
VirTool:MSIL/Lore.AD!MTB


Hi all

First of all, sorry for my English.

I had an infection with VirTool:MSIL/Lore.AD!MTB and VirTool:Win32/DefenderTamperingRestore two days ago. My PC was infected and it disabled Windows Security Services forever.

That was possible because I installed a program on 2/11 at 19:41 (specifically Aiseesoft Screen Recorder). Seeing that Windows Defender wasn't working and my CPU was at 100%, I checked my PC with Malwarebytes, which detected the virus and sent it to quarantine.

With Windows Security disabled I installed Kaspersky Total Security, but I don't know:

1-How much did the virus damage my PC?

2-Did it steal my PDF files?

3-Is it still at risk?

4-Can I revive my Windows Security Services?

I am going to upload the Addition and FRST files (I don't know if I need to translate any part).

I would appreciate any help. Regards

 

Addition_04-11-2020 15.08.49.txt FRST_04-11-2020 15.08.49.txt

  • Root Admin

Hello @leopoldisio

This may simply be a false positive or heuristic detection from Windows Defender. The logs don't indicate an obvious infection, a few general PC issues possibly.

Please open Kaspersky and check for updates. Then do a full system scan and see if it detects anything and let me know.

 


Hello AdvancedSetup. Thanks for the reply.

Kaspersky didn't detect anything.

About "false positive":

-Windows Defender detected it
-Malwarebytes detected it and sent it to quarantine
-Since my security system was destroyed I installed the Kaspersky trial version (Kaspersky made me delete Malwarebytes)
-Kaspersky also detected the virus in the rar.
-The malware/virus created folders (C:\ProgramData\49QQIeD\nmhost.exe) and created entries in the registry.

-And it destroyed my security system (attached captures). *The wscsvc capture is not my own, but it is exactly the same.

So, can I revive my Windows Security System?

 

 

Sin título1.png

Copia 3.jpg

  • Root Admin

Okay, please disable Kaspersky and run the following.

 

Please run the following steps and post back the logs as an attachment when ready.
Temporarily disable your antivirus or other security software first. Make sure to turn it back on once the scans are completed.
Temporarily disable Microsoft SmartScreen to download software below if needed. Make sure to turn it back on once the scans are completed.
If you still have trouble downloading the software please click on Reveal Hidden Contents below for examples of how to allow the download.

When downloading with some browsers you may see a different style of screens that may block FRST from downloading. The program is safe and used hundreds of times a week by many users.

Example of Microsoft Edge blocking the download (three screenshots)

STEP 01

  • If you already have Malwarebytes installed then open Malwarebytes and click on the Scan button. It will automatically check for updates and run a Threat Scan.
  • If you don't have Malwarebytes installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and select Scan and let it run.
  • Once the scan is completed make sure you have it quarantine any detections it finds.
  • If no detections were found click on the Save results drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If there were detections then once the quarantine has completed click on the View report button, Then click the Export drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If the computer restarted to quarantine you can access the logs from the Detection History, then the History tab. Highlight the most recent scan and double-click to open it. Then click the Export drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know in your next reply that the scanner would not run.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Double-click to run the program
  • Accept the End User License Agreement.
  • Wait until the database is updated.
  • Click Scan Now.
  • When finished, if items are found please click Quarantine.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Attach or Copy its content into your next reply.

RESTART THE COMPUTER Before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here each time.
  • Please attach the Additions.txt log to your reply as well.
  • On your next reply, you should be attaching frst.txt and additions.txt to your post, every time.

 

Thanks

6 minutes ago, AdvancedSetup said:

Can you please post back the original protection or scan log showing what Malwarebytes found and removed

 

Like I told you, Kaspersky made me delete Malwarebytes, so I currently don't have that log.

From Kaspersky

Descripción del resultado :    Eliminado (deleted)
Tipo :    troyano
Nombre :    Trojan.MSIL.Inject.acfka
Precisión :    Exacta
Nivel de amenaza :    Alta
Tipo de objeto :    Archivo
Nombre de objeto :    Aiseesoft.Screen.Recorder.30.09.exe
Ruta de objeto :    C:\Users\Jose\Desktop
MD5 :    BC289C7A250578828CF3A2EBB82A0FA1

From "Addition" (Windows Defender):

Windows Defender:
===================================
Date: 2020-11-02 20:10:58.872
Description:
Antivirus de Windows Defender detectó malware u otro software potencialmente no deseado.
Para más información, consulta lo siguiente:
https://go.microsoft.com/fwlink/?linkid=37020&name=VirTool:MSIL/Lore.AD!MTB&threatid=2147742672&enterprise=0
Nombre: VirTool:MSIL/Lore.AD!MTB
Id.: 2147742672
Gravedad: Grave
Categoría: Herramienta
Ruta de acceso: amsi:_C:\ProgramData\49QQIeD\nmhost.exe
Origen de detección: Desconocido
Tipo de detección: Concreto
Origen de detección: Sistema
Usuario: NT AUTHORITY\SYSTEM
Nombre de proceso: Unknown
Versión de inteligencia de seguridad: AV: 1.327.212.0, AS: 1.327.212.0, NIS: 0.0.0.0
Versión de motor: AM: 1.1.17600.5, NIS: 0.0.0.0

Date: 2020-11-02 20:10:58.871
Description:
Antivirus de Windows Defender detectó malware u otro software potencialmente no deseado.
Para más información, consulta lo siguiente:
https://go.microsoft.com/fwlink/?linkid=37020&name=VirTool:Win32/DefenderTamperingRestore&threatid=2147741622&enterprise=0
Nombre: VirTool:Win32/DefenderTamperingRestore
Id.: 2147741622
Gravedad: Grave
Categoría: Herramienta
Ruta de acceso: regkeyvalue:_hklm\software\policies\microsoft\windows defender\real-time protection\\DisableBehaviorMonitoring
Origen de detección: Desconocido
Tipo de detección: Concreto
Origen de detección: Sistema
Usuario: NT AUTHORITY\SYSTEM
Nombre de proceso: Unknown
Versión de inteligencia de seguridad: AV: 1.327.212.0, AS: 1.327.212.0, NIS: 0.0.0.0
Versión de motor: AM: 1.1.17600.5, NIS: 0.0.0.0

Date: 2020-11-02 19:41:30.049
Description:
Antivirus de Windows Defender detectó malware u otro software potencialmente no deseado.
Para más información, consulta lo siguiente:
https://go.microsoft.com/fwlink/?linkid=37020&name=VirTool:MSIL/Lore.AD!MTB&threatid=2147742672&enterprise=0
Nombre: VirTool:MSIL/Lore.AD!MTB
Id.: 2147742672
Gravedad: Grave
Categoría: Herramienta
Ruta de acceso: amsi:_C:\ProgramData\49QQIeD\nmhost.exe
Origen de detección: Desconocido
Tipo de detección: Concreto
Origen de detección: AMSI
Usuario: I7\Jose
Nombre de proceso: C:\ProgramData\49QQIeD\nmhost.exe
Versión de inteligencia de seguridad: AV: 1.327.207.0, AS: 1.327.207.0, NIS: 1.327.207.0
Versión de motor: AM: 1.1.17600.5, NIS: 1.1.17600.5

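A small triage helper, added here as an example (it is not code from the thread, from FRST or from Malwarebytes), that parses the Defender event block the way Addition.txt quotes it above and separates the file indicator from the Defender-tampering policy value. It assumes the Spanish (es-ES) field labels of the quoted log; the sample input is copied from those two events.

```python
# es-ES Defender field labels -> normalized keys (assumption: the locale of
# the quoted log). Extend the map for other locales.
LABELS = {"Nombre": "name", "Id.": "threat_id", "Gravedad": "severity",
          "Ruta de acceso": "path", "Usuario": "user"}

# Sample input: two events copied from the Addition.txt block quoted above
# (raw string so the logged backslashes survive unchanged).
SAMPLE = r"""Date: 2020-11-02 20:10:58.872
Description:
Nombre: VirTool:MSIL/Lore.AD!MTB
Id.: 2147742672
Gravedad: Grave
Ruta de acceso: amsi:_C:\ProgramData\49QQIeD\nmhost.exe
Usuario: NT AUTHORITY\SYSTEM

Date: 2020-11-02 20:10:58.871
Nombre: VirTool:Win32/DefenderTamperingRestore
Id.: 2147741622
Gravedad: Grave
Ruta de acceso: regkeyvalue:_hklm\software\policies\microsoft\windows defender\real-time protection\\DisableBehaviorMonitoring
"""

def parse_events(text):
    """One dict per 'Date:' record, keeping only the labelled fields we know."""
    events, current = [], None
    for line in text.splitlines():
        if line.startswith("Date: "):
            current = {"date": line[6:].strip()}
            events.append(current)
        elif current is not None and ": " in line:
            label, _, value = line.partition(": ")
            key = LABELS.get(label.strip())
            if key:
                current[key] = value.strip()
    return events

def classify(event):
    """Split 'Ruta de acceso' on Defender's '<type>:_' prefix; for regkeyvalue
    entries the value name follows the double backslash, as in the log."""
    path = event.get("path", "")
    kind, sep, target = path.partition(":_")
    if not sep:
        return {"kind": "unknown", "target": path}
    if kind == "regkeyvalue":
        key, _, value = target.rpartition("\\\\")
        return {"kind": "registry_value", "key": key, "value": value}
    return {"kind": "file", "target": target}

def triage(text):
    """Policy values and file paths to verify by hand, de-duplicated."""
    policy_values, files = [], []
    for ev in parse_events(text):
        c = classify(ev)
        if c["kind"] == "registry_value" and c["value"] not in policy_values:
            policy_values.append(c["value"])
        elif c["kind"] == "file" and c["target"] not in files:
            files.append(c["target"])
    return {"policy_values": policy_values, "files": files}
```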
  • Root Admin

But nothing is being found now and that is too generic.

Please disable all security software temporarily and run the following

 

Let me have you run a different scanner to double-check. I don't expect it to find anything, but no harm in checking.

I would suggest a free scan with the ESET Online Scanner

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe"
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started.
  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes
  • When prompted for scan type, click on Full scan
  • Look at & tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.
  • Have patience. The entire process may take an hour or more. There is an initial update download.
  • There is a progress window display.
  • You should ignore all prompts to get the ESET antivirus software program (e.g. their standard program). You do not need to buy or get or install anything else.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked "View detected results".
  • Click the blue "Save scan log" to save the log.
  • If something was removed and you know it is a false finding, you may click on the blue "Restore cleaned files" (in blue, at bottom).
  • Press Continue when all done. You should click to off the offer for "periodic scanning".

 

 

  • Root Admin

Well the issue or concern is your current system. There are now multiple scanners that are no longer finding anything wrong with your computer.

Where it came from or got on your computer I have no idea, but it appears to be gone now.

What is the link on Virus Total for the file just to verify

Currently the computer would appear to be clean

 

 


I know where the executable is. If you don't execute it, the antivirus won't detect it...

I investigated, and each time you install the program a different virus is installed 🤢
Link to post
Share on other sites
  • Root Admin

I'm sorry but we don't support piracy. This is an attempt by someone to try to trick users into installing their Trojan and packing it all inside a single compressed exe file. This is not a legit or valid file as no valid 40MB executable exists.

As for potential damage, we can attempt to repair the system, but please for your own safety discontinue visiting sites like this and downloading files. Please visit well known download sites or original vendor sites.

 

  • Root Admin

Part of what the file does

image.png

 

 

 

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real time antivirus or security software before running this script. Once completed make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

NOTE-3: This fix will reset all network connections and reset the Firewall to default values. If you need any static information please save or export before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

 

  • Root Admin

Please run the following for me.

 

 

Please download MiniToolBox save it to your desktop and run it.

Checkmark the following check-boxes:

  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices
  • List Users, Partitions and Memory size.
  • List Minidump Files


Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using Reset FF Proxy Settings option Firefox should be closed.

 

MTB.txt

  • Root Admin

Please disable all security software temporarily

If you already have the latest version of our MBST tool then open it with Admin rights, otherwise

Download the Malwarebytes Support Tool.

Click on Advanced in the left-hand panel

image.png

 

Place a check mark on all 4 items under Repair System

image.png

Then click on the Repair System button

Allow the computer to restart when done. If it does not restart on its own then please restart it on your own.

 

 

After the restart then run the Microsoft Safety Scanner

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system.

The download links & the how-to-run-the tool are at this link at Microsoft

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

Please let me know the results of this scan.

The log is named MSERT.log

The log will be at %SYSTEMROOT%\debug\msert.log which in most cases is

C:\Windows\debug\msert.log

Please attach that log with your next reply.

 

 

This topic is now closed to further replies.