leopoldisio (Posted November 4, 2020)

Hi all

First of all, sorry for my English. I had an infection with VirTool:MSIL/Lore.AD!MTB and VirTool:Win32/DefenderTamperingRestore two days ago. My PC was infected and Windows Security Services were disabled forever. That was possible due to installing a program on 2/11 at 19:41 (exactly, Aiseesoft Screen Recorder). Seeing that Windows Defender wasn't working and my CPU was working at 100%, I checked my PC with Malwarebytes, which detected the virus and sent it to quarantine. With Windows Security disabled I installed Kaspersky Total Security, but I don't know:
1. How much did the virus damage my PC?
2. Did it steal my PDF files?
3. Is it still at risk?
4. Can I revive my Windows Security Services?
I am going to upload the Addition and FRST files (I don't know if I need to translate any part). I would appreciate any help.
Regards

Attachments: Addition_04-11-2020 15.08.49.txt, FRST_04-11-2020 15.08.49.txt
AdvancedSetup (Root Admin, Posted November 4, 2020)

Hello @leopoldisio

This may simply be a false positive or heuristic detection from Windows Defender. The logs don't indicate an obvious infection, a few general PC issues possibly.

Please open Kaspersky and check for updates. Then do a full system scan and see if it detects anything and let me know.
leopoldisio (Author, Posted November 5, 2020)

50 minutes ago, AdvancedSetup said:
  Hello @leopoldisio This may simply be a false positive or heuristic detection from Windows Defender. The logs don't indicate an obvious infection, a few general PC issues possibly. Please open Kaspersky and check for updates. Then do a full system scan and see if it detects anything and let me know.

Hello AdvancedSetup. Thanks for the reply.

Kaspersky didn't detect anything. About "false positive":
- Windows Defender detected it.
- Malwarebytes detected it and sent it to quarantine.
- Since my security system was destroyed, I installed the Kaspersky trial version (Kaspersky made me delete Malwarebytes).
- Kaspersky detected the virus in the rar as well.
- The malware/virus created folders (C:\ProgramData\49QQIeD\nmhost.exe) and created entries in the registry.
- And it destroyed my security system (captures attached). *The wscsvc capture is not my own, but it is exactly the same.

So, can I revive my Windows Security System?
AdvancedSetup (Root Admin, Posted November 5, 2020)

Okay, please disable Kaspersky and run the following. Please run the following steps and post back the logs as an attachment when ready.

Temporarily disable your antivirus or other security software first. Make sure to turn it back on once the scans are completed.
Temporarily disable Microsoft SmartScreen to download the software below if needed. Make sure to turn it back on once the scans are completed.
If you still have trouble downloading the software please click on Reveal Hidden Contents below for examples of how to allow the download.
  (Hidden contents) When downloading with some browsers you may see a different style of screens that may block FRST from downloading. The program is safe and used hundreds of times a week by many users.
  [Image: Example of Microsoft Edge blocking the download]

STEP 01
If you already have Malwarebytes installed then open Malwarebytes and click on the Scan button. It will automatically check for updates and run a Threat Scan.
If you don't have Malwarebytes installed yet please download it from here and install it. Once installed then open Malwarebytes and select Scan and let it run.
Once the scan is completed make sure you have it quarantine any detections it finds.
If no detections were found, click on the Save results drop-down, then the Export to TXT button, and save the file as a text file to your desktop or another location you can find, and attach that log in your next reply.
If there were detections, then once the quarantine has completed click on the View report button, then click the Export drop-down, then the Export to TXT button, and save the file as a text file to your desktop or another location you can find, and attach that log in your next reply.
If the computer restarted to quarantine, you can access the logs from the Detection History, then the History tab. Highlight the most recent scan and double-click to open it. Then click the Export drop-down, then the Export to TXT button, and save the file as a text file to your desktop or another location you can find, and attach that log in your next reply.
If Malwarebytes won't run then please skip to the next step and let me know in your next reply that the scanner would not run.

STEP 02
Please download AdwCleaner by Malwarebytes and save the file to your Desktop.
- Double-click to run the program.
- Accept the End User License Agreement.
- Wait until the database is updated.
- Click Scan Now.
- When finished, if items are found please click Quarantine.
- Your PC should reboot now if any items were found.
- After reboot, a log file will be opened. Attach or copy its content into your next reply.

RESTART THE COMPUTER before running Step 3.

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.
Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit.
- Double-click to run it. When the tool opens, click Yes to the disclaimer.
- Press the Scan button.
- It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
- The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here each time. Please attach the Additions.txt log to your reply as well.
On your next reply, you should be attaching frst.txt and additions.txt to your post, every time.

Thanks
leopoldisio (Author, Posted November 5, 2020)

Attached. Thanks.

Attachments: Mallwarebytes.txt, AdwCleaner[C03].txt, Addition_05-11-2020 02.40.46.txt, FRST_05-11-2020 02.40.46.txt
AdvancedSetup (Root Admin, Posted November 5, 2020)

Can you please post back the original protection or scan log showing what Malwarebytes found and removed?
leopoldisio (Author, Posted November 5, 2020)

6 minutes ago, AdvancedSetup said:
  Can you please post back the original protection or scan log showing what Malwarebytes found and removed

Like I told you, Kaspersky made me delete Malwarebytes, so I don't currently have that log.

From Kaspersky:
  Descripción del resultado : Eliminado (deleted)
  Tipo : troyano
  Nombre : Trojan.MSIL.Inject.acfka
  Precisión : Exacta
  Nivel de amenaza : Alta
  Tipo de objeto : Archivo
  Nombre de objeto : Aiseesoft.Screen.Recorder.30.09.exe
  Ruta de objeto : C:\Users\Jose\Desktop
  MD5 : BC289C7A250578828CF3A2EBB82A0FA1

From "Addition", Windows Defender:
  Windows Defender:
  ===================================
  Date: 2020-11-02 20:10:58.872
  Description: Antivirus de Windows Defender detectó malware u otro software potencialmente no deseado.
  Para más información, consulta lo siguiente: https://go.microsoft.com/fwlink/?linkid=37020&name=VirTool:MSIL/Lore.AD!MTB&threatid=2147742672&enterprise=0
  Nombre: VirTool:MSIL/Lore.AD!MTB
  Id.: 2147742672
  Gravedad: Grave
  Categoría: Herramienta
  Ruta de acceso: amsi:_C:\ProgramData\49QQIeD\nmhost.exe
  Origen de detección: Desconocido
  Tipo de detección: Concreto
  Origen de detección: Sistema
  Usuario: NT AUTHORITY\SYSTEM
  Nombre de proceso: Unknown
  Versión de inteligencia de seguridad: AV: 1.327.212.0, AS: 1.327.212.0, NIS: 0.0.0.0
  Versión de motor: AM: 1.1.17600.5, NIS: 0.0.0.0

  Date: 2020-11-02 20:10:58.871
  Description: Antivirus de Windows Defender detectó malware u otro software potencialmente no deseado.
  Para más información, consulta lo siguiente: https://go.microsoft.com/fwlink/?linkid=37020&name=VirTool:Win32/DefenderTamperingRestore&threatid=2147741622&enterprise=0
  Nombre: VirTool:Win32/DefenderTamperingRestore
  Id.: 2147741622
  Gravedad: Grave
  Categoría: Herramienta
  Ruta de acceso: regkeyvalue:_hklm\software\policies\microsoft\windows defender\real-time protection\\DisableBehaviorMonitoring
  Origen de detección: Desconocido
  Tipo de detección: Concreto
  Origen de detección: Sistema
  Usuario: NT AUTHORITY\SYSTEM
  Nombre de proceso: Unknown
  Versión de inteligencia de seguridad: AV: 1.327.212.0, AS: 1.327.212.0, NIS: 0.0.0.0
  Versión de motor: AM: 1.1.17600.5, NIS: 0.0.0.0

  Date: 2020-11-02 19:41:30.049
  Description: Antivirus de Windows Defender detectó malware u otro software potencialmente no deseado.
  Para más información, consulta lo siguiente: https://go.microsoft.com/fwlink/?linkid=37020&name=VirTool:MSIL/Lore.AD!MTB&threatid=2147742672&enterprise=0
  Nombre: VirTool:MSIL/Lore.AD!MTB
  Id.: 2147742672
  Gravedad: Grave
  Categoría: Herramienta
  Ruta de acceso: amsi:_C:\ProgramData\49QQIeD\nmhost.exe
  Origen de detección: Desconocido
  Tipo de detección: Concreto
  Origen de detección: AMSI
  Usuario: I7\Jose
  Nombre de proceso: C:\ProgramData\49QQIeD\nmhost.exe
  Versión de inteligencia de seguridad: AV: 1.327.207.0, AS: 1.327.207.0, NIS: 1.327.207.0
  Versión de motor: AM: 1.1.17600.5, NIS: 1.1.17600.5
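An added example, not from this thread or from Malwarebytes: a read-only PowerShell audit of the Defender policy values of the kind the VirTool:Win32/DefenderTamperingRestore entry above points at (the DisableBehaviorMonitoring value under the Real-Time Protection policy key), plus the state of the services behind Windows Security. The -Remediate switch and the value names other than DisableBehaviorMonitoring are assumptions of this example; run it in an elevated PowerShell.

```powershell
# Added example (not from the thread): audit the Windows Defender policy values
# that the DefenderTamperingRestore detection above points at, and the services
# Windows Security depends on. Read-only unless -Remediate (assumed switch) is given.
[CmdletBinding()]
param([switch]$Remediate)

# Group Policy locations whose values override the user's Defender settings.
$policyPaths = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'
)
# Value names that disable Defender components when set to 1 under those keys.
# DisableBehaviorMonitoring is the one in the log above; the rest are assumed here.
$watch = 'DisableAntiSpyware', 'DisableAntiVirus', 'DisableRealtimeMonitoring',
         'DisableBehaviorMonitoring', 'DisableOnAccessProtection',
         'DisableScanOnRealtimeEnable', 'DisableIOAVProtection'

$findings = @()
foreach ($path in $policyPaths) {
    if (-not (Test-Path $path)) { continue }          # no policy key at all: nothing set
    $props = Get-ItemProperty -Path $path
    foreach ($name in $watch) {
        $prop = $props.PSObject.Properties[$name]       # $null when the value is absent
        if ($null -ne $prop -and $prop.Value -eq 1) {
            $findings += [pscustomobject]@{ Path = $path; Name = $name; Value = $prop.Value }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'No Defender-disabling policy values found.'
} else {
    Write-Host 'Policy values that disable Defender components:'
    $findings | Format-Table -AutoSize
    if ($Remediate) {
        # Removing the value (not setting it to 0) returns control to the user setting.
        foreach ($f in $findings) {
            Remove-ItemProperty -Path $f.Path -Name $f.Name -ErrorAction Stop
            Write-Host "Removed $($f.Name) from $($f.Path)"
        }
    }
}

# Services behind Windows Security: WinDefend (engine), wscsvc (Security Center),
# SecurityHealthService (Windows Security app). A service left at StartType
# Disabled will not come back just because the policy values are gone.
Get-Service -Name WinDefend, wscsvc, SecurityHealthService -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType | Format-Table -AutoSize

# Defender's own view of its state, when the Defender PowerShell module is present.
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    Get-MpComputerStatus |
        Select-Object AMServiceEnabled, AntivirusEnabled, RealTimeProtectionEnabled,
                      BehaviorMonitorEnabled, IsTamperProtected | Format-List
}
```

Because the policy keys are written by the system and by malware alike, a value reported here on a home PC that is not domain-joined is worth treating as tampering rather than configuration.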
leopoldisio (Author, Posted November 5, 2020)

I think Malwarebytes detected it as this: https://blog.malwarebytes.com/detections/trojan-crypt/ But I am not sure...
AdvancedSetup (Root Admin, Posted November 5, 2020)

But nothing is being found now, and that is too generic. Please disable all security software temporarily and run the following.

Let me have you run a different scanner to double-check. I don't expect it to find anything, but no harm in checking.

I would suggest a free scan with the ESET Online Scanner.
- Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe It will start a download of "esetonlinescanner.exe".
- Save the file to your system, such as the Downloads folder, or else to the Desktop.
- Go to the saved file, and double-click it to get it started.
- When presented with the initial ESET options, click on "Computer Scan".
- Next, when prompted by Windows, allow it to start by clicking Yes.
- When prompted for scan type, click on Full scan.
- Look at and tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.
- Have patience. The entire process may take an hour or more. There is an initial update download. There is a progress window display.
- You should ignore all prompts to get the ESET antivirus software program (e.g. their standard program). You do not need to buy or get or install anything else.
- When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked "View detected results".
- Click the blue "Save scan log" to save the log.
- If something was removed and you know it is a false finding, you may click on the blue "Restore cleaned files" (in blue, at bottom).
- Press Continue when all done.
- You should click to off the offer for "periodic scanning".
leopoldisio (Author, Posted November 5, 2020)

Ok, I am going to scan with ESET.

P.S.: I know where that virus is. If you want to know it for any test, in VirusTotal for example, let me know.
leopoldisio (Author, Posted November 5, 2020)

4 positives, but unrelated (in my opinion).

Attachment: Eset.txt
AdvancedSetup (Root Admin, Posted November 5, 2020)

Well, the issue or concern is your current system. There are now multiple scanners that are no longer finding anything wrong with your computer. Where it came from or got on your computer I have no idea, but it appears to be gone now.

What is the link on VirusTotal for the file, just to verify?

Currently the computer would appear to be clean.
leopoldisio (Author, Posted November 5, 2020)

8 hours ago, AdvancedSetup said:
  Well the issue or concern is your current system. There are now multiple scanners that are no longer finding anything wrong with your computer. Where it came from or got on your computer I have no idea, but it appears to be gone now. What is the link on Virus Total for the file just to verify. Currently the computer would appear to be clean.

I know where the executable is. If you don't execute it, the antivirus won't detect it... I investigated, and each time you install the program a different virus is installed 🤢
AdvancedSetup (Root Admin, Posted November 5, 2020)

Can you please safely zip the file and attach it in a reply to me? Also give me the exact path where it's located.

Thanks
AdvancedSetup (Root Admin, Posted November 5, 2020)

I'm sorry, but we don't support piracy. This is an attempt by someone to try to trick users into installing their Trojan and packing it all inside a single compressed exe file. This is not a legit or valid file as no valid 40MB executable exists.

As for potential damage, we can attempt to repair the system, but please, for your own safety, discontinue visiting sites like this and downloading files. Please visit well-known download sites or original vendor sites.
leopoldisio (Author, Posted November 5, 2020)

100% agree. Could you delete my last post? I don't want problems about copyrights. Thanks.

Could we repair my system?
AdvancedSetup (Root Admin, Posted November 5, 2020)

Part of what the file does:
[Image]

Please download the attached fixlist.txt file and save it to the Desktop or the location where you ran FRST from.
NOTE: It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait. If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

NOTE-3: This fix will reset all network connections and reset the Firewall to default values. If you need any static information please save or export it before running this fix.

The following directories are emptied:
- Windows Temp
- Users Temp folders
- Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History
- Recently opened files cache
- Flash Player cache
- Java cache
- Steam HTML cache
- Explorer thumbnail and icon cache
- BITS transfer queue (qmgr*.dat files)
- Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

Attachment: fixlist.txt

Thanks
leopoldisio (Author, Posted November 6, 2020)

Thanks. I did it, but I continue with the same problem 🤒
AdvancedSetup (Root Admin, Posted November 6, 2020)

We're not done, but you need to post back the fixlog.txt file please @leopoldisio
leopoldisio (Author, Posted November 6, 2020)

18 minutes ago, AdvancedSetup said:
  We're not done, but you need to post back the fixlog.txt file please @leopoldisio

Sorry, I forgot it. If you need any translation let me know. Thanks.

Attachment: Fixlog_06-11-2020 03.16.37.txt
AdvancedSetup (Root Admin, Posted November 6, 2020)

Please run the following for me.

Please download MiniToolBox, save it to your desktop and run it.
Checkmark the following check-boxes:
- Flush DNS
- Report IE Proxy Settings
- Reset IE Proxy Settings
- Report FF Proxy Settings
- Reset FF Proxy Settings
- List content of Hosts
- List IP configuration
- List Winsock Entries
- List last 10 Event Viewer log
- List Installed Programs
- List Devices
- List Users, Partitions and Memory size
- List Minidump Files
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.
Note: When using the Reset FF Proxy Settings option Firefox should be closed.
leopoldisio (Author, Posted November 6, 2020)

8 minutes ago, AdvancedSetup said:
  Please run the following for me. Please download MiniToolBox save it to your desktop and run it. Checkmark the following check-boxes: Flush DNS, Report IE Proxy Settings, Reset IE Proxy Settings, Report FF Proxy Settings, Reset FF Proxy Settings, List content of Hosts, List IP configuration, List Winsock Entries, List last 10 Event Viewer log, List Installed Programs, List Devices, List Users, Partitions and Memory size, List Minidump Files. Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run. Note: When using Reset FF Proxy Settings option Firefox should be closed.

Attachment: MTB.txt
AdvancedSetup (Root Admin, Posted November 6, 2020)

Please disable all security software temporarily.
- If you already have the latest version of our MBST tool then open it with Admin rights, otherwise download the Malwarebytes Support Tool.
- Click on Advanced in the left-hand panel.
- Place a check mark on all 4 items under Repair System.
- Then click on the Repair System button.
- Allow the computer to restart when done. If it does not restart on its own then please restart it on your own.

After the restart, run the Microsoft Safety Scanner.
The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for and remove malware or potentially unwanted software from a system. The download links and how to run the tool are at this link at Microsoft: https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download
Please let me know the results of this scan. The log is named MSERT.log; it will be at %SYSTEMROOT%\debug\msert.log, which in most cases is C:\Windows\debug\msert.log. Please attach that log with your next reply.
leopoldisio (Author, Posted November 6, 2020)

The second program detected and removed a registry entry for Win32/DefenderTamperingRestoreTamper (however, I continue with the problem).

Attachment: msert.log
AdvancedSetup (Root Admin, Posted November 6, 2020)

When you say you continue with "the problem", what is the specific problem you're having? Windows Defender won't enable?