Removed R@1n when I did a Malware scan. Now having problems.


Xeph

As the title says, I did a scan using Malwarebytes. It found 9 malware items in the registry, all called R@1n; no other malware was found. I looked up info and this is basically to authenticate a cracked version of Windows 10. Mine was downloaded straight from Windows, so I thought I could remove them. After removing them and restarting, I lost all privileges to my folders. I can no longer save anything in my Downloads folder, for example; I can't change ownership of the folder, nothing. I tried undoing the change Malwarebytes did; it still doesn't work. Is there any way I can fix this?

Results.txt


  • Root Admin

Hello @Xeph

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

Thank you

 

 


@AdvancedSetup Morning!  Did the scan and two things happened:

1)  My Avira antivirus started putting a lot of TR/Trash.Gen files in quarantine, most if not all related to R@1n

2)  When I did the scan, Avira removed it because it was potentially harmful.  I restored it, told Avira to ignore it and was able to scan.  I got the FRST.txt log; however, the "Additional" log txt was made.  Not sure if the antivirus has anything to do with it.

FRST.txt


Good morning, Xeph.  My name is Maurice.  I can guide you going forward from here. [ Hope AdvancedSetup will forgive my intrusion.]

The FRST64 report was partial.  It did not show the complete copy of FRST.txt.   Even so, there are still 2 booger EXEs in the Windows folder, plus the booger has set a couple of debug points to keep its hooks in.  This should be something we can get rid of by doing a special custom run.  I read that you also have other issues on this machine.  Those can be held back for later.

First, I see that you have FRST64.exe in your user folder.  Can you go to that folder, right-click on FRST64.exe and RENAME it to XYLO.exe

That is so we can possibly get around any potential rejection or block issue.

The system will be rebooted after the script has run.

.

This custom script is for  Xeph  only / for this machine only.

 
Close and save any open work files before starting this procedure.    If there are any CD / DVD / USB flash or USB storage drives attached,  please disconnect them.

The custom Fix script is going to be used by the XYLO (FRST64) tool. They will both work together as a pair.

Please save the (attached file named) FIXLIST.txt   to the   folder   C:\Users\Xeph


Start Windows Explorer and then go to the C:\Users\Xeph  folder.


RIGHT-click on  XYLO   (FRST64 ),  select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow it to run. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool...
click the line More info on that screen
and click the button Run anyway on the next screen.

on the FRST window:
Click the Fix button just once, and wait.

[screenshot: the Fix button in the FRST window]

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after the restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location it was run from.

Please attach the FIXLOG.txt with your next reply, at your next opportunity.


Please know this will do a Windows Restart.   Just let it do its thing.  

Do let me know how things are overall,  after all this.

Sincerely.

Fixlist.txt


@Maurice Naggar Thanks for replying to the thread.  So I did the fix and I attached the log.  However, my problem still persists.  If I try to download a file and put it in my Downloads folder, it still says "You don't have permission to save in this location.  Contact the administrator."  Same thing if I try to change any of my old files in my folders; it won't give me permission to do so.  

Fixlog.txt


Hi Xeph.   Thanks for the report.  That custom fix was a very worthwhile run with an excellent result.  This ought to have squashed the remains of the "KMS-R@1nHook" boogers.   As to your other issue, please understand that not all can be cured in one single swoop.  We are more than likely looking at several passes. Much patience is needed!   One thing at a time!

Let's go carefully with due attention & diligence.  You mentioned doing 1 scan very recently with Malwarebytes for Windows.  I just want to have a copy of the last "Scan" run report of that program.

Locate the Scan run report;  export a copy;  & then attach it with your reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

[ 2  ]

Later on, I will get you to run a different report tool, to collect all the Malwarebytes logs and configuration.

For the next thing, I need a fresh report with XYLO (FRST64).

Run report with XYLO

Right-click on XYLO and select Run as Administrator to start the tool, and reply YES to allow it to proceed and run.

Windows 10 users will be prompted about Windows SmartScreen protection: click the line More info on that screen and click the button Run anyway on the next screen.

Click Yes when prompted by the Windows UAC prompt (Windows Vista and newer) to allow it to run.

Click Yes when the disclaimer appears in FRST.
The tool may want to update itself; in that case you'll be prompted when the update is completed and ready to use.

Make sure that the Addition option is checked; the configuration should look exactly like the screen below (do not mark additional things unless asked).
Press the Scan button and wait.


[screenshot: FRST scan options with Addition checked]



The tool will produce 2 logfiles on your desktop: FRST.txt, Addition.txt 
Click the OK button when it shows up. Close the Notepad windows when they show on screen. The tool saves the files.

Please attach these 2 files to your next reply. 


Added note:  I now see that you had attached the Malwarebytes run report from the 22nd of Nov, 10:40 PM

I see that it did not remove at that time due to 

No Action By User

This is just info for now.  Later on, I will guide you to a new run.   There are still a few items to remove, using Malwarebytes for Windows.


Hi.  Thanks.  You do not need to use the  @

I do get all replies to this thread automatically.

The Malwarebytes for Windows version needs to be updated to the very latest Component.  Let's have you get updated to the very latest.

All program upgrades are at no charge.

Start Malwarebytes. Click Settings ( gear ) icon. 

Now, click the tab marked GENERAL.   Look for the button marked "Check for Updates" and click it.  Be sure to follow all prompts.  Let's be sure it is up to date.

That will hopefully ensure that the program has the very latest Component Update.

[    2    ]

 

In Malwarebytes , we want to do a special scan.
Click Settings ( gear icon)   at the top right of Malwarebytes window.   We want to see the SETTINGS window.
Then click the Security tab.   

Scroll down and let's be sure the line in SCAN OPTIONS for "Scan for rootkits" is ON        👈
Click it to get it ON  if it does not show a blue color

.

Then scroll down to the section Potentially Unwanted items.   We need the next 2 lines   ( for PUP  & for PUM)  to be set to "Always ( Recommended) ".
You can make the change by clicking on the down-arrow selection list control.   We want all PUP  &  PUM to be marked for removal.

Next, click the small x on the Settings line   to go to the main Malwarebytes window.
 

Next click the blue button marked Scan.
When the scan phase is done, be really sure you review and have all detected line items check-marked on each line on the left. That too is very critical.
You can actually click the topmost left  check-box  on the very top line to get ALL lines  ticked   ( all selected).    👈

[screenshot: Malwarebytes scan results with the top check-box ticked to select all lines]

 

 

Then click on Quarantine selected.

[screenshot: the Quarantine selected button on the Malwarebytes scan results]
 

Then, locate the Scan run report;  export a copy;  & then attach it with your reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

 

We will do more later.


Thanks.  Now, one quick additional custom fix with XYLO.

First, delete the copy in your folder of the prior FIXLIST.txt

I have a new one to be saved in the same folder as where you have XYLO.   This will be a very quick run.

This custom script is for  Xeph  only / for this machine only.

 
Close and save any open work files before starting this procedure.    If there are any CD / DVD / USB flash or USB storage drives attached,  please disconnect them.

The custom Fix script is going to be used by the XYLO (FRST64) tool. They will both work together as a pair.

Please save the (attached file named) FIXLIST.txt   to the   folder   C:\Users\Xeph


Start Windows Explorer and then go to the C:\Users\Xeph  folder.


RIGHT-click on  XYLO   (FRST64 ),  select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow it to run. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool...
click the line More info on that screen
and click the button Run anyway on the next screen.

on the FRST window:
Click the Fix button just once, and wait.

[screenshot: the Fix button in the FRST window]

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after the restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location it was run from.

Please attach the FIXLOG.txt with your next reply, at your next opportunity.


Please know this will do a Windows Restart.   Just let it do its thing.  

Do let me know how things are overall,  after all this.

Sincerely.

Fixlist.txt


Same as before.  

As stated above, I have two hard drives.  My HDD (F:) and SSD (C:).  I have no problems with my SSD; I can make any changes to it as normal.  However, whatever change I try to make on my (F:), whether it's saving something to the Downloads folder, renaming a file, creating a folder, etc., it asks for administrator permission.  Basically, after deleting R@1N, it shows as if I'm no longer the owner of any of the folders on (F:).  I tried force-changing the ownership but it requires me to remove "read only" from properties for it to be successful... but I can't do that because I need administrator permission.  It's a cycle.  


With care in doing it, you can activate the account 'Administrator' on Windows  ( which is normally disabled by design) .   Then immediately change its password to one of your own.

Open an elevated command prompt window, i.e. run Command Prompt as an administrator.
It is best to use Windows Copy ( CTRL+C )  and Paste  ( CTRL+V )  for the whole line, as-is.
To get the elevated command prompt, press Windows-key + X key  and then select Command Prompt ( Admin )
 

To activate the inactive Administrator account, run the command

net user administrator /active:yes


If you want to enable the guest account as well, run the command net user guest /active:yes
For Password protect:
Type

net user administrator *

and hit enter.
You will get a password prompt. Type the desired password and confirm the same.

Once that is done, you can login with Administrator into Windows and do what you need.

.

What you describe is that you need the account Xeph  to take ownership of some folders on F.

How to take ownership of a folder

To take ownership of a folder, follow these steps:

  1. Right-click the folder that you want to take ownership of, and then click Properties.
  2. Click the Security tab, and then click OK on the Security message (if one appears).
  3. Click Advanced, and then click the Owner tab.
  4. In the Name list, click your user name, or click Administrator if you are logged in as Administrator, or click the Administrators group. If you want to take ownership of the contents of that folder, select the Replace owner on subcontainers and objects check box.
  5. Click OK, and then click Yes when you receive the following message:
     You do not have permission to read the contents of directory folder name. Do you want to replace the directory permissions with permissions granting you Full Control?

     All permissions will be replaced if you press Yes.

     Note: folder name is the name of the folder that you want to take ownership of.
  6. Click OK, and then reapply the permissions and security settings that you want for the folder and its contents.

 

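The command-line equivalent of the take-ownership steps above, as an added example (editor's code, not Maurice's instructions and not a Malwarebytes or FRST tool), for an elevated PowerShell window. It assumes the affected volume is F:\ as the poster described and that ownership should go to the account running it; everything else is the built-in takeown, icacls and attrib utilities. It records the owner and ACEs before and after, continues past folders that cannot be enumerated instead of stopping at the first access-denied error, clears the read-only attribute only after write access has been granted (which is the cycle the poster got stuck in), and then proves the result by creating and deleting a file rather than trusting the ACL display.

```powershell
#Requires -RunAsAdministrator
# Added example for this thread: editor's code, not from the original posts.
# Assumption: the affected volume is F:\ and ownership should go to the
# account running this script (the poster's own account, run elevated).
$Target = 'F:\'
$User   = "$env:USERDOMAIN\$env:USERNAME"   # on a standalone PC: COMPUTERNAME\Xeph

# Record the current owner and explicit ACEs of a path, so the "before"
# state is captured and the "after" state can be compared against it.
function Show-Ownership {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    [pscustomobject]@{
        Path  = $Path
        Owner = $acl.Owner
        Rules = ($acl.Access | ForEach-Object {
                    '{0} {1} {2}' -f $_.IdentityReference, $_.AccessControlType, $_.FileSystemRights
                }) -join '; '
    }
}

# Take ownership of the whole tree and grant Full Control. Both utilities are
# told to continue past access-denied errors, so a subtree that cannot be
# enumerated is skipped and reported instead of aborting the entire run.
function Repair-TreeOwnership {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Principal
    )
    # /R recurse into subfolders; /D Y answers "yes" when a directory cannot be
    # listed. /A is deliberately omitted so the current user becomes the owner.
    & takeown.exe /F $Path /R /D Y | Out-Null

    # Set the owner at every level, then add an inheritable Full Control ACE:
    # (OI) object inherit, (CI) container inherit, F = full control.
    # /T recurse, /C continue on errors, /Q suppress per-file success lines.
    & icacls.exe $Path /setowner $Principal /T /C /Q
    & icacls.exe $Path /grant "${Principal}:(OI)(CI)F" /T /C /Q

    # Clear the read-only attribute last: changing attributes needs write
    # access, which the ACE above has just granted. (Windows does not enforce
    # the read-only attribute on folders themselves; it applies to files.)
    & attrib.exe -R (Join-Path $Path '*') /S /D
}

# Prove the fix with the operation that actually failed for the poster:
# create a file and delete it again. Returns $true on success.
function Test-WriteAccess {
    param([Parameter(Mandatory)][string]$Path)
    $probe = Join-Path $Path ('acl-probe-{0}.tmp' -f [guid]::NewGuid())
    try {
        New-Item -ItemType File -Path $probe -ErrorAction Stop | Out-Null
        Remove-Item -LiteralPath $probe -Force -ErrorAction Stop
        return $true
    } catch {
        return $false
    }
}

'--- before ---'
Show-Ownership -Path $Target | Format-List
Repair-TreeOwnership -Path $Target -Principal $User
'--- after ---'
Show-Ownership -Path $Target | Format-List

if (Test-WriteAccess -Path $Target) {
    "Write access to $Target restored for $User"
} else {
    # A Deny ACE beats any Allow. List entries with:   icacls $Target
    # and remove a stale Deny with: icacls $Target /remove:d "$User" /T /C
    "Still denied on $Target; check for a Deny entry with: icacls $Target"
}
```

Read the "Failed processing" count icacls prints at the end; on a volume root, failures under System Volume Information and $RECYCLE.BIN are expected and harmless. If the probe still fails, a Deny entry is the usual reason, since Deny is evaluated before Allow. If the built-in Administrator account was enabled with net user as described above, disable it again once the repair is done with net user administrator /active:no; a permanently enabled, well-known local admin account is a standing target for password guessing.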

It should be an administrator account, but for some reason that problem started happening after removing R@1N.  Maybe changing the authenticator caused the problem?  Anyway, I'm gonna try your solution now and, hopefully, everything will be back to normal.  I'll write back as soon as I'm done.  Thanks a lot for replying constantly; it's very appreciated.


Sadly, no change could be made, even with the administrator account set up.  Here are a few screenshots that might help.  Weirdly enough, most owners have full access to F:, yet I still can't do anything to it.  I also tried deleting the last user who had limited access but I was denied.  This is so weird... 

Owner denied.png

Owners.png

CreatingFolder.png


IT WORKED...Partially?  

Went into safe mode and I was able to change some of the settings (like the Read-only setting) and was able to change ownership of most of the items.  However, it said some content ownership couldn't be changed due to being unable to enumerate them, then said "access denied".  Still, it's better than it was before.  I can now use my Downloads folder again, create folders, rename, etc.  Thanks for your help, both of you.  If I run into any more trouble in the next 24 hours, I'll post again.
