Save first and then scan with antivirus program.

Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed.
Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next".

Use a Standard user account rather than an administrator-rights account when "surfing" the web.
See more info on Corrine's SecurityGarden Blog http://securitygarden.blogspot.com/p/blog-page_7.html

Don't remove your current login. Just use the new Standard-user-level one for everyday use while on the internet.

 
Do a Windows Update.

Make certain that Automatic Updates is enabled.
https://support.microsoft.com/en-us/help/12373/windows-update-faq

Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

For other added tips, read "10 easy ways to prevent malware infection"

 

Stay safe.   All the best to you.

Sincerely,

Maurice


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you

 

 


This topic is now closed to further replies.