emar Posted July 4, 2020 ID:1392106

Good morning everyone, I'm new in this forum, I really hope you can help me. Yesterday I found something strange in the behaviour of the PC: Windows Defender doesn't find any problem but when I open its history it crashes. I found the name of the malware before the last crash (Trojan:PowerShell/Mountsi.A!ml). Running Malwarebytes I found some malware so I eliminated it, but the problem is still there! Thanks.

kevinf80 Posted July 4, 2020 ID:1392113

Hello emar and welcome to Malwarebytes....

Continue with the following:

If you do not have Malwarebytes installed do the following:

Download Malwarebytes from the following link: https://www.malwarebytes.com/mwb-download/thankyou/ or, https://downloads.malwarebytes.com/file/mb4_offline
Double click on the installer and follow the prompts. If necessary select the Blue Help tab for video instructions....

When the install completes or Malwarebytes is already installed do the following:

Open Malwarebytes, select > "settings" > "security tab"
Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on....
Go back to "DashBoard" select the Blue "Scan Now" tab......
When the scan completes quarantine any found entries...

To get the log from Malwarebytes do the following:

Single click on the target sight above scanner window.
In the new window select Report
Double click on the Scan log which shows the Date and time of the scan just performed.
Click Export > From export you have two options:
Copy to Clipboard - if selected right click to your reply and select "Paste", log will be pasted to your reply
Export to Txt - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply

Please use "Export to Txt" then attach the log to your reply...

Next,

Download AdwCleaner by Malwarebytes onto your Desktop. Or from this Mirror
Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
Accept the EULA (I accept), then click on Scan
Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Quarantine button. This will kill all the active processes
Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply

Next,

Download Farbar Recovery Scan Tool and save it to your desktop.
Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST, either accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status...

Double-click to run it. When the tool opens click Yes to disclaimer. (Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
Make sure Addition.txt is checkmarked under "Optional scans"
Press Scan button to run the tool....
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The tool will also make a log named (Addition.txt). Please attach that log to your reply.

Let me see those logs in your reply...

Thank you,
Kevin....

emar Posted July 4, 2020 Author ID:1392114

First of all thanks for the response. I have them already since I've tried to follow some instructions of other posts. Btw I'm uploading the .txt of the Malwarebytes report of yesterday with the threats I've eliminated too.

Addition.txt
AdwCleaner[C00].txt
AdwCleaner[S00].txt
FRST.txt
Report 20200703.txt
Report 20200704.txt

kevinf80 Posted July 4, 2020 ID:1392118

Hello emar,

Thanks for those logs, continue..

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.

Next,

Download "Microsoft's Safety Scanner" and save direct to the desktop

Ensure to get the correct version for your system.... https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

Right click on the Tool, select "Run as Administrator", the tool will expand to the options Window
In the "Scan Type" window, select Quick Scan
Perform a scan and Click Finish when the scan is done.

Retrieve the MSRT log as follows, and post it in your next reply:

1) Select the Windows key and R key together to open the "Run" function
2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

notepad c:\windows\debug\mrt.log

The log will include log details for each time MSRT has run, we only need the most recent log by date and time....

Next,

Scan with Autoruns

Please download Sysinternals Autoruns from the following link: https://live.sysinternals.com/autoruns.exe and save it to your desktop.

Note: If using Windows Vista, Windows 7, Windows 8/8.1 or Windows 10 then you also need to do the following:

Right-click on Autoruns.exe and select Properties
Click on the Compatibility tab
Under Privilege Level check the box next to Run this program as an administrator
Click on Apply then click OK

Double-click Autoruns.exe to run it.
Once it starts, please press the Esc key on your keyboard.
Now that scanning is stopped, click on the Options button at the top of the program and verify that the following are checked, if they are unchecked, check them:
Hide empty locations
Hide Windows entries
Click on the Options button at the top of the program and select Scan Options... then in the Autoruns Scan Options dialog enable/check the following two options:
Verify code signatures
Check VirusTotal.com
Once that's done click the Rescan button at the bottom of the Autoruns Scan Options dialog and this will start the scan again, this time let it finish.
When it's finished and says Ready. on the lower left of the program window, please click on the File button at the top of the program and select Save and save the file to your desktop and close Autoruns.
Right click on the file on your desktop that you just saved and hover your mouse over Send To and select Compressed (zipped) Folder
Attach the ZIP folder you just created to your next reply

Thanks,
Kevin...

fixlist.txt

emar Posted July 4, 2020 Author ID:1392125

Here you have! 😊

Fixlog.txt
LAPTOP-8M2DQ3E1.zip
msert.log

kevinf80 Posted July 4, 2020 ID:1392141

Hiya emar,

How does your PC respond now, any issues or concerns..?

Thank you,
Kevin..

emar Posted July 4, 2020 Author ID:1392148

Well, the PC is slowed down and Win Defender doesn't open...😅

kevinf80 Posted July 4, 2020 ID:1392173

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan"

Select scan, when done post the new logs. "FRST.txt" and "Addition.txt"

emar Posted July 5, 2020 Author ID:1392230

Here they are. At one point (when it was scanning for other areas) it didn't respond! I hope it's okay.

Addition.txt
FRST.txt

kevinf80 Posted July 5, 2020 ID:1392237

Hello emar,

Problem with AutoconfigURL has returned, continue please:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.

Next,

Please download Zemana AntiMalware and save it to your Desktop.

Install the program and once the installation is complete it will start automatically.
Without changing any options, press Scan to begin.
After the short scan is finished, if threats are detected press Next to remove them.

Note: If restart is required to finish the cleaning process, you should click Reboot. If reboot isn't required, please re-boot your computer manually.

Open Zemana again then do the following to get the latest report

Open Reports > select the report in question to highlight > select "Ctrl - A" keys together to highlight full report message > then "Ctrl - C" keys to copy to clipboard > then open notepad and select "edit" then "paste" to copy the report there, then save and attach to reply....

Thanks,
Kevin..

Edited July 5, 2020 by kevinf80

emar Posted July 5, 2020 Author ID:1392238

There's no fixlist in the reply

kevinf80 Posted July 5, 2020 ID:1392239

Apologies.... will attach shortly. Not sure what happened but I've lost the file....

Edited July 5, 2020 by kevinf80

kevinf80 Posted July 5, 2020 ID:1392240

Hello emar,

Fix is attached now....

Thanks,
Kevin..

fixlist.txt

emar Posted July 5, 2020 Author ID:1392249

Here 😀

20200705_Zemana_Report.txt
Fixlog.txt

kevinf80 Posted July 5, 2020 ID:1392262

Hello emar,

How does your PC respond now, any issues or concerns...?

Thank you,
Kevin

Edited July 5, 2020 by kevinf80 (typo)

emar Posted July 5, 2020 Author ID:1392264

Way better now, the only issue is that win def history still crashes

kevinf80 Posted July 5, 2020 ID:1392265

Can you zip and attach minidump folder for me to see "C:\Windows\minidump"? You will possibly have to copy the folder to your desktop before compressing. I doubt you will be allowed in default directory..

Did you note any error codes as system crashed..?

emar Posted July 5, 2020 Author ID:1392267

No error, it just closes. Btw the folder is down here but it is empty.

minidump.zip

kevinf80 Posted July 5, 2020 ID:1392270

That's unfortunate, no dump files to check....

What exactly happens when the crash occurs, what are you doing? You say "Win Def", are you referring to windows updates...?

emar Posted July 5, 2020 Author ID:1392272

I mean Windows Defender, the built-in antivirus. When I open it and I press on the protection history it shows me that it found the malware in the object (now it also says that the threat was eliminated), but after a few seconds the antivirus window shuts down.

kevinf80 Posted July 5, 2020 ID:1392282

Ok, I understand. Try this please:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.

FRST will force a reboot, see if Windows Defender now works correctly..

fixlist.txt

emar Posted July 5, 2020 Author ID:1392292

Still crashing... I put the fixlog down here. Btw some files (delftbase.jfm and delftbase.sdb) appeared.

Fixlog.txt

kevinf80 Posted July 5, 2020 ID:1392299

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.

fixlist.txt

emar Posted July 6, 2020 Author ID:1392374

Here. Can I delete those files .jfm and .sdb?

Fixlog.txt

kevinf80 Posted July 6, 2020 ID:1392382

Hiya emar,

Yes you can delete those files you quote, continue:

Open an elevated command prompt, at the prompt type or copy/paste the following commands. Hit enter key after each command:

CMD: RD /S /Q "%WinDir%\System32\GroupPolicy"
CMD: gpupdate /force
exit

When those commands are completed reboot your system, does that make any difference with Windows Defender...

Thank you,
Kevin.
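
The reset in the post above deletes the local Group Policy store without leaving a record of what it contained. The following is an added example, not part of the original thread or of any tool used in it: a review script that prints any AutoConfigURL value (the setting mentioned earlier in the thread) and lists and backs up the policy files before they are removed. It assumes an elevated PowerShell session; the backup folder name is made up for illustration.

```powershell
# Added example: review and back up local policy before the reset commands are run.
# Registry paths are the standard Windows locations; the backup folder name is an assumption.
$gpDir   = Join-Path $env:WinDir 'System32\GroupPolicy'
$desktop = [Environment]::GetFolderPath('Desktop')
$backup  = Join-Path $desktop ("GroupPolicy-backup-{0:yyyyMMdd-HHmmss}" -f (Get-Date))

# 1. Report every proxy auto-config (AutoConfigURL) value, user-set and policy-enforced.
$proxyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
)
$findings = foreach ($key in $proxyKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -ne $props -and $props.PSObject.Properties['AutoConfigURL']) {
        [pscustomobject]@{ Key = $key; AutoConfigURL = $props.AutoConfigURL }
    }
}
if ($findings) { $findings | Format-List } else { 'No AutoConfigURL value is set.' }

# 2. List the local policy files that RD /S /Q would delete, with hashes for the record.
if (Test-Path $gpDir) {
    Get-ChildItem -Path $gpDir -Recurse -File -Force |
        Select-Object FullName, Length, LastWriteTime,
            @{ Name = 'SHA256'; Expression = { (Get-FileHash $_.FullName -Algorithm SHA256).Hash } } |
        Format-Table -AutoSize -Wrap

    # 3. Keep a copy so the policy can be examined or restored later.
    Copy-Item -Path $gpDir -Destination $backup -Recurse -Force
    "Backup written to $backup"
} else {
    "$gpDir does not exist; there is no local policy to reset."
}
```

The script only reads the registry and copies files; it does not change any setting.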