Fabb Posted May 9, 2020 ID:1380067
Hi, I had overheating problems on my Windows 10 laptop for about a week. I updated my BIOS and upon restarting, a window popped up, with a certain WINRMSRV asking for permission through my firewall. I got suspicious and I ran a malware scan with Malwarebytes, which found 31 menaces, and currently 27 are quarantined. Windows Firewall and Windows Security are not working right now (I didn't realize they had been disabled; I see a blank page when opening Windows Security), as well as Adobe Reader, which I have now uninstalled. I would like to know if I can delete these files from quarantine and how I can restore the applications that are not working right now: what happens if I delete the quarantined menaces, given some of them are under the System32 folder? I can upload the findings log if it is needed. Thank you to whomever helps.
Maurice Naggar Posted May 9, 2020 ID:1380117
Hi, My name is Maurice. I will be helping and guiding you, going forward on this case. Let me know what first name you prefer to go by. Please follow my directions as we go along. Please do not make any changes on your own without first checking with me. If you will be away for more than 3 consecutive days, do try to let me know ahead of time, as much as possible. Please only just attach all report files, etc. that I ask for as we go along.
.
There is no need to rush to permanently delete stuff that is in Quarantine. Leave those be for the duration of this case.
.
I would appreciate getting some key details from this machine in order to help you forward. NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer; please allow the programs to run if blocked by your system. Do have patience while the report tool runs. It may take several minutes. Just let it run & take its time. You may want to close your other open windows so that there is a clear field of view.
Download Malwarebytes Support Tool
Once the file is downloaded, open your Downloads folder/location of the downloaded file.
Double-click mb-support-1.6.0.774.exe to run the report.
You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
Place a checkmark next to Accept License Agreement and click Next.
Now click the left-hand side pane "I do not have an open support ticket".
You will be presented with a page stating "Get Started!"
Do NOT use the button "Start repair"! But look instead at the far-left options list in black.
Click the Advanced tab on the left column.
Click the Gather Logs button.
A progress bar will appear and the program will proceed with getting logs from your computer. Please do have patience. It takes several minutes to gather.
Upon completion, a file named mbst-grab-results.zip will be saved to your Desktop. Click OK.
Please attach the ZIP file in your next reply.
.
Please know I help here as a volunteer and that I am not on 24 x 7. Help on this forum is one to one. Again, please be sure to ONLY attach report files with your reply(s) as we go along. Do not do a copy / paste into the main body. Thank you, Sincerely.
Fabb Posted May 11, 2020 ID:1380421
Thank you for your answer; please address me by my username. I will follow the steps you illustrated and keep you updated. Thank you.
Maurice Naggar Posted May 11, 2020 ID:1380540
Hello, Fabb. I look forward to getting your report.
Fabb Posted May 11, 2020 ID:1380614
Hello Maurice, I performed the mbst log gathering; it was fairly quick. Maybe because I performed it with WiFi turned off? Anyway, how can I be sure that the information I upload here is safe for me? Is there a way we can communicate privately, maybe using Malwarebyte's client? I don't mean to be rude and I appreciate your help; I am just concerned for my privacy. Thank you.
Maurice Naggar Posted May 11, 2020 ID:1380626
You could just attach the ZIP file into a personal message to me. But the working of the actual case we will do here on this thread.
Fabb Posted May 11, 2020 ID:1380639
Okay, thank you for your answer Maurice and for your help. I will attach the log here:
mbst-grab-results.zip
Maurice Naggar Posted May 11, 2020 ID:1380643
While I review your file & before I send a reply, please also do the following report.
SecurityCheck by glax24
I would like you to run a tool named SecurityCheck to inquire on the current security-update status of some applications.
Download SecurityCheck by glax24 from here https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe and save the tool on the desktop.
If Windows SmartScreen blocks that with a message window, then click on the MORE INFO spot and override that and allow it to proceed. This tool is safe. SmartScreen is overly sensitive.
Right-click with your mouse on the SecurityCheck.exe and select "Run as administrator" and reply YES to allow it to run & go forward.
Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file. Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt
Maurice Naggar Posted May 11, 2020 ID:1380648 (edited)
Thank you for the support tool reports. You made mention of winrmsrv at the top. On the 6th of May, Malwarebytes (amongst other things) found & removed 2 coin-mining trojans:
2020-05-06T15:19:08Z | C:\Windows\System32\winrmsrv.exe [file | Trojan.BitCoinMiner]
2020-05-06T15:19:11Z | C:\Windows\System32\winlogui.exe [file | Trojan.BitCoinMiner]
.
You can do a thorough scan like this to do a new check with Malwarebytes for Windows.
Start Malwarebytes from the Windows Start menu.
Click Settings (gear icon) at the top right of the Malwarebytes window. We want to see the SETTINGS window.
Then click the Security tab.
Look for the section "Automatic Quarantine". Be sure it is clicked On (to the far right side).
Scroll down and let's be sure the line in SCAN OPTIONS for "Scan for rootkits" is ON. Click it to get it ON if it does not show a blue color.
Then scroll down to the section Potentially Unwanted items. We need the next 2 lines (for P U P & for P U M) to be set to "Always (Recommended)". You can make the change by clicking on the down-arrow selection list control. We want all P U P & P U M to be marked for removal.
Next, click the small x on the Settings line to go to the main Malwarebytes window.
Next click the blue button marked Scan.
When the scan phase is done, be real sure you review and have all detected line items check-marked on each line on the left. That too is very critical.
Then click on Quarantine selected.
Then, locate the Scan run report; export out a copy; & then attach it in with your reply. See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4
Edited May 11, 2020 by AdvancedSetup: corrected font issue
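Added example, not part of this thread and not Malwarebytes' own code: a small Python triage script for detection lines in the shape quoted above (timestamp | object [type | detection name]). It shows two things a responder cares about when reading such a report: how many distinct objects were hit versus how many lines were logged (the same file can appear more than once, which is why a line count like "31" overstates the number of unique items), and which detected files sit under Windows system directories, where a dropped coin miner such as the two above deserves follow-up. The line format, the list of sensitive directories and all sample lines other than the two quoted from the thread are assumptions constructed for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
from pathlib import PureWindowsPath
from typing import List, Optional

# Line shape inferred from the two detections quoted in the thread (assumption):
#   2020-05-06T15:19:08Z | C:\Windows\System32\winrmsrv.exe [file | Trojan.BitCoinMiner]
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s*\|\s*"
    r"(?P<target>.+?)\s*\[(?P<kind>[^|\]]+?)\s*\|\s*(?P<name>[^\]]+?)\]\s*$"
)

# Directories where a detected executable warrants a closer look (assumed list).
SENSITIVE_DIRS = (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
    PureWindowsPath(r"C:\Windows"),
)

# Constructed sample report: the first two lines are the ones quoted in the thread;
# the duplicate, the registry value, the user-profile file and the junk line are made up.
SAMPLE_LOG = r"""
2020-05-06T15:19:08Z | C:\Windows\System32\winrmsrv.exe [file | Trojan.BitCoinMiner]
2020-05-06T15:19:11Z | C:\Windows\System32\winlogui.exe [file | Trojan.BitCoinMiner]
2020-05-06T15:19:11Z | C:\Windows\System32\winlogui.exe [file | Trojan.BitCoinMiner]
2020-05-06T15:19:12Z | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|winlogui [registry value | Trojan.BitCoinMiner]
2020-05-06T15:19:14Z | C:\Users\Public\update.exe [file | PUP.Optional.Example]
not a detection line
""".strip().splitlines()


@dataclass(frozen=True)
class Detection:
    when: datetime
    target: str
    kind: str
    name: str

    @property
    def in_sensitive_dir(self) -> bool:
        """True for a file whose path lies under one of SENSITIVE_DIRS (case-insensitive)."""
        if self.kind != "file":
            return False
        parents = PureWindowsPath(self.target).parents
        return any(d in parents for d in SENSITIVE_DIRS)


def parse_line(line: str) -> Optional[Detection]:
    """Parse one report line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    when = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Detection(when, m["target"], m["kind"].strip().lower(), m["name"].strip())


def triage(lines: List[str]) -> dict:
    """Summarise a report: logged lines, unique objects, detection families, system-dir files."""
    dets = [d for d in map(parse_line, lines) if d is not None]
    unique_objects = {(d.kind, d.target.lower()) for d in dets}
    families = Counter(d.name for d in dets)
    flagged = sorted({d.target for d in dets if d.in_sensitive_dir}, key=str.lower)
    return {
        "lines": len(dets),
        "unique_objects": len(unique_objects),
        "families": families,
        "system_dir_files": flagged,
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print(f"{summary['lines']} detection lines, {summary['unique_objects']} unique objects")
    for family, count in summary["families"].most_common():
        print(f"  {family}: {count}")
    for path in summary["system_dir_files"]:
        print(f"  system-directory file: {path}")
```

The unique-object key lowercases the path because Windows paths are case-insensitive; registry entries are counted as objects but never flagged as system-directory files, since only the `file` kind is checked against the directory list.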
Fabb Posted May 12, 2020 ID:1380733
Hello Maurice, thank you for reviewing my report.
1) I performed a scan with SecurityCheck; I will attach the report.
2) I reviewed Malwarebyte's settings as you instructed and performed a scan. No menace was found. I will attach today's report as well as the report of the scan I performed on May 6th. On that occasion, I remember that Malwarebytes found 31 menaces, but now only 27 are in quarantine. I do not remember allowing nor deleting 4 of the findings, so I cannot explain this difference.
Thank you, Fabb
Malwarebytes12may.txt
Malwarebytes6may.txt
SecurityCheck.txt
Maurice Naggar Posted May 12, 2020 ID:1380890
Hello. The Malwarebytes scan of 12/05/20 is perfect. No malware / no anything. The scan done on the 6th dealt with all of those that it flagged on that run. That mission of removing threats was completed. Do not try to count up items (numbers). One 'threat' can be listed on more than one line. The number 31 is not the actual amount of individual (unique) elements. What was tagged is less than that number. But all items tagged before were dealt with and removed.
.
Leave the items in the Malwarebytes Quarantine where they are. There is not any need to delete those permanently. That you can do, say, 10 days from now, after you know the system is running normally.
.
The SecurityCheck report indicates that the Windows Firewall is on.
Windows Defender Firewall (mpssvc) - The service is running
.
It seems that this PC has 2 different VPN programs installed. Wonder why? OpenVPN & ProtonVPN. It seems to me that one would use just only one. The report makes this note about ProtonVPN:
ProtonVPN v.1.10.1 Warning! Download Update
.
The Mozilla Firefox version is out of date. You need to do an Update run in Firefox.
Mozilla Firefox 72.0.1 (x64 it) v.72.0.1 Warning! Download Update
.
I suggest the following adjustment on Malwarebytes for Windows. That adjustment will ensure that the Microsoft Windows Defender antivirus stays enabled.
Start Malwarebytes. Click the Settings (gear) icon.
Next, let's make real sure that Malwarebytes does NOT register with Windows Security Center.
Click the Security tab. Scroll down to "Windows Security Center".
Click the selection to the left for the line "Always register Malwarebytes in the Windows Security Center".
.
[ 2 ] The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system.
The download links & the how-to-run-the-tool are at this link at Microsoft https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download
Let me know the result of this. The log is named MSERT.log; the log will be at %SYSTEMROOT%\debug\msert.log which in most cases is C:\Windows\debug\msert.log
Please attach that log with your reply.
Fabb Posted May 12, 2020 ID:1380916
Thank you for your support. The only application currently giving me issues is Windows Security, which presents me with a blank page whenever I open it. I downloaded MSERT.exe and launched a thorough scan, 12 minutes ago now, but the percentage is still very low and my laptop started overheating and lagging. Is this normal? Should I stop it? How?
Maurice Naggar Posted May 12, 2020 ID:1380924
Machine overheating is absolutely not normal. Shut down Windows and power off your machine. Make sure it gets back to the normal room temperature range. Make sure there is sufficient air flow all around the machine. Look for dust or gunk around the exterior of the machine, especially by the exhaust vents.
.
We here can only check your machine for malware, and if found, help you remove it. Some of the other issues you mention (especially overheating) are not malware. As hardware gets older, it may develop hardware issues.
Fabb Posted May 12, 2020 ID:1380932
Yes of course, I understand. I managed to open Task Manager and saw the process "System interrupts" running at 100% CPU. Then I saw the process related to MSERT.exe rushing to the top of the list and terminated it, so the situation came back under control. I am not going to launch it again. I am writing it here because I thought the overheating was maybe related to the scan performed by MSERT. Anyway, thank you for the help you kindly provided so far. I have a few questions left: do you have any suggestion to explain the strange behaviour of Windows Defender? How dangerous is it to delete the quarantined files? What could happen exactly? What would happen to the quarantined files if I left them there while updating my OS? Thank you again for your time.
Maurice Naggar Posted May 12, 2020 ID:1380948
We can skip the Safety Scanner tool. Files in quarantine you can delete if you wish. Your decision. Files in quarantine are in permanent lockup / cannot pose any harm of any sort. We typically recommend waiting some period of time, just in case there may be a false positive.
.
On the issue of Task Manager, I tend to not rely on it to judge use percentages. But here you say that MSERT seemed to stall out or maybe freeze.
.
I do not know / cannot tell about Windows Defender. I DID suggest that you be sure to do this.
Start Malwarebytes. Click the Settings (gear) icon.
Next, let's make real sure that Malwarebytes does NOT register with Windows Security Center.
Click the Security tab. Scroll down to "Windows Security Center". Click the selection to the left for the line "Always register Malwarebytes in the Windows Security Center". Then close Malwarebytes.
Then let us have you RESTART Windows.
Look in the Windows search box on the Windows taskbar. Type in virus & threat protection
You should see a list display. There is a link for "Virus & threat protection". Click on that. Take a look there.
Fabb Posted May 13, 2020 ID:1381142
Sorry, I forgot to mention it, but I completed the procedure you suggested and had no result. I can click on the link you mentioned to change settings of Virus & threat protection, but then all settings are blocked and I cannot access them. Anyway, I understand that this may be a non-malware-related issue and you cannot help me further. I wish to thank you again for answering my questions and guiding me through this series of check-ups; I am much more relieved now.
With gratitude, Fabb
Maurice Naggar Posted May 13, 2020 ID:1381147 (edited)
That is fine. You are very welcome. But before I let you go, let us do this report run. I want you to go slow here.
You have the FRST tool. It is called FRSTENGLISH in the Downloads folder.
Go to the Downloads folder (using Windows File Explorer).
Double-click on FRSTENGLISH to start the tool.
Click YES when prompted by the Windows U A C prompt to allow it to run.
Click Yes when the disclaimer appears in FRST.
The tool may want to update itself; in that case you'll be prompted when the update is completed and ready to use.
Make sure that Addition options is checked; the configuration should look exactly like on the screen below (do not mark additional things unless asked).
Press the Scan button and wait. Much patience is a good thing.
The tool will produce 2 logfiles on your desktop: FRST.txt, Addition.txt
Click the OK button when it shows up. Close the Notepad windows when they show on screen. The tool saves the files.
Please attach these 2 files to your next reply.
Edited May 13, 2020 by Maurice Naggar
Fabb Posted May 13, 2020 ID:1381152
I do not have FRSTENGLISH in my Downloads folder. I tried downloading it from bleepingcomputer.com, but my browser advised me against it. What is a reliable source to download it?
Maurice Naggar Posted May 13, 2020 ID:1381169
Sorry about that. This is the link to get the 64-bit version http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
What you can & what you should do .....
RIGHT-click with the mouse on the link above & choose "Save As....."
Go slow: guide the download dialog box to get it to the folder Downloads, and in the white box for filename erase the FRST64 & type in for the name of the file gazork.exe, and go ahead and SAVE the download to the Downloads folder.
Then you just run GAZORK (the renamed name for the FRST64).
Fabb Posted May 15, 2020 ID:1381649
Hello Maurice, sorry for the delay. I ran the scan you asked me to, and again the reports seem to contain a lot of personal information that I would prefer not to share. Anyway, I would really like you to help me; today Windows Explorer crashed, and Adobe Reader stopped working again. Can you please tell me which part of the report you need so that I can provide it? I have seen that it is divided into sections, so this may be convenient. Thank you.
Maurice Naggar Posted May 15, 2020 ID:1381686
You can start a personal message to me and then attach all the reports. I need them all, AS IS. Thank you.
Maurice Naggar Posted May 22, 2020 ID:1382867
Hello Fabb. It has been many days since I last heard back from you. I hope you are doing well. Are you still with us here on this case? How is it going?
Fabb Posted May 22, 2020 ID:1382918
Hello Maurice, thank you for reaching out again. I was away for the past few days. I have the FRST.txt and Addition.txt from the scan I performed one week ago (on May 15th): is it still relevant or should I perform a new scan? The laptop is still giving me some issues, like the Spotify client not working, Windows Explorer crashing again yesterday, and some other minor issues.
Maurice Naggar Posted May 22, 2020 ID:1382995
Hello. Go ahead and attach the FRST.txt + the Addition.txt. The Spotify issue we should put to the side. The Windows Explorer "crash" is a more pressing concern. So I will also need another report as well.
Please download MiniToolBox, save it to your desktop and run it. Don't click on any ads on the screen itself at Bleepingcomputer. The download will start automatically.
Reply YES when prompted by Windows to allow the program to run.
Reply YES when prompted by the tool to proceed.
Checkmark the following check-boxes:
Flush DNS
Report IE Proxy Settings
Reset IE Proxy Settings
Report FF Proxy Settings
Reset FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs
List Devices
List Users, Partitions and Memory size
List Minidump Files
Click Go and post the result (MTB.txt). A copy of Result.txt will be saved in the same directory the tool is run.
Note: When using the Reset FF Proxy Settings option, Firefox should be closed.
Thank you.
Fabb Posted May 23, 2020 ID:1383199
I performed the scan with MTB. Here are all the reports:
Addition.txt
MTB.txt
FRST.txt