Suspicious program in startup files that changes its name


This is an issue I've been having for a few days now. There's a peculiar program in my startup applications that changes its name from -silent to jumbled characters, and occasionally just disappears entirely. It hasn't done any harm to my system, but I'd like to find the source and remove it from the system entirely.

It isn't detected by Malwarebytes, Anti-Rootkit, AdwCleaner, Task Manager, or Autoruns. If someone could help me with this, it would be greatly appreciated.

weird file 2.png

weird file.png

malware log.txt FRST.txt Addition.txt


Hello @TheMobile

I'm not seeing any obvious infection. Your system is experiencing some program-crashing issues.

Let's try the following cleanup and see if it helps or not.

 

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE: It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real time antivirus or security software before running this script. Once completed make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

You mean the one in the red box, correct?


Create an Autoruns Log:

  • Please download Sysinternals Autoruns from here.
  • Save Autoruns.exe to your desktop and double-click it to run it.
  • Once it starts, please press the Esc key on your keyboard.
  • Now that scanning is stopped, click on the Options button at the top of the program and select Verify Code Signatures and Check VirusTotal.com and Submit Unknown Images
  • Once that's done press the F5 key on your keyboard, this will start the scan again, this time let it finish.
  • When it's finished, please click on the File button at the top of the program and select Save and save the Autoruns.arn file to your desktop and close Autoruns.
  • Right-click on the Autoruns.arn file on your desktop and hover your mouse over Send To and select Compressed (zipped) Folder
  • Attach the Autoruns.zip folder you just created to your next reply


Thanks


It does not look like it is a direct auto-start item. It may be a dynamic launch from another dll or application once the computer does start.

Let's go ahead though and run some other scans to make sure we're not dealing with some sort of new infection. Of course it could simply be some odd caching in the Windows App for Startups too. Many of the Apps seem to have quirks in them.

 

Scanner 1

Please download and run the following Kaspersky antivirus scanner to remove any found threats

Kaspersky Virus Removal Tool

Let me know if it finds anything or not.

 

Scanner 2

Let me have you run a different scanner to double-check. I don't expect it to find anything, but no harm in checking.

I would suggest a free scan with the ESET Online Scanner

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe"
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started. 
  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes 
  • When prompted for scan type, Click on Full scan 
  • Look at & tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.
  • Have patience. The entire process may take an hour or more. There is an initial update download.
  • There is a progress window display.
  • You should ignore all prompts to get the ESET antivirus software program (e.g. their standard program). You do not need to buy or get or install anything else.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked “View detected results”.
  • Click the blue “Save scan log” to save the log.
  • If something was removed and you know it is a false finding, you may click on the blue “Restore cleaned files” (in blue, at bottom).
  • Press Continue when all done. You should click to turn off the offer for “periodic scanning”.

 

Thanks

In the top left, type in "silent" and see if it comes back with anything.

Try clicking on the left "Apps & features" and see if you can locate it in that list and if there are any options

Try the following

How to Reset and Rebuild Search Index in Windows 10
https://www.tenforums.com/tutorials/58569-rebuild-search-index-windows-10-a.html


I'm not really sure exactly how Microsoft builds that list in Windows 10

Autoruns is the best known program out there for finding auto-start entries and aside from that one oddball which you've removed I'm not seeing it listed either.

Please go ahead and restart the computer one more time. Then run FRST again and post back both new logs again and I'll take another look.

If you start into Safe Mode does it still show up?

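What follows is an added example, not code from this thread or from any of the tools it names. It is a read-only PowerShell inventory of the standard Windows auto-start locations (the Run/RunOnce keys, the per-user and all-users Startup folders, and the StartupApproved keys that store the on/off toggle shown in Settings and Task Manager), with the executable behind each entry checked for an Authenticode signature. Two assumptions, neither stated in the thread: that the Settings "Startup apps" list is built from these same locations, and that the first byte of each StartupApproved value is the enable flag (0x02 enabled, 0x03 disabled is what is commonly observed). A name that exists only under StartupApproved, with no Run value or shortcut behind it, is the kind of stale entry that an oddly named item which Autoruns cannot see would most likely be.

```powershell
# Added example, not part of the forum thread or of FRST/Autoruns/Malwarebytes.
# Read-only inventory of common Windows auto-start locations; it changes nothing.
# Run from an elevated PowerShell so the HKLM keys are readable.
# ASSUMPTION: the Settings "Startup apps" page draws on these Run keys and
# Startup folders, with its on/off state kept under the StartupApproved keys.

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$ApprovedKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\StartupFolder',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32'
)
$StartupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)
# Properties Get-ItemProperty adds that are not real registry values.
$MetaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# Pull the executable out of a command line such as
#   "C:\Program Files\Foo\foo.exe" -silent     or     C:\Tools\bar.exe /quiet
function Get-ExecutablePath([string]$CommandLine) {
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($CommandLine -match '^\s*(\S+)')     { return $Matches[1] }
    return $null
}

# Report whether the file exists and carries a valid Authenticode signature.
function Get-SignerStatus([string]$Path) {
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return 'file missing' }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -eq 'Valid') { return "signed: $($sig.SignerCertificate.Subject)" }
    return "unsigned/$($sig.Status)"
}

# Live entries: Run/RunOnce values plus files (and resolved .lnk targets) in the Startup folders.
function Get-StartupEntries {
    $entries = @()
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -in $MetaProps) { continue }
            $exe = Get-ExecutablePath $p.Value
            $entries += [pscustomobject]@{
                Source = $key; Name = $p.Name; Command = $p.Value; Signer = (Get-SignerStatus $exe)
            }
        }
    }
    $shell = New-Object -ComObject WScript.Shell
    foreach ($folder in $StartupFolders) {
        if (-not (Test-Path $folder)) { continue }
        foreach ($f in Get-ChildItem -Path $folder -File -Force) {
            $target = if ($f.Extension -eq '.lnk') { $shell.CreateShortcut($f.FullName).TargetPath } else { $f.FullName }
            $entries += [pscustomobject]@{
                Source = $folder; Name = $f.Name; Command = $target; Signer = (Get-SignerStatus $target)
            }
        }
    }
    return $entries
}

# StartupApproved keeps one binary value per entry. ASSUMPTION (observed, not documented):
# the first byte is the toggle, 0x02 = enabled, 0x03 = disabled.
function Get-StartupApprovedState {
    foreach ($key in $ApprovedKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -in $MetaProps) { continue }
            [pscustomobject]@{ Source = $key; Name = $p.Name; Flag = ('0x{0:X2}' -f [int]$p.Value[0]) }
        }
    }
}

$live = Get-StartupEntries
"Live auto-start entries:"
$live | Format-Table -AutoSize

# Names that survive only in StartupApproved, with no Run value or shortcut behind them.
"Entries present only in StartupApproved (candidate stale or orphaned items):"
Get-StartupApprovedState | Where-Object { $_.Name -notin $live.Name } | Format-Table -AutoSize
```

Reading the two tables side by side gives the answer the thread was after: an entry with a matching Run value or shortcut can be traced to its file and its signer, while a name that appears only in the second table has nothing on disk or in Run behind it and can be compared against what the Settings page displays. Scheduled tasks and services are deliberately left out here; Autoruns already covers those, and the thread reports it found nothing there.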

Hello @TheMobile

I'm sorry but I don't know what is actually causing this. The other tools are not seeing it.

Autoruns
FRST
Malwarebytes Anti Rootkit (MBAR)
Malwarebytes 4
ESET Antivirus
Kaspersky Antivirus

 

Let's go ahead and try a couple of other scanning tools

 

Please perform a Windows Defender Offline scan and post back the results

Windows Defender Offline is a powerful offline scanning tool that runs from a trusted environment, without starting your operating system.
This topic describes using Windows Defender Offline in Windows 10, Windows 8.1, and Windows 7.

Using Windows Defender Offline on Windows 10

  1. Select Start, and then select Settings > Update & Security > Windows Security > Virus & threat protection.
  2. On the Virus & threat protection screen, do one of the following:
    • In the current version of Windows 10: Under Current threats, select Scan options.
    • In previous versions of Windows: Under Threat history, select Run a new advanced scan.
  3. Select Windows Defender Offline scan, and then select Scan now.

 

Where can I find scan results?

 

To see the Windows Defender Offline scan results:

  1. Select Start, and then select Settings > Update & Security > Windows Security > Virus & threat protection.
  2. On the Virus & threat protection screen, do one of the following:
    • In the current version of Windows 10: Under Current threats, select Scan options, and then select Threat history.
    • In previous versions of Windows: Select Threat history.


Next, let me have you run the following

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system.

The download links & the how-to-run-the tool are at this link at Microsoft

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

Please let me know the results of this scan.

The log is named MSERT.log.

The log will be at %SYSTEMROOT%\debug\msert.log, which in most cases is

C:\Windows\debug\msert.log

Please attach that log with your next reply.


What about the other offline scan? Though I doubt it found anything either. The computer shows no signs of being infected.

You might try contacting Microsoft Support but I doubt they'd find anything either but no harm in trying.

At this time I'm sorry, I don't know what is causing it, it could simply be some type of corruption.

Probably the fastest way to deal with this would be to back up your data to an external source. Format the drive and reinstall Windows.

The complexity of finding, preventing, and cleanup from malware

2 weeks later...

Okay then. Thanks for the status update. I will go ahead then and close your topic.

Best wishes and stay safe out there. If there is something else we can assist you with please let us know. Sorry I was not able to determine the root cause.

This topic is now closed to further replies.