emar

Trojan:PowerShell/Mountsi.A!ml


"It's impossible to find the file" after the first cmd. I thought it was because my PC language was Italian, but changing the system language doesn't change anything either.


It is the message that comes out when I put the command in the prompt.


Is the command prompt elevated (running as Administrator)?


PS C:\Windows\system32> RD /S /Q "%WinDir%\System32\GroupPolicy"
Remove-Item : A positional parameter cannot be found that accepts argument '/Q'.
At line:1 char:1
+ RD /S /Q "%WinDir%\System32\GroupPolicy"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Remove-Item], ParameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.PowerShell.Commands.RemoveItemCommand


You've run it through PowerShell, not Command Prompt...

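Why the line fails, shown as an added example that is not from the thread: in PowerShell `RD` is an alias for Remove-Item, which does not accept the cmd-style `/S /Q` switches, and `%WinDir%` is cmd syntax that PowerShell does not expand. The script below first checks that the session is elevated (the question asked two posts up), then expresses the same deletion in PowerShell terms with -WhatIf so nothing is removed until the listing has been checked. The target path is the one in the poster's command; everything else is my own wording.

```powershell
# Added example (not from the thread): the cmd.exe line from the post, done the
# way PowerShell expects it. "RD /S /Q" is cmd syntax; in PowerShell RD is an
# alias for Remove-Item, which does not understand /S or /Q, and %WinDir% is
# not expanded (PowerShell reads the same variable as $env:WinDir).

# 1. Confirm the session is elevated (an Administrator token in the current process).
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $elevated) {
    Write-Warning 'Not elevated: start PowerShell with "Run as administrator" first.'
    return
}

# 2. Build the path with the PowerShell environment-variable syntax.
$target = Join-Path $env:WinDir 'System32\GroupPolicy'

# 3. Show what the command would do before doing it. -WhatIf lists the items
#    that would be deleted without deleting anything.
if (Test-Path -LiteralPath $target) {
    Remove-Item -LiteralPath $target -Recurse -Force -WhatIf
    # Remove the -WhatIf once the listing looks right:
    # Remove-Item -LiteralPath $target -Recurse -Force
} else {
    Write-Output "Nothing to remove: $target does not exist."
}

# Alternative: run the original cmd line unchanged by handing it to cmd.exe,
# which expands %WinDir% and understands /S /Q.
# cmd.exe /c 'RD /S /Q "%WinDir%\System32\GroupPolicy"'
```

The elevation check matters because Remove-Item on a System32 subfolder fails with "Access denied" from an unelevated window, which looks like a different error from the parameter-binding one above but has the same root cause: the instructions were written for an elevated cmd.exe window.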

Hiya emar,

I just checked your first FRST log: you have Windows 10 Home edition, and unfortunately you need a minimum of the Professional version of Windows to access Group Policy. At least we know why the commands do not work.

Also from the secondary FRST log we can see that Windows Defender is active and up to date...

AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

Is it possible that you could post a screen shot of what exactly happens with Defender when it crashes or closes...

Also can you open hidden icons on Taskbar, does Windows Defender show as healthy "Green" tick or unhealthy "Red" tick..

Thanks,

Kevin..

WD.JPG

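The health check Kevin is asking for, as an added example that is not from the thread: the Defender module that ships with Windows 10 exposes the same state the taskbar tick reflects, and the report history that the Security app is loading when it closes can be read through a cmdlet instead of the GUI. Run from an elevated PowerShell window; the service names are the real ones (WinDefend is the Windows Defender Antivirus service, wscsvc is Security Center, WdNisSvc is the network inspection service).

```powershell
# Added example (not from the thread): the checks behind the "green tick"
# question, from an elevated PowerShell window.

# Services that Windows Defender and Security Center depend on. A Stopped or
# Disabled entry here is what would make the taskbar icon go red.
Get-Service -Name WinDefend, wscsvc, WdNisSvc -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType |
    Format-Table -AutoSize

# Real-time protection, engine and signature state, as Defender itself reports it.
$status = Get-MpComputerStatus
$status |
    Select-Object AMServiceEnabled, AntivirusEnabled, RealTimeProtectionEnabled,
                  AntivirusSignatureLastUpdated, AMEngineVersion, AntivirusSignatureVersion |
    Format-List

# The detection history the poster could not open in the Security app: the same
# data, read through the cmdlet instead of the GUI. If this call returns cleanly,
# the history store itself is readable and the crash is in the app, not the data.
Get-MpThreatDetection |
    Select-Object InitialDetectionTime, ThreatID, ProcessName, Resources |
    Sort-Object InitialDetectionTime -Descending
```

If Get-MpComputerStatus itself errors out, that is a stronger sign of a damaged Defender installation than the Security app closing, because the cmdlet talks to the service directly.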

I see that Windows Defender shows as healthy; the rest of the video I cannot translate, so I am really lost. Can you translate?

 


At the end I open the Windows Defender report history and, after loading the past threats, as you can see it shuts down out of the blue.


Hello emar,

That is odd for sure, I've never heard of or come across it myself, so I am not sure why it happens. I believe your system is now clean, so do not put this down to malware or infection.

Please download VEW by Vino Rosso from HERE and save it to your Desktop.
 
  • Double-click VEW.exe to start; Vista and Windows 7/8/10 users right-click and select "Run as Administrator".
  • Under 'Select log to query...' check the boxes for both Application and System.
  • Under 'Select type to list...' select both Error and Critical.
  • Click the radio button for 'Number of events...' and type 15 in the 1 to 20 box.
  • Then click the Run button.
  • Notepad will open with the output log. It will take a couple of minutes to generate the log, please be patient.



Please post the Output log in your next reply.

Thanks,

Kevin


Thanks for that log emar, unfortunately we are still no further forward. All of those entries for Application and System errors are related to a Smart Audio service. Let's run some maintenance checks..

Open an elevated Command Prompt (Admin)

Accept UAC alert if prompted...

At the Command prompt, type or copy/paste

CHKDSK /R

hit the Enter key.

You will get a message that the drive cannot be locked, but that the command can be scheduled to run at the next boot - hit the Y key, press Enter, and then reboot.

The CHKDSK may take a few hours depending on the size of the drive, so be patient!

After the CHKDSK has run use the following instructions to find the log:

Check Disk report:
 
  • Press the WindowsKey + R on your keyboard at the same time. Type eventvwr into the run box and click OK.
  • In the left panel, expand Windows Logs and then click on Application.
  • Now, on the right side, click on Filter Current Log.
  • Under Event Sources, (expand the drop down arrow) check only Wininit and click OK.
  • You may be presented with one or multiple Wininit logs.
  • Click on an entry corresponding to the date and time of the disk check.
  • On the top main menu, click Action > Copy > Copy Details as Text.
  • Paste the contents into your next reply.

Thanks,

Kevin..

Edited by kevinf80

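The two Event Viewer tasks in this thread, the VEW query (Error and Critical events from Application and System, last 15 entries) and the Wininit 1001 lookup for the CHKDSK report, as one added example in PowerShell that is not from the thread. Get-WinEvent's -FilterHashtable applies the filter in the event log service rather than after the fact, so it is quicker than opening Event Viewer and filtering by hand. The regex that picks out the verdict lines assumes an English-language CHKDSK message; on an Italian system the full $chk.Message is what to read.

```powershell
# Added example (not from the thread): the VEW query and the CHKDSK report
# lookup, done with Get-WinEvent from an elevated PowerShell window.
# Event levels: 1 = Critical, 2 = Error.

# Part 1: the VEW-style query (newest first, 15 entries across both logs).
$recent = Get-WinEvent -FilterHashtable @{
    LogName = 'Application', 'System'
    Level   = 1, 2
} -MaxEvents 15 -ErrorAction SilentlyContinue

$recent |
    Select-Object TimeCreated, LogName, ProviderName, Id,
                  @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize -Wrap

# Part 2: the CHKDSK result. After a scheduled CHKDSK, Wininit writes the full
# report to the Application log as event 1001 (the record the poster pasted in
# the next reply). Filtering in the query beats scrolling in Event Viewer.
$chk = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-Wininit'
    Id           = 1001
} -MaxEvents 1 -ErrorAction SilentlyContinue

if ($null -eq $chk) {
    Write-Output 'No Wininit 1001 event found: CHKDSK has not run at boot since the log was last cleared.'
} else {
    Write-Output ("CHKDSK ran at {0}" -f $chk.TimeCreated)
    # The lines that matter: the verdict and the bad-sector count
    # (patterns match the English message text).
    $chk.Message -split "`r?`n" |
        Where-Object { $_ -match 'bad sectors|further action|found (no )?problems|corrupt' }
    # Full report, as Event Viewer shows it:
    # $chk.Message
}
```

The same hashtable form also answers the question the thread never gets to, whether Defender itself logged anything at the time the app closed: swap in LogName = 'Microsoft-Windows-Windows Defender/Operational' and drop the ProviderName and Id keys.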

Log Name:      Application
Source:        Microsoft-Windows-Wininit
Date:          07/07/2020 13:07:05
Event ID:      1001
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      LAPTOP-8M2DQ3E1
Description:


Checking file system on C:
The type of the file system is NTFS.
Volume label is Windows-SSD.

A disk check has been scheduled.
Windows will now check the disk.

Stage 1: Examining basic file system structure ...
  1532416 file records processed.

File verification completed.
  12271 large file records processed.

  0 bad file records processed.


Stage 2: Examining file name linkage ...
  1038 reparse records processed.

  1865578 index entries processed.

Index verification completed.
  0 unindexed files scanned.

  0 unindexed files recovered to lost and found.

  1038 reparse records processed.


Stage 3: Examining security descriptors ...
Cleaning up 3157 unused index entries from index $SII of file 0x9.
Cleaning up 3157 unused index entries from index $SDH of file 0x9.
Cleaning up 3157 unused security descriptors.
Security descriptor verification completed.
  166582 data files processed.

CHKDSK is verifying Usn Journal...
  41626264 USN bytes processed.

Usn Journal verification completed.

Stage 4: Looking for bad clusters in user file data ...
  1532400 files processed.

File data verification completed.

Stage 5: Looking for bad, free clusters ...
  79448658 free clusters processed.

Free space verification is complete.

Windows has scanned the file system and found no problems.
No further action is required.

 498799615 KB total disk space.
 178756128 KB in 1202063 files.
    589096 KB in 166583 indexes.
         0 KB in bad sectors.
   1659755 KB in use by the system.
     65536 KB occupied by the log file.
 317794636 KB available on disk.

      4096 bytes in each allocation unit.
 124699903 total allocation units on disk.
  79448659 allocation units available on disk.

Internal Info:
00 62 17 00 50 e2 14 00 20 e2 24 00 00 00 00 00  .b..P... .$.....
55 03 00 00 b9 00 00 00 00 00 00 00 00 00 00 00  U...............

Windows has finished checking your disk.
Please wait while your computer restarts.

XML evento:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Wininit" Guid="{206f6dea-d3c5-4d10-bc72-989f03c8b84b}" EventSourceName="Wininit" />
    <EventID Qualifiers="16384">1001</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2020-07-07T11:07:05.306576700Z" />
    <EventRecordID>70481</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>Application</Channel>
    <Computer>LAPTOP-8M2DQ3E1</Computer>
    <Security />
  </System>
  <EventData>
    <Data>
</Data>
  </EventData>
</Event>


Hiya emar,

Thanks for that log, continue:

Open an elevated Command Prompt (Admin)

At the Command prompt, type or copy/paste

SFC /SCANNOW

hit the Enter key

Wait for the scan to finish - make a note of any error messages - and then reboot.

Copy the CBS.log file created (C:\Windows\Logs\CBS\CBS.log) to your desktop (you can't manipulate it directly) and then compress the copy and upload the zip file to your reply.
 
Thanks,
 
Kevin..

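Running the scan and reading its result, as an added example that is not from the thread: SFC tags its own entries in CBS.log with [SR], so filtering on that tag (the same approach Microsoft's SFC documentation takes with findstr) shows the repair outcome without wading through the rest of the servicing log. The Desktop paths and the CBS.zip name are my choices; the copy step is there because, as the post says, the live CBS.log cannot be handled directly.

```powershell
# Added example (not from the thread): run SFC and pull the useful lines out of
# CBS.log, then produce the zipped copy the forum asks for. Elevated PowerShell window.

# 1. Run the scan. Output goes to the console as usual.
sfc /scannow

# 2. CBS.log is held open by the servicing stack; copy it before reading or zipping.
$desktop = [Environment]::GetFolderPath('Desktop')
$cbs     = Join-Path $env:WinDir 'Logs\CBS\CBS.log'
$copy    = Join-Path $desktop 'CBS.log'
Copy-Item -LiteralPath $cbs -Destination $copy -Force

# 3. SFC tags its own entries with [SR]. Keep only those, then keep the ones that
#    report corruption or a repair (successful or not); the rest is the routine
#    "Verifying N components" progress noise.
$sr = Select-String -LiteralPath $copy -Pattern '\[SR\]' | ForEach-Object Line
$interesting = $sr | Where-Object { $_ -match 'Cannot repair|Repairing|corrupt|Could not reproject' }

Write-Output "[SR] lines total: $($sr.Count); needing attention: $($interesting.Count)"
$interesting | Select-Object -Last 50

# 4. What the forum asked for: the full copy, zipped, on the Desktop.
Compress-Archive -LiteralPath $copy -DestinationPath (Join-Path $desktop 'CBS.zip') -Force
```

A log whose [SR] lines contain no "Cannot repair" entries is consistent with the "did not find any integrity violations" or "successfully repaired" console messages; "Cannot repair member file" lines are the ones worth quoting when posting back.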

Still the same! Could it simply be an update fault?


hiya emar,

I suppose it could be an update fault, or possibly registry damage from the infection. If we cannot find a fix then the only option left would be to "refresh" Windows 10. Refresh does save all personal files and folders, music, vids, pictures etc.. Unfortunately any software installed after the original Windows install would be lost and require installing again..

Before that I've attached two zipped Registry files to the reply, WinDefend.zip and wscsvc.zip. Download and unzip those files to your Desktop so you then have WinDefend.reg and wscsvc.reg.

Right-click on each file in turn and select Merge, agreeing to any prompts. When both files have been merged, reboot your system and recheck Defender to see if there is any change...

Thank you,

Kevin

 

WinDefend.zip wscsvc.zip

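Merging a .reg file rewrites whatever keys it names with no further prompt, so before doing it a practitioner would read the file, back up the keys it touches and compare the values it sets with what is there now. As an added example that is not from the thread, and because the attachments themselves are not on the page, the script writes a constructed stand-in WinDefend.reg (setting only Start and ErrorControl under the WinDefend service key) if no file of that name exists on the Desktop; the key and value names in that stand-in are my assumption about what such a file contains, not the contents of Kevin's attachment.

```powershell
# Added example (not from the thread): inspect a .reg file, back up the keys it
# names, and show the current values before merging. Elevated PowerShell window.

$desktop = [Environment]::GetFolderPath('Desktop')
$regFile = Join-Path $desktop 'WinDefend.reg'

# Constructed stand-in so the script runs offline; the real attachment replaces it.
# Key and value names are assumptions, not the attachment's contents.
$sample = @'
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend]
"Start"=dword:00000002
"ErrorControl"=dword:00000001
'@
if (-not (Test-Path -LiteralPath $regFile)) {
    Set-Content -LiteralPath $regFile -Value $sample -Encoding Unicode   # .reg files are UTF-16LE
}

# 1. Every key the file touches. A leading "-" inside the brackets means "delete this key".
$lines = Get-Content -LiteralPath $regFile
$keys  = foreach ($line in $lines) {
    if ($line -match '^\[(-?)(HKEY_[^\]]+)\]$') {
        [pscustomobject]@{ Delete = ($Matches[1] -eq '-'); Key = $Matches[2] }
    }
}

# 2. For each key: export a backup with reg.exe, then show the values that matter
#    for a service (Start: 2 = Automatic, 3 = Manual, 4 = Disabled; ImagePath: the binary).
foreach ($k in $keys) {
    $psPath = $k.Key -replace '^HKEY_LOCAL_MACHINE', 'HKLM:' -replace '^HKEY_CURRENT_USER', 'HKCU:'
    $backup = Join-Path $desktop (($k.Key -replace '[\\:]', '_') + '.bak.reg')

    if ($k.Delete) { Write-Warning "$($k.Key) would be DELETED by this file" }

    if (Test-Path -LiteralPath $psPath) {
        reg.exe export $k.Key $backup /y | Out-Null
        $current = Get-ItemProperty -LiteralPath $psPath
        Write-Output "$($k.Key): current Start=$($current.Start) ImagePath=$($current.ImagePath)"
        Write-Output "  backup written to $backup"
    } else {
        Write-Output "$($k.Key) does not exist yet (the file would create it)"
    }
}

# 3. The values the file sets, to compare by eye with the output above.
$lines | Where-Object { $_ -match '^"' }

# After checking, merge with: reg.exe import $regFile   (or right-click > Merge)
```

The ImagePath line is the one to look at hardest: a service-key .reg from an untrusted source that changes ImagePath is a persistence mechanism, not a repair, and the backup makes the merge reversible if the values turn out to be wrong for this build.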

wscsvc merged correctly, WinDefend gives me an error! I think I'll reinstall Windows in the following days. Do you think it would be better to install another antivirus for the moment, until I reinstall Windows, in case Windows Defender is damaged?

Anyway thanks for your time!


Hiya emar,

I do not believe Windows Defender is actually damaged; it has a green tick on the taskbar icon. If it was not working then you would know for sure, as Security Center would give an alert...

I would just refresh your system; it is easier/quicker than a full reinstall...

https://www.tenforums.com/tutorials/4090-refresh-windows-10-a.html

Regards,

Kevin


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you

 

 
