
Windows Security finds exploits and other "threats" (Malwarebytes does not)


Solved by Maurice Naggar.

...and neither does Sophos Home.

Hi Malwarebytes geniuses 🤓,

Could you please help me figure out this issue? I have been trying to fix this for the past few days and none of the methods are working. I will greatly appreciate any and all help you can provide. Thank you. 💚

mb-support-1.8.0.848.exe has been executed and mbst-grab-results.zip file attached. Hopefully this helps. Please do not hesitate to let me know if additional details are required. Thanks again.

Details

- There are several threats detected through Windows Security and when I ran MSERT.exe (Microsoft Safety Scanner), it shows over 19K "infected files" but is unable to finish the scan for some reason. I ran it all night two days in a row with no success.

- When scanning with Malwarebytes, it does not detect anything.

- When scanning with Sophos Home (Sophos Home Website), it does not detect anything.

- When trying to remove the "threats" through Windows Security, they seem to show up again after restart. Windows Security also gets hung on trying to remove the "threats" and is unable to finish the process for some reason.

 


mbst-grab-results.zip


Hello

My name is Maurice. I will be helping and guiding you, going forward on this case.

Let me know what first name you prefer to go by.

Please follow my directions as we go along.  Please do not do any changes on your own without first checking with me.

Thanks for the support-tool report file. 

Let's begin with the following scan. We will do more later.

I would suggest a free scan with the ESET Online Scanner
Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

It will start a download of "esetonlinescanner.exe"
Save the file to your system, such as the Downloads folder, or else to the Desktop.

Go to the saved file, and double click it to get it started.

When presented with the initial ESET options, click on "Computer Scan".
Next, when prompted by Windows, allow it to start by clicking Yes
When prompted for scan type, Click on Full scan

Look at & tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.
Have patience.  The entire process may take an hour or more. There is an initial update download.

There is a progress window display.
You should ignore all prompts to get the ESET antivirus software program.   ( e.g.  their standard program).   You do not need to buy or get or install anything else.
When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked "View detected results".
Click the blue "Save scan log" to save the log.

If something was removed and you know it is a false finding, you may click on the blue "Restore cleaned files" (in blue, at bottom).
Press Continue when all done. You should click to off the offer for "periodic scanning".


On 12/10/2020 at 8:09 AM, Maurice Naggar said:

Let me know what first name you prefer to go by.

Thank you very much for your support, Maurice! Perg or Pergamentina is fine. 😄

On 12/10/2020 at 8:09 AM, Maurice Naggar said:

Look at & tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.
Have patience.  The entire process may take an hour or more. There is an initial update download.

I am currently at this stage. Screenshot in "spoiler" below.


On 12/10/2020 at 8:09 AM, Maurice Naggar said:

There is a progress window display.
You should ignore all prompts to get the ESET antivirus software program.   ( e.g.  their standard program).   You do not need to buy or get or install anything else.
When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked "View detected results".
Click the blue "Save scan log" to save the log.

If something was removed and you know it is a false finding, you may click on the blue "Restore cleaned files" (in blue, at bottom).
Press Continue when all done. You should click to off the offer for "periodic scanning".

I will let you know once I get to those steps!


That is an excellent result. You can do a special scan with the Windows Microsoft Defender Antivirus. Before you do that, before pressing the scan button, you want to ensure that all web browsers are closed. Have plenty of patience. You want to let the program do its thing, and so, try to not use the system during the scan. No web surfing or the likes. Nor games.

Go to the Windows taskbar.
Look for the search box
type in

virus & threat protection

and click on it.

On the next screen displayed, look for & click on the blue 

scan options

then select the 

Full Scan radio button

then scroll down and click on the button 

Scan now

Have lots of patience.   Monitor   and then see what the result is.  If at all possible, have it Quarantine or remove what it finds, if anything.


Alright, thank you for your assistance and patience. Unfortunately, Windows Defender could not remove anything. The same items are still there and there are more popping up. I am unable to access any webpages or search on the internet through my computer with the issues.

Any additional steps or help is much appreciated. Thank you! I will keep track of this forum via phone (which is how I posted this 😓).

 


I actually prefer to have actual report files rather than screen grabs. We have to see the actual full path to the items tagged & the full file names of those files.

Let's do something first. Set the Windows File Explorer to show all files, all folders, all hidden.

What follows is a first step to have Windows 10 show all files and folder. Do not let this spook you out.

If on Windows 10,  There is a how-to at Tenforums. Use either option one or two or three

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

.

[ 2 ]

See about finding & then attaching one or both of these files   ( these are logs from the Windows 10 Microsoft Windows Defender Antivirus)

C:\windows\temp\mpcmdrun.log

and this next file  ( if found )

C:\Users\DS\AppData\Local\Temp\MpCmdRun.log

Attach those files if possible.    and keep going and do what follows as well.

[ 3 ]

Unless I am mistaken,  what Windows Defender has been flagging are some files on your drive P  at this folder   P:\Personal\Learning

and by the way, your default browser seems to be Firefox. Can you try just using the EDGE browser for the duration of this case?

.

To delete ( clear ) the cache files & history for each web browser, do this on each browser  ( one at a time):

while still in the web browser, press and hold SHIFT + CTRL + DELete keys to start the process to delete all browser cache & history.

.

Next do one new scan for viruses:     TrendMicro HouseCall scan

https://www.trendmicro.com/en_us/forHome/products/housecall.html

First, Download & Save to your Downloads folder the appropriate HouseCallLauncher

 

Once the download is complete, go to where the Housecalllauncher is saved & double-click it to start it.

The program will check with TrendMicro & do an update run.

 

Next it will show the Disclosure window.

Click Next to proceed.

 

The end user license agreement is presented.   Click the Accept radio button & click Next to proceed.

 

IF you wish a Full scan or a Custom scan, first click on the Settings

then you can select which drives you want to include in the scan.

The default is a Quick scan.

Click Scan now when ready.

 

The scan progress will then be displayed.   Monitor the progress or just leave it alone until it finishes this phase.

 

When the scan phase has completed, if any items are tagged, you will see a list, showing  the file & its location, the classification of the threat, the type, risk, and Action option.

If you see an item that you know is safe, you can click the Action  , and select Ignore.

When all done & ready, click the Fix now button.

 


44 minutes ago, Maurice Naggar said:

Attach those files if possible. 

Unfortunately, I cannot attach them since I cannot access the internet anymore through any browser (IE, Edge, Firefox, Google Chrome).

 

46 minutes ago, Maurice Naggar said:

Unless I am mistaken,  what Windows Defender has been flagging are some files on your drive P  at this folder   P:\Personal\Learning

and by the way, your default browser seems to be Firefox.  Can you try just using EDGE browser for the duration of this case.

That's right. It is a file within that directory. I tried deleting it in the past (before reaching out on this forum) and it would not work - it kept trying to load and delete it but could not detect the size and saying 0 KB (even though it's well over 3GB; it's an ISO file that I installed for school before - Kali Linux).

I cannot access the internet via Edge either.

Pinging works (DNS is fine), Proxy is not turned on, pinging google.ca works as well.

53 minutes ago, Maurice Naggar said:

To delete ( clear ) the cache files & history for each web browser, do this on each browser  ( one at a time):

while still in the web browser, press and hold SHIFT + CTRL + DELete keys to start the process to delete all browser cache & history.

I am currently on this step and will let you know the status once it completes.


You should do one new Windows RESTART   just to be sure.   and then, on the Start menu, click Settings to get into the Windows Settings.

and then click on "Network and Internet" and be very sure that there is an internet connection.

You should also click on the line "Show available networks"   and look to see what it reports about your home-network connection.

You may be having some issue if you are only using WIFI.

Try if possible, to get a direct connection via a cable from your computer to your internet-connection router.


7 minutes ago, Maurice Naggar said:

You should do one new Windows RESTART   just to be sure.   and then, on the Start menu, click Settings to get into the Windows Settings.

and then click on "Network and Internet" and be very sure that there is an internet connection.

You should also click on the line "Show available networks"   and look to see what it reports about your home-network connection.

You may be having some issue if you are only using WIFI.

Try if possible, to get a direct connection via a cable from your computer to your internet-connection router.

I will do that ASAP. I have a class ATM on my computer through Teams (so internet is working) but I should have a break soon and I'll do that then. I am also connected through cable (not WiFi) - my computer ("tower") does not have WiFi capability (only cable).


7 hours ago, Maurice Naggar said:

How goes it today?

Alright, Maurice! We fixed it (I think... see below 😸). Here are the steps I took to fix the problem (along with your incredible guidance 💚).

My class instructors are cybersecurity people, so they were able to help me as well. We found out that by turning off web protection, malware protection, ransomware protection, and exploit protection on Malwarebytes Premium Trial 4.3.0, I was able to connect to the internet through the browser again. However, those yucky files were not removed still (of course) and something did seem to be affecting my browsing situation (I am guessing Malwarebytes was trying to battle it but through that, I was unable to access the internet as well - it was just loading forever). So, I was given some feedback to complete similar steps below.

 

1. Downloaded Kaspersky Total Security

2. Disconnected from Internet

3. Booted up into Safe Mode (F4 from the "Advanced settings area") - had to follow a guide for this online, but was not hard to find

4. Ran Kaspersky Total Security (full scan) - this is without internet in safe mode [this took around 1.5 hours]

5. Kaspersky found over 1K infected files and issues in safe mode

6. Deleted the files and issues using Kaspersky in safe mode [this took around 2 hours]

7. Ran Windows Security Defender (full scan) - this is without internet in safe mode [this took around 1.5 hours]

8. Windows Security Defender found one additional file in safe mode

9. Windows Security Defender was able to delete the additional file in safe mode [this took around 15 mins]

10. Rebooted computer and ran Kaspersky Total Security (full scan) as well as Windows Security Defender (full scan) afterwards - this is with internet and in "normal" mode (i.e. desktop/with features)

11. Kaspersky and Windows Security Defender did not find anything [this took around 1.5+1.5 = 3 hours]

12. Problem solved?

 

Please let me know what you think. I know I derailed from some of your suggestions but rebooting the computer did not work for me (normally) unfortunately. Do you think we still need to continue checking or do you think the computer is safe now? I was unable to find the file that was causing the issues anymore and it was actually deleted by Kaspersky (or so it seems); as mentioned before, I could not delete it myself as it kept saying that it was "calculating" the size and that there were 0 bytes.

I really appreciate your feedback, help, and thoughts. Thanks, Maurice.

 

PS: I was keeping track of time to see if the scanning speed would improve but it seems like it always takes long for my computer; I guess I just have a lot of files.


14 minutes ago, Pergamentina said:

9. Windows Security Defender was able to delete the additional file in safe mode [this took around 15 mins]

One other thing I forgot to mention is that I did end up clearing cache files in all the browsers within safe mode. It would NOT let me delete them outside of safe mode... something must have been trying to use my browsers for other purposes.


Thanks for the log file.  Looking at the past few days, from December 11  to the 14th,  there have been no threats reported or found.

As to Kaspersky Total Security, it is possible it is causing issues for the Malwarebytes Anti-Malware program. If Kaspersky is a paid-for license (e.g. an ongoing resident application), you want to be very very sure it is fully up to date. There have been several cases over the past few years where Kaspersky had made changes in their software that cascaded into repercussions to the real-time protections of Malwarebytes.

So, as I say, ensure that Kaspersky is fully updated with the latest version releases & normal program patch releases.

Do you have a Premium license for Malwarebytes? Or are you just using it as an on-demand scanner?


Further additional note:  As of the time that you had submitted the last mbst-grab file from the Malwarebytes support tool, the resident installed antivirus was Sophos Home.  What I must know is:  Has this pc been switched to Kaspersky Total Security ?  if so, did you first uninstall Sophos ?

and what version number exactly of Kaspersky Total Security ?    and is that the one you will stick with ?

Switching from one antivirus to another needs to be planned out, in addition to which often a cleanup utility from the company of the preceding vendor needs to be run.

I would appreciate getting clarifications, detail about this,  and also this following report.

I would like you to run a tool named SecurityCheck to inquire on the current-security-update  status  of some applications.

  • Download SecurityCheck by glax24 from here
  • and save the tool on the desktop.
  • If Windows's SmartScreen blocks that with a message window, then
  • Click on the MORE INFO spot and over-ride that and allow it to proceed.
  • This tool is safe. SmartScreen is overly sensitive.
  • Right-click with your mouse on the Securitycheck.exe and select "Run as administrator" and reply YES to allow it to run & go forward.
  • Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file. Attach it with your next reply.
  • You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

While this case is on-going, please do not switch antivirus applications without first checking with me.   If you have questions, please ask first.

Thank you.


On 12/14/2020 at 6:37 PM, Maurice Naggar said:

Do you have a Premium license for the Malwarebytes ?   or are you just using it as a on-demand scanner?

For now, I am using Malwarebytes as an on-demand scanner. I will also be using Kaspersky as an on-demand scanner. Windows Defender is the only one enabled to do protections in real-time.

 

On 12/15/2020 at 8:37 AM, Maurice Naggar said:

Has this pc been switched to Kaspersky Total Security ?  if so, did you first uninstall Sophos ?

I only installed Kaspersky to try a different anti-virus to see if it can detect the issue. I did uninstall Sophos first, yes.

On 12/13/2020 at 8:59 AM, Maurice Naggar said:

TrendMicro HouseCall scan

I scanned TrendMicro a little while after Kaspersky found the issues and I deleted the files through it. TrendMicro did not find anything when I did a "Full" scan.

On 12/15/2020 at 8:37 AM, Maurice Naggar said:

and what version number exactly of Kaspersky Total Security ?    and is that the one you will stick with ?

I updated it today (please see screenshot in the "spoiler" section below).


 

On 12/15/2020 at 8:37 AM, Maurice Naggar said:
  • Download SecurityCheck by glax24 from here
  • and save the tool on the desktop.
  • If Windows's SmartScreen blocks that with a message window, then
  • Click on the MORE INFO spot and over-ride that and allow it to proceed.
  • This tool is safe. SmartScreen is overly sensitive.
  • Right-click with your mouse on the Securitycheck.exe and select "Run as administrator" and reply YES to allow it to run & go forward.
  • Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file. Attach it with your next reply.
  • You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

Please see file attached. The grammar/spelling could be improved on the tool (makes it seem more malicious, heh).


 

On 12/15/2020 at 8:37 AM, Maurice Naggar said:

While this case is on-going, please do not switch antivirus applications without first checking with me.   If you have questions, please ask first.

Yes, sir. My apologies for earlier - it was just getting quite frustrating/annoying because I could not go to the Internet with my computer and also my computer was kinda sluggish, so I wanted to get rid of things faster; hence, I asked my cybersecurity teachers to help me out.

 

Please let me know if the SecurityCheck.txt looks alright and if there are further actions to be taken. Thank you so much, Maurice. I appreciate your help!

SecurityCheck.txt


There is an important factor that you need to always, always keep in mind. That if you are trying more than 1 antivirus & you uninstall one, you should be sure to run the cleanup-removal tool for it. From each appropriate AV maker that you tried.

Going from one to another to another does leave behind traces of the old antivirus, just because antivirus apps typically do not remove all traces.

.

There are 3 caution notes from the report. These applications need to be updated to the latest releases.

Zoom v.5.1        Warning!   Download Update
Python 3.8.2 (32-bit) v.3.8.2150.0     Warning!   Download Update
Cisco Webex Meetings v.40.2.12.18    Warning!     Download Update

.

Since you only use Malwarebytes as an on-demand scanner, then make this one adjustment.

Start Malwarebytes. Click the Settings (gear) icon. Next, let's make real sure that Malwarebytes does NOT register with Windows Security Center.

Click the Security Tab. Scroll down to 

"Windows Security Center"

Click the selection to the left  for the line "Always register Malwarebytes in the Windows Security Center".

Close Malwarebytes when done.

After all that,  your system should be all good to go.

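The post above makes two points a defender can check directly rather than by eye: which antivirus products are still registered with Windows Security Center after switching AVs, and what Defender has actually recorded for the flagged folder. The script below is an added illustration, not code from the thread, from Malwarebytes or from Microsoft; it assumes an elevated PowerShell prompt on Windows 10 with the built-in Defender module, and the folder path is a placeholder taken from the thread.

```powershell
# Added example, not from the thread or any vendor: list the antivirus products
# registered with Windows Security Center (leftover entries from an uninstalled
# AV show up here) and summarise what Defender has detected under a given path.
# Assumes an elevated PowerShell prompt on Windows 10 with the built-in
# Defender module; the path prefix is a placeholder taken from the thread.

function Get-RegisteredAntivirus {
    # Security Center keeps one AntiVirusProduct row per registered product.
    # productState is a packed integer; the decoding below follows the commonly
    # used convention (middle byte = real-time protection on/off, low byte =
    # signature freshness). Treat it as an assumption and confirm in the
    # Windows Security app if the two disagree.
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' |
        ForEach-Object {
            $hex = '{0:X6}' -f [int]$_.productState
            [pscustomobject]@{
                Product    = $_.displayName
                Enabled    = $hex.Substring(2, 2) -in @('10', '11')
                UpToDate   = $hex.Substring(4, 2) -eq '00'
                Executable = $_.pathToSignedProductExe
                State      = "0x$hex"
            }
        }
}

function Get-DefenderDetectionSummary {
    param([string]$PathPrefix = 'P:\Personal\Learning')  # placeholder from the thread
    # Each Defender detection record names the files/processes involved in Resources.
    Get-MpThreatDetection |
        Where-Object { ($_.Resources -join ' ') -like "*$PathPrefix*" } |
        Sort-Object InitialDetectionTime -Descending |
        Select-Object InitialDetectionTime, ActionSuccess, ThreatStatusID, Resources
}

$products = @(Get-RegisteredAntivirus)
$products | Format-Table -AutoSize

# More than one product reporting real-time protection usually means a previous
# AV was not fully removed; that vendor's cleanup tool is the fix, not a second AV.
$active = @($products | Where-Object { $_.Enabled })
if ($active.Count -gt 1) {
    Write-Warning ("{0} antivirus products report real-time protection enabled: {1}" -f
        $active.Count, ($active.Product -join ', '))
}

# Defender's own status, then the detections touching the folder of interest.
Get-MpComputerStatus |
    Select-Object AntivirusEnabled, RealTimeProtectionEnabled, AntivirusSignatureLastUpdated
Get-DefenderDetectionSummary | Format-List

# The MpCmdRun.log asked for earlier in the thread; show its last lines if present.
$log = Join-Path $env:windir 'Temp\MpCmdRun.log'
if (Test-Path $log) { Get-Content $log -Tail 20 }
```

Run it once before and once after the vendor cleanup tool: the leftover product should disappear from the first table, leaving only the AV you intend to keep with real-time protection enabled.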

On 12/19/2020 at 12:56 PM, Maurice Naggar said:

cleanup-removal tool

Would the Disk Cleanup tool on Windows be sufficient (screenshot in spoiler below)?


 

On 12/19/2020 at 12:56 PM, Maurice Naggar said:

Since you only use Malwarebytes as an on-demand scanner, then make this one adjustment.

Start Malwarebytes. Click the Settings (gear) icon. Next, let's make real sure that Malwarebytes does NOT register with Windows Security Center.

Click the Security Tab. Scroll down to 

"Windows Security Center"

Click the selection to the left  for the line "Always register Malwarebytes in the Windows Security Center".

Close Malwarebytes when done.

I completed the steps outlined. 🙂

On 12/19/2020 at 12:56 PM, Maurice Naggar said:

There are 3 caution notes from the report. These applications need to be updated to the latest releases.

Zoom v.5.1        Warning!   Download Update
Python 3.8.2 (32-bit) v.3.8.2150.0     Warning!   Download Update
Cisco Webex Meetings v.40.2.12.18    Warning!     Download Update

I will run the updates today; thank you!

On 12/19/2020 at 12:56 PM, Maurice Naggar said:

After all that,  your system should be all good to go.

So I do not need to worry about the things that were on my computer before? It should be safe now? 😏


 

On 12/19/2020 at 12:56 PM, Maurice Naggar said:

Zoom v.5.1        Warning!   Download Update
Python 3.8.2 (32-bit) v.3.8.2150.0     Warning!   Download Update
Cisco Webex Meetings v.40.2.12.18    Warning!     Download Update

Installed all the updates. Thanks again!


 


Solution

Hello.  I take it that you did manage to get the apps updated to the latest.  That's obviously a good thing.

The "CLEANMGR" built into Windows is a good general cleanup applet to delete temporary files and regain space.

https://www.tenforums.com/tutorials/3012-open-use-disk-cleanup-windows-10-a.html

Having reached this point, I take it that you are ready to wrap up this case.


On 12/21/2020 at 10:50 AM, Maurice Naggar said:

Hello.  I take it that you did manage to get the apps updated to the latest.  That's obviously a good thing.

The "CLEANMGR" built into Windows is a good general cleanup applet to delete temporary files and regain space.

https://www.tenforums.com/tutorials/3012-open-use-disk-cleanup-windows-10-a.html

Having reached this point, I take it that you are ready to wrap up this case.

Sounds wonderful! Thank you very much for your time, Maurice. I really appreciate all your efforts and help. I would mark the post made on "Posted December 14" as a Solution as well, since it helped with removing the files.

Thanks again!! 💚


On 12/14/2020 at 4:12 PM, Pergamentina said:

3. Booted up into Safe Mode (F4 from the "Advanced settings area") - had to follow a guide for this online, but was not hard to find

This is the guide I used for this portion (I tried all the steps in that guide and it seemed to help) : https://www.pcworld.com/article/243818/how-to-remove-malware-from-your-windows-pc.html


 I am very glad all is well.  The following are a few steps to cleanup on the tools I had you use.

To remove the FRST  tool & its work files, do this.  Go to your Downloads folder.  Do a RIGHT-click on FRSTENGLISH.exe & select RENAME & then change it to UNINSTALL.exe .
Then run that ( double click on it)  to begin the cleanup process.

Delete the file downloaded from ESET  "esetonlinescanner.exe"

Delete mbst-grab-results.zip   on the Desktop

Delete mb-support-1.80.848.exe

Delete securitycheck.exe

Any other download file I had you download, you may delete.

 

Backup is your best friend.  Keep backups of your system on a regular basis to offline storage & keep those safe. https://forums.malwarebytes.com/topic/136226-backup-software/

It is not enough to just have a security program installed. Each pc user needs to practice daily safe computer and internet use.

Best  practices & malware prevention:
Follow best practices when browsing the Internet, especially on opening links coming from untrusted sources.
First rule of internet safety: slow down & think before you "click".
Never click links without first hovering your mouse over the link and seeing if it is going to an odd address ( one that does not fit or is odd looking or has typos).

Free games & free programs are like "candy". We do not accept them from "strangers".

Never open attachments that come with unexpected ( out of the blue ) email no matter how enticing.
Never open attachments from the email itself. Do not double click in the email. Always Save first and then scan with antivirus program.

Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed.
Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next".

Use a Standard user account rather than an administrator-rights account when "surfing" the web.
See more info on Corrine's SecurityGarden Blog http://securitygarden.blogspot.com/p/blog-page_7.html
Don't remove your current login. Just use the new Standard-user-level one for everyday use while on the internet.

 

Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

For other added tips, read "10 easy ways to prevent malware infection"

 

I am very happy to have helped.

Stay safe. I wish you all the best. 😎

Sincerely,
