
Found a bunch of malware and trojans, and some software not working



Hello.   I hope you are doing well & enjoying the weekend.

Thank you for the reports.   I have a very special custom script to re-enable Windows Defender Antivirus & some other fix tweaks.

This custom script is for Fabb only / for this machine only.
Close and save any open work files before starting this procedure.

I am sending a custom Fix script which is going to be used by the FRST64 tool. They will both work together as a pair.

Please RIGHT-click the attached file named FIXLIST, select Save link as, and save it directly (as is) to the Downloads folder.

The FRST64.exe tool is already in the Downloads folder.
Start Windows Explorer and go to the Downloads folder.

RIGHT-click on FRST64 and select Run as administrator, and allow it to proceed. Reply YES when prompted to allow it to run. If the tool warns you the version is outdated, please download and run the updated version.
If Windows prompts you about running this, select YES to allow it to proceed.

If you get a block message from Windows about this tool, click the line More info on that screen and click the button Run anyway on the next screen.

On the FRSTENGLISH window:
Click the Fix button just once, and wait.

[screenshot: the FRST Fix button]

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after the restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run.

Please attach the Fixlog.txt to your next reply, at your next opportunity.

 

After this run, and once Windows has settled in, let me know how things are.

Sincerely,

Attachment: Fixlist.txt

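A way to see what a "re-enable Windows Defender" fix like the one above has to put right, and to confirm afterwards that it worked, as an added example that is not part of the original thread and not FRST's script: the PowerShell below, run from an elevated prompt on Windows 10, prints the OS build (the same number winver shows later in the thread), the state of the services Defender and the Windows Security app depend on, the Defender policy registry values that malware commonly sets to keep the product off, the Run entry that starts the Security Health tray icon, and Defender's own status. The service, key and value names are the standard Windows ones; nothing here changes the system.

```powershell
# Added example, not from the thread or from FRST: read-only audit of the
# pieces a "re-enable Windows Defender" fix usually has to repair.
# Run from an elevated PowerShell prompt on Windows 10.

# 1. OS build. The thread starts on 1809 and ends on 1909; ReleaseId is the
#    same number winver shows.
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
"OS build      : {0} (build {1}.{2})" -f $cv.ReleaseId, $cv.CurrentBuild, $cv.UBR

# 2. Services Defender and the Windows Security app depend on. A Disabled
#    start mode on any of these leaves the Settings page blank and the tray
#    icon missing, which is the symptom described in this thread.
$names = 'WinDefend', 'WdNisSvc', 'SecurityHealthService', 'wscsvc'
foreach ($name in $names) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) { "{0,-22}: MISSING" -f $name; continue }
    $mode = (Get-CimInstance Win32_Service -Filter "Name='$name'").StartMode
    "{0,-22}: {1,-8} start={2}" -f $name, $svc.Status, $mode
}

# 3. Policy values that turn Defender off (DisableAntiSpyware,
#    DisableRealtimeMonitoring, ...). A home PC that is not domain-managed
#    normally has no Disable* values under these keys at all.
$policyKeys = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender',
              'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
foreach ($key in $policyKeys) {
    if (-not (Test-Path -LiteralPath $key)) { "$key : not present (good)"; continue }
    $props = (Get-ItemProperty -LiteralPath $key).PSObject.Properties |
             Where-Object { $_.Name -like 'Disable*' }
    if (-not $props) { "$key : no Disable* values (good)"; continue }
    foreach ($p in $props) { "{0}\{1} = {2}" -f $key, $p.Name, $p.Value }
}

# 4. The Run entry that starts the tray icon (SecurityHealthSystray.exe).
#    Malware that wants Defender quiet sometimes removes just this.
$run  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$tray = if ($run.SecurityHealth) { $run.SecurityHealth } else { 'MISSING' }
"Tray icon Run : $tray"

# 5. Defender's own view of itself. This call fails when the WinDefend
#    service is not running, which is itself the finding you want.
try {
    Get-MpComputerStatus |
        Select-Object AMServiceEnabled, AntivirusEnabled, RealTimeProtectionEnabled,
                      AntivirusSignatureVersion, AntivirusSignatureAge |
        Format-List
} catch {
    "Get-MpComputerStatus failed: $($_.Exception.Message)"
}
```

Run it once before the fix and once after the reboot and compare the two outputs; a fix that re-enables Defender should turn any Disabled or MISSING line above into Running / Automatic and remove the Disable* policy values.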

Hello, thank you for producing this Fixlist.txt file for me.
I ran the software and I am attaching the Fixlog.txt.


Attachment: Fixlog.txt


I don't see any changes in how my laptop is working, including no changes in the weird behavior of Windows Defender, and the icon is still absent from the bottom right corner of the screen.


I somewhat think that one or two Windows services are not up to snuff. Knowing that this PC's Windows 10 is at build 1809 (from the fall of 2018), I am beginning to think that you need somehow to see about getting the very latest Windows 10 build update from Microsoft.

 

At this point though,  I would like for you to manually start & run a scan with Windows Defender antivirus.

The aim (goal) here is just to do a Quick Scan with Windows Defender.

 

Start Malwarebytes. Click the Settings (gear) icon. Next, let's make real sure that Malwarebytes does NOT register with Windows Security Center.

Click the Security tab. Scroll down to

"Windows Security Center"

Click the selection to the left for the line "Always register Malwarebytes in the Windows Security Center".

Close the program window.

As to Windows Defender:

You can do a manual Check for Update for Windows Defender by using the Windows Settings menu.

From the Start menu, select Settings, then select Update and Security.

Next, look at the left-side menu & select Windows Security

[screenshot: Windows Security in the Settings left-side menu]

Next, in the Windows Security section, click on the grey button Open Windows Security.

[screenshot: the Open Windows Security button]

Now, click on the shield Virus and threat protection

By the way, when you see a green check-mark on your display, it means a good status and that protection is on.

 

 

 

[screenshot: the Virus and threat protection shield]

On the next display, look at all the options. Look down the list and see "Check for Updates", which I have highlighted with a blue icon.

You can click on that to have the system check for updates for Windows Defender.

Please also note that all the Scan options can be displayed by clicking on Scan options. (You can do Quick, Full, or Custom.)

[screenshot: Virus and threat protection options, with Check for Updates highlighted]

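The same walkthrough from the command line, as an added example that is not part of the thread: from an elevated PowerShell prompt on Windows 10, list the antivirus products registered with Windows Security Center (the registration that the Malwarebytes "Always register Malwarebytes in the Windows Security Center" switch above adds or removes), update Defender's definitions, run a Quick Scan, and show what it found. The Defender cmdlets and the root/SecurityCenter2 class are Microsoft's; the decoding of the productState value follows the commonly documented bit layout and is an assumption, not something the thread states.

```powershell
# Added example, not from the thread: the "Check for updates" and "Quick scan"
# steps above done from an elevated PowerShell prompt, plus a look at which
# products Windows Security Center currently lists as antivirus providers.

# Antivirus products registered with Security Center. productState is a
# bitmask; the two bits decoded here follow the commonly documented layout
# (assumption: 0x1000 set = product enabled, 0x10 set = definitions out of date).
function Get-RegisteredAntivirus {
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct |
        ForEach-Object {
            [pscustomobject]@{
                Product  = $_.displayName
                Enabled  = (($_.productState -band 0x1000) -ne 0)
                UpToDate = (($_.productState -band 0x10) -eq 0)
                Exe      = $_.pathToSignedProductExe
            }
        }
}

"Antivirus products known to Security Center:"
Get-RegisteredAntivirus | Format-Table -AutoSize

# Equivalent of Virus & threat protection > Check for updates.
Update-MpSignature

# Equivalent of Scan options > Quick scan. The cmdlet blocks until the scan ends.
Start-MpScan -ScanType QuickScan

# Everything Defender has detected, newest first. Resources lists the files
# or registry entries involved; ThreatID can be looked up with Get-MpThreat.
Get-MpThreatDetection |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object InitialDetectionTime, ThreatID, ProcessName, Resources |
    Format-Table -AutoSize -Wrap

# Status after the scan: signature version and when the quick scan finished.
Get-MpComputerStatus |
    Select-Object AntivirusEnabled, RealTimeProtectionEnabled,
                  AntivirusSignatureVersion, QuickScanEndTime, QuickScanAge |
    Format-List
```

If Update-MpSignature or Start-MpScan fails with an error about the Defender service, the problem is upstream of signatures and scans, in the service state, and the Settings page will be just as unhelpful as the command line; if Security Center lists no product at all, the blank "Security at a glance" page is what you would expect to see.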

Here's the Malwarebytes setting you mentioned; as you see, it is set to the left:

[screenshot: Malwarebytes Windows Security Center setting]

This is the issue that I have been mentioning, what I see if I open "Security at a glance": absolutely nothing.

[screenshot: empty Security at a glance page]

The only thing I can click successfully is the gear icon at the bottom left, and if I navigate to the "antivirus provider" tab, this is what I see, and I can take no actions:

[screenshot: antivirus provider tab]

 

My idea was to update Windows to 1909 as you suggested as well. For this, I was thinking of emptying the quarantine folder of Malwarebytes, because I don't know what would happen to those files if I update Windows. But I was concerned that deleting those files was not a good idea, so that's how I came to this forum originally.

As you already told me, I may delete those files and it should pose no harm to the laptop now, so I would proceed doing so and then updating my operating system. Unless you have a different suggestion.

 

 


Neither Malwarebytes nor what it has in Quarantine will affect any upgrade/update of Windows 10.

It just does not have a bearing.   Yes, you can permanently delete what is in the Quarantine but just be very sure you only do that by using the option in Malwarebytes itself.

Yes, I highly encourage you to get build 1909 for Windows 10.


Hi, I tried updating Windows 10 to the 1909 build.
The first time I tried, the update failed and it told me that my antivirus was somehow interfering.
So I rebooted the laptop and tried again; this time it worked. It took about 2 hours and, during one of the many automatic reboots, it was stuck for a long time on 86%.

However, now it has finished and I turned on my laptop to check. Nothing changed and Windows Security is still not working (as usual, right after turning on the computer, the Windows Security icon briefly flashes in the bottom right of the screen; it is shown with a yellow mark indicating something wrong, it remains visible for a fraction of a second and then disappears).

To check if the update was successful, I typed:

WIN + R
winver

The dialog box that pops up shows that the installed version is still 1809, indicating that the update was not successful, although I did not receive any notification stating this.

Any possible reason for this? Is it possible that Malwarebytes really interfered somehow? (I have a premium license now)

 


Let me add some more details to the previous post.

For my first update attempt, I downloaded the version 1909 update from the Microsoft website:
https://www.microsoft.com/it-it/software-download/windows10

From that executable file, the "Windows Update Assistant" was installed and performed the operation, without success.

However, I just noticed that the Windows 10 app "Windows Update" (a section of "Update and security") is now working again, while it was not working for the past month or so, not giving me any notification and not finding updates even if I ran it manually.
Anyway, I ran it today and it found some "cumulative" updates; I installed a first one, rebooted, and then a second one. I scanned again for updates and it finally found the "Windows 10, version 1909" update, and it is currently trying to install it (fingers crossed).

Meanwhile, I also opened the Microsoft Store app (which I never do; it was totally random), and noticed 26 pending updates that had all stopped at the same level, something like 98% through. So I just restored them all manually and the Microsoft Store app was able to complete them, fortunately.

The OS update is now at 14%; I'll let you know if it is successful.


Final update:

The OS update worked! 
My understanding is that the malware that infected my laptop had disabled Windows Defender and Windows Update; removing the infected files with Malwarebytes stopped the infection from spreading, and finally the fixlist you made for me has allowed them to work again. Is this correct?

If it is so, then again I thank you very much for your help!

Now I am not experiencing issues with the laptop, except this message, "Intel® Optane™ Memory Pinning Error: Unable to load DLL 'iaStorAfsServiceApi.dll'", popping up every time I right-click on a folder. However, from a Google search I understand it is a problem related to Dell and the latest Windows update, so it should be unrelated to malware.

What should I do next? Remove all the restoration software I used so far?


Good afternoon. I hope you are enjoying the weekend.

Bravo to you for having got the update to Windows 10 build 1909. That is the fall 2019 update. It brings the operating system up to the current release.

I am unsure what you mean by "restoration software". If you mean the tools I had you use before, I will guide you on how to clean those up. No need to rush on those.

 

I had you rename a report tool to Gazork a few days ago. It is in the Downloads folder. It is the FRST tool with the name GAZORK.

I would like to see a fresh report from that tool.

 

Go to the Downloads folder (using Windows File Explorer).

Double-click on GAZORK to start the tool.
Click YES when prompted by the Windows UAC prompt to allow it to run.

Click Yes when the disclaimer appears.
The tool may want to update itself; in that case you'll be prompted when the update is completed and ready to use.

[screenshot: FRST main window with scan options]

Make sure that the Addition option is checked; the configuration should look exactly like on the screen below (do not mark additional things unless asked).
Press the Scan button and wait. Much patience is a good thing.

The tool will produce 2 log files on your desktop: FRST.txt and Addition.txt.
Click the OK button when it shows up. Close the Notepad windows when they show on screen. The tool saves the files.

Please attach these 2 files to your next reply.


Thanks for the FRST reports. The "iastor" DLL is related to an Intel driver for Rapid Storage Technology. It is not malware, nor is it a Windows Update thing, I do not believe.

This is a common driver on personal computers.

I do not see any logged events by Windows that mention it. I would suggest you consider not doing right-clicks on folders while using Windows File Explorer.

I have seen a few cases where the right-click with the mouse in Windows Explorer leads to aborts if some class IDs are messed up or are leftover.

And yes, this issue is not malware.

Try not doing right-clicks in Windows Explorer. Let me ask: why do you need the right-click in that way? What are you trying to do?

What I would suggest doing just one time is a Windows Shutdown >> Restart.

 

 


This happens even if I simply want to copy-paste a file or zip a folder; as I right-click to perform the operation, the notification shows up.
Another instance is that I would right-click to see recently viewed items, and open one of them.

Anyway, I tried rebooting several times, as well as manually updating the drivers, but none of this worked. The suggestion I found online was to simply uninstall Optane. 


Go ahead with uninstalling Optane. That one does have a 'connection' with the right-click functionality, since it has a related Class ID hook.

Once you finish the uninstall,  do a Windows shutdown  >> Restart


I am attaching a custom fix script named FIXLIST.txt.

It is meant to remove the class ID association on Explorer for Optane so that File Explorer works normally when you use a right-click.

Delete the prior copy on your system that I had you save before: delete the old Fixlist from the Downloads folder.

This custom script is for Fabb only / for this machine only.
Close and save any open work files before starting this procedure.

I am sending a custom Fix script which is going to be used by the FRST64 tool. They will both work together as a pair.

Please RIGHT-click the attached file named FIXLIST, select Save link as, and save it directly (as is) to the Downloads folder.

The FRST64.exe tool is already in the Downloads folder.
Start Windows Explorer and go to the Downloads folder.

RIGHT-click on FRST64 and select Run as administrator, and allow it to proceed. Reply YES when prompted to allow it to run. If the tool warns you the version is outdated, please download and run the updated version.
If Windows prompts you about running this, select YES to allow it to proceed.

If you get a block message from Windows about this tool, click the line More info on that screen and click the button Run anyway on the next screen.

On the FRSTENGLISH window:
Click the Fix button just once, and wait.

[screenshot: the FRST Fix button]

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after the restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run.

Please attach the Fixlog.txt to your next reply, at your next opportunity.

Attachment: Fixlist.txt

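To see which shell extensions Explorer loads on a right-click, and which of them point at a DLL that is no longer on disk, here is an added example that is not part of the thread and not FRST's fixlist: a read-only PowerShell script that walks the ContextMenuHandlers, DragDropHandlers and CopyHookHandlers keys for files, folders, and the Explorer background in both HKCU and HKLM, resolves each handler's CLSID to its InprocServer32 DLL, and flags entries whose DLL cannot be found. A handler in the DLL MISSING state is what produces an "Unable to load DLL ..." error on every right-click, copy or zip; the Optane / Rapid Storage entry discussed above would appear in this list under whatever handler name its installer registered, which the thread does not give. Run it in 64-bit PowerShell (the default), since Explorer is 64-bit and loads from the 64-bit CLSID view. The registry layout is standard Windows; the key and function names in the script are the example's own.

```powershell
# Added example, not from the thread or from FRST: read-only inventory of the
# shell extensions Explorer loads for right-click, drag/drop and copy/move,
# with the DLL each CLSID resolves to and whether that DLL exists on disk.
# Run in 64-bit PowerShell on Windows 10; nothing is modified.

# HKEY_CLASSES_ROOT is a merge of these two, per-user entries taking precedence.
$hives        = 'HKCU:\SOFTWARE\Classes', 'HKLM:\SOFTWARE\Classes'
$targets      = 'Directory', 'Directory\Background', 'Folder', '*', 'AllFilesystemObjects'
$handlerTypes = 'ContextMenuHandlers', 'DragDropHandlers', 'CopyHookHandlers'

# Resolve a CLSID to the DLL registered as its in-process server.
function Resolve-ClsidDll {
    param([string]$Clsid)
    foreach ($hive in $hives) {
        $key = "$hive\CLSID\$Clsid\InprocServer32"
        if (Test-Path -LiteralPath $key) {
            $dll = (Get-ItemProperty -LiteralPath $key).'(default)'
            if ($dll) { return [Environment]::ExpandEnvironmentVariables($dll.Trim('"')) }
        }
    }
    return $null
}

# A bare file name (e.g. "shell32.dll") is found through the system search
# path; treat System32 as its home so it is not reported as missing.
function Test-DllExists {
    param([string]$Path)
    if ([System.IO.Path]::IsPathRooted($Path)) { return (Test-Path -LiteralPath $Path) }
    return (Test-Path -LiteralPath (Join-Path $env:SystemRoot "System32\$Path"))
}

function Get-ShellHandlerStatus {
    foreach ($hive in $hives) {
        foreach ($target in $targets) {
            foreach ($type in $handlerTypes) {
                $menuKey = "$hive\$target\shellex\$type"
                if (-not (Test-Path -LiteralPath $menuKey)) { continue }
                foreach ($entry in Get-ChildItem -LiteralPath $menuKey) {
                    # The CLSID is either the subkey's default value or the subkey name.
                    $default = (Get-ItemProperty -LiteralPath $entry.PSPath).'(default)'
                    $clsid = if ($default -match '^\{[0-9A-Fa-f-]+\}$') { $default }
                             elseif ($entry.PSChildName -match '^\{[0-9A-Fa-f-]+\}$') { $entry.PSChildName }
                             else { $null }
                    $dll = if ($clsid) { Resolve-ClsidDll $clsid } else { $null }
                    $status = if (-not $clsid) { 'no CLSID' }
                              elseif (-not $dll) { 'CLSID not registered' }
                              elseif (Test-DllExists $dll) { 'ok' }
                              else { 'DLL MISSING' }
                    [pscustomobject]@{
                        Hive    = $hive.Substring(0, 4)
                        Target  = $target
                        Type    = $type
                        Handler = $entry.PSChildName
                        Clsid   = $clsid
                        Dll     = $dll
                        Status  = $status
                    }
                }
            }
        }
    }
}

$report = Get-ShellHandlerStatus
$report | Sort-Object Status, Target | Format-Table -AutoSize -Wrap

# The entries worth acting on. Exporting and then deleting such a handler's
# subkey under ...\shellex\<Type> stops Explorer loading it without touching
# the rest of the product; reinstalling or uninstalling the product does the same.
"Handlers that cannot load:"
$report | Where-Object { $_.Status -ne 'ok' } | Format-Table -AutoSize -Wrap
```

A handler that shows as "CLSID not registered" is an orphan left behind by an uninstaller and is harmless but worth removing; "DLL MISSING" is the state that throws an error dialog on every right-click and is the one to fix first. Take a registry export of the key before deleting anything so the change can be reversed.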

Hello,
The old Fixlist.txt file actually disappeared right after I performed the fix; is this weird?
I used the FRST tool I had named "gazork.exe" for the first fix, and I am going to do the same for this next one.


After a few attempts, I managed to "restore" the Optane app from the "Programs and Features" tab of the Control Panel, so I don't need to uninstall it, nor do I need to run the Fixlist anymore.


Hello.

I have received your last 2 replies.   We had done a number of scans during this case.  As I recall, there is no issue that is related to malware by this point.

Is there something else you need at this point?


That is fine.   I am glad to have helped.

Now some cleanup of the tools I had you use. To remove the FRST64 tool & its work files, do this: go to your Downloads folder. RIGHT-click on FRST64.exe, select RENAME, and then change it to UNINSTALL.exe.
Then run that (double-click on it) to begin the cleanup process.

Delete mb-support-1.6.0.774.exe

Delete mbst-grab-results.zip on the Desktop

Delete SecurityCheck.exe

Delete msert.exe

 

Backup is your best friend.  Keep backups of your system on a regular basis to offline storage & keep those safe. https://forums.malwarebytes.com/topic/136226-backup-software/

It is not enough to just have a security program installed. Each pc user needs to practice daily safe computer and internet use.

Best  practices & malware prevention:
Follow best practices when browsing the Internet, especially on opening links coming from untrusted sources.
First rule of internet safety: slow down & think before you "click".
Never click links without first hovering your mouse over the link and seeing if it is going to an odd address (one that does not fit, is odd looking, or has typos).

Free games & free programs are like "candy". We do not accept them from "strangers".

Never open attachments that come with unexpected ( out of the blue ) email no matter how enticing.
Never open attachments from the email itself. Do not double-click in the email. Always save first and then scan with an antivirus program.

Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed.
Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next".

Use a Standard user account rather than an administrator-rights account when "surfing" the web.
See more info on Corrine's SecurityGarden Blog http://securitygarden.blogspot.com/p/blog-page_7.html
Don't remove your current login. Just use the new Standard-user-level one for everyday use while on the internet.

 
Do a Windows Update.

Make certain that Automatic Updates is enabled.
https://support.microsoft.com/en-us/help/12373/windows-update-faq

Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched prevents attackers from exploiting those vulnerabilities to drop malware.

For other added tips, read "10 easy ways to prevent malware infection"

 

Keep in mind that you can still upgrade for free to Windows 10 from Microsoft. That would get this machine onto a more modern and more secure operating system, at zero cost.

Ed Bott at ZDNet has an excellent resource article from May 2020

https://www.zdnet.com/article/hands-on-with-windows-10-upgrading-installing-and-activating-in-the-real-world/

 

Stay safe.  I wish you all the best.   😎

Sincerely,

Maurice


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you

 

 
