Removed R@1n when I did a Malware scan. Now having problems.

Xeph · November 23, 2020

As the title says, I did a scan using Malware Bytes. Found 9 Malware in the registry all called R@1n, no other malware was found. Looked up info and this is basically to authenticate a cracked version of windows 10. Mine was downloaded straight from Windows so I thought I could remove them. After removing and restarting, I lost all privileges to my folders. I can no longer save anything in my downloads folder for example, I can't change ownership of the folder, nothing. I tried undo-ing the change Malwarebytes did, still doesn't work. Is there any way I can fix this?

Results.txt

AdvancedSetup · November 23, 2020

Hello @Xeph

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

Double-click to run it. When the tool opens click Yes to disclaimer.
Press the Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

Thank you

Xeph · November 23, 2020

@AdvancedSetup Morning! Did the scanned and two things happened:

1) My Avira antivirus started putting in quarantine a lot of TR/Trash.Gen files, most if not all related to R@1n

2) Did the scan, Avira removed it due to it being potentially harmful. I restored it, told Avira to ignore and was able to scan. Got the FRST.txt log however "Additional" log txt was made. Not sure if the antivirus has anything to do with it.

FRST.txt

Xeph · November 23, 2020

However "addiotional" log txt wasnt*** made.

Maurice Naggar · November 23, 2020

Good morning Xeph. My name is Maurice. I can guide you going forward from here. [ Hope AdvancedSetup will forgive my intrusion.]

The FRST64 report was partial. It did not show the complete copy of FRST.txt. But that so, there is still 2 boogers EXE in the Windows folder, plus the booger has set a couple of debug points to keep its hooks in. This should be something we can get rid of my doing a special custom run. I read that you also have other issues on this machine. Those can be held back for later.

First, I see that you have FRST64.exe in your user folder. Can you go to that folder, right-click on FRST64.exe and RENANE it to XYLO.exe

That is so we can possibly get around any potential rejection or block issue.

The system will be rebooted after the script has run.

.

This custom script is for Xeph only / for this machine only.

Close and save any open work files before starting this procedure. If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached, please disconnect any of those.

The custom Fix script is going to be used by the XYLO ( FRST64) tool. They will both work together as a pair.

Please save the (attached file named) FIXLIST.txt to the folder C:\Users\Xeph

Start the Windows Explorer and then, to the C:\Users\Xeph folder.

RIGHT click on XYLO (FRST64 ) and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow to run.
to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool......
click line More info information on that screen
and click button Run anyway on next screen.

on the FRST window:
Click the Fix button just once, and wait.

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity

Please know this will do a Windows Restart. Just let it do its thing.

Do let me know how things are overall, after all this.

Sincerely.

Fixlist.txt

Xeph · November 23, 2020

@Maurice Naggar Thanks for replying to the thread. So I did the fix and I attached the log. However, my problem still persists. If I try to download a file and put it in my downloads folder, it still says "you don't have permission to save in this location. Contact the administrator". Same thing if I try to change any of my old files in my folders, it won't give me permission to do so.

Fixlog.txt

Xeph · November 23, 2020

Update:

I have two hard drives. Local Disk (C:) and Disk (F:). C is my SSD and F is my HDD. I can rewrite and save things to my SSD now, the problem only persists in (F:). Not sure if that's important but thought I should mention it.

Maurice Naggar · November 23, 2020

Hi Xeph. Thanks for the report. That custom fix is a very worthwhile run & a very excellent result. This ought to have squashed the remains of the "KMS-R@1nHook" boogers. As to your other issue, please understand that not all can be cured in one single solitary swoop. We are more than likely looking at several passes. Much patience is needed ! One thing at a time !

Lets go careful with due attention & diligence. You had mentioned doing 1 scan very recently with Malwarebytes for Windows. I just want to have a copy of the last "Scan" run of that program.

locate the Scan run report; export out a copy; & then attach in with your reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

[ 2 ]

Later on, I will get you to run a different report tool, to collect all the Malwarebytes logs and configuration.

For the next thing, I need a fresh report with XYLO ( FRST64).

Run report with XYLO

Right-click on XYLO and select Run as Administrator to start the tool , and reply YES to allow it to proceed and run.

_Windows 10 users will be prompted about Windows *SmartScreen protection* - click line More info information on that screen and click button Run anyway on next screen._

Click YES when prompted by Windows U A C prompt to allow it to run.
Note: If you are prompted by Windows SmartScreen, click More info & followup & choose Run anyway.

Approve the Windows UAC prompt on Windows Vista and newer operating systems by clicking on Continue or Yes.

Click Yes when the* disclaimer* appears in FRST.
The tool may want to update itself - in that case you'll be prompted when the update is completed and ready to use.

Make sure that Addition options is *checked* - the configuration should look exactly like on the screen below (do not mark additional things unless asked).
Press Scan button and wait.

The tool will produce 2 logfiles on your desktop: FRST.txt , Addition.txt
Click OK button when it shows up. Close the Notepad windows when they show on screen. The tool saves the files.

Please attach these 2 files to your next reply.

Maurice Naggar · November 23, 2020

added note: I now see that you had attached the Malwarebytes run report from the 22nd NOV 10:40 PM

I see that it did not remove at that time due to

No Action By User

This is just info for now. Later on, I will guide you to a new run. There is still a few items to remove, using Malwarebytes for Windows.

Xeph · November 23, 2020

Malware report.txt @Maurice Naggar

Its fine, I'm in no rush. I was posting that info just in case it was important. Anywho, scan and reports have been posted! The report I'm posting is that one that showed the KMS R@1N that was found. Hopefully it'll help.

Addition.txt FRST.txt

Maurice Naggar · November 23, 2020

Hi. Thanks. You do not need to use the @

I do get all replies to this thread automatically.

The Malwarebytes for Windows version is needs to be updated to the very latest Component. Lets have you get updated to the very latest.

All program upgrades are at no charge.

Start Malwarebytes. Click Settings ( gear ) icon.

Now, click the tab marked GENERAL. Look for the button marked "Check for Updates" and click it. Be sure to follow all prompts. Lets be sure it is up-to-date.

That will hopefully insure that the program has the very latest Component Update.

[ 2 ]

In Malwarebytes , we want to do a special scan.
Click Settings ( gear icon) at the top right of Malwarebytes window. We want to see the SETTINGS window.
Then click the Security tab.

Scroll down and lets be sure the line in SCAN OPTIONs for "Scan for rootkits" is ON 👈
Click it to get it ON if it does not show a blue-color
.

Then scroll down to the section Potentially Unwanted items. We need the next 2 lines ( for P U P & for P U M) to be set to "Always ( Recommended) ".
You can make the change by clicking on the down-arrow selection list-control. We want all P U P & P U M to be marked for removal.

Next, click the small x on the Settings line to go to the main Malwarebytes Window.

Next click the blue button marked Scan.
When the scan phase is done, be real sure you Review and have all detected lines items check-marked on each line on the left. That too is very critical.
You can actually click the topmost left check-box on the very top line to get ALL lines ticked ( all selected). 👈

🔻

Then click on Quarantine selected.

Then, locate the Scan run report; export out a copy; & then attach in with your reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

We will do more later.

Xeph · November 23, 2020

NewReport.txt

Sorry about the @'ing.

All done. It was already up to date and also did the changes. After scanning there were no new results. Still including the report just in case.

Maurice Naggar · November 23, 2020

Thanks. Now, one quick additional custom fix with XYLO.

First, delete the copy on your folder of the prior FIXLIST.txt

I have a new one to be Saved in the same folder as where you have XYLO. This will be a very quick run.