
Msascuil.exe in startup


Adori
Solved by Maurice Naggar

Hi,

I recently saw msascuil.exe in my startup, but the "open file location" is greyed and I can't access it. It also sometimes disappears then reappears again.

Now I'm just suspicious on whether or not it's legit or malware. I can't find it in "C:\Program Files\Windows Defender" either, which is where it's supposed to be. I also checked the x86 folder.

I tried running Malwarebytes but it detects nothing.

Hoping to get some help to clear this up.

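A read-only way to inspect a startup entry like the one described in the post above, as an added example that is not part of the original thread: it lists startup commands matching a pattern, resolves the executable path, and reports whether the file exists and how its Authenticode signature validates. The function name Get-StartupEntryReport and the default pattern are assumptions made for this illustration.

```powershell
# Added example (not from the thread): read-only triage of a startup entry.
# Get-StartupEntryReport is a hypothetical helper name chosen for this sketch.
function Get-StartupEntryReport {
    param(
        # Text to look for in the entry name or command line (assumed default).
        [string]$Pattern = 'msascuil'
    )

    # Win32_StartupCommand covers the Run registry keys and the Startup folders.
    $entries = Get-CimInstance -ClassName Win32_StartupCommand |
        Where-Object { $_.Name -match $Pattern -or $_.Command -match $Pattern }

    foreach ($entry in $entries) {
        # Expand %ProgramFiles%-style variables before parsing the command line.
        $command = [Environment]::ExpandEnvironmentVariables($entry.Command)

        # Take the quoted path if there is one, otherwise everything up to ".exe".
        $path = $null
        if ($command -match '^\s*"([^"]+)"') {
            $path = $Matches[1]
        } elseif ($command -match '^\s*(.+?\.exe)\b') {
            $path = $Matches[1]
        }

        $exists = $false
        $sigStatus = 'n/a'
        $signer = $null
        if ($path -and (Test-Path -LiteralPath $path -PathType Leaf)) {
            $exists = $true
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            $sigStatus = $sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }

        [pscustomobject]@{
            Name       = $entry.Name
            Location   = $entry.Location   # registry key or Startup folder
            User       = $entry.User
            Command    = $entry.Command
            Path       = $path
            FileExists = $exists           # False = registration with no file on disk
            Signature  = $sigStatus        # 'Valid' expected for a genuine signed binary
            Signer     = $signer
        }
    }
}

Get-StartupEntryReport | Format-List
```

The script changes nothing on the system; an entry reported with FileExists False is a startup registration whose target is not on disk.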

Hello. Thank you for the reports. The first thing I would like you to do is this, because your system is set for Norwegian language. And I need for the tools of FRST to report in English (my native language) just so I can get a best description from FRST.

Go to the Downloads folder. Look for FRST64.exe. Use your mouse and do a RIGHT-click on FRST64.exe and select RENAME and get it renamed to FRSTENGLISH.exe

Let me know after that is completed.


This is just an attempt to help out with the bogus "windowsdefender" entry. Before you start, be sure you have renamed the FRST like my prior post.

Please be sure to Close any open work files, documents, any apps you started yourself before starting this.

The system will be rebooted after the script has run.

This custom script is for Adori only / for this machine only.

Close and save any open work files before starting this procedure. If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached, please disconnect any of those.

The custom Fix script is going to be used by the FRSTENGLISH tool. They will both work together as a pair.

Please save the (attached file named) FIXLIST.txt to the Downloads folder

The tool named FRSTENGLISH.exe is already in the Downloads folder.
Start the Windows Explorer and then go to the Downloads folder.

RIGHT click on FRSTENGLISH and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow it to run.
If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool......
click line More info information on that screen
and click button Run anyway on next screen.

on the FRST window:
Click the Fix button just once, and wait.

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   


Please know this will do a Windows Restart.   Just let it do its thing.  

Do let me know how things are overall,  after all this.

Sincerely.

Fixlist.txt


To your last post, please do not do anything on your own.   We can run some other scans to check this system further.

Thanks for the Fixlog report file.  The custom script run is very good.  The Microsoft Windows 10 Windows Defender antivirus service is running properly.

The Windows System File Checker reported no corruption as far as the operating system files.

Now, we can start doing some specific scans.  Please just follow my guidance.

I want to be sure that your Windows 10 is able to do a  new scan with the Windows 10 Windows Defender antivirus.   Just do a regular Quick scan with Windows Defender.
Open an elevated command prompt window, i.e. run Command Prompt as an administrator.
It is best to use the Windows Copy ( CTRL+C ) and paste ( CTRL+V ) for the whole line, as-is
To get the elevated command prompt, press Windows-key + X key and then select Command prompt ( Admin )
On that command prompt, Copy & Paste this command

"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -SignatureUpdate

 tap Enter-key  so that command line gets done.   

and then, Copy & Paste this next command

"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Scan -ScanType 1

and tap Enter-key to get that scan started.

Wait for the final result of the scan.  Then just let it run, however long it takes.
Make a note of the final display results.
 


Hi,

When I ran:

"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -SignatureUpdate

I got:
"ERROR: Signature Update failed with hr=80070057
CmdTool: Failed with hr = 0x80070057. Check C:\Users\x\AppData\Local\Temp\MpCmdRun.log for more information"

When I ran:

"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Scan -ScanType 1

it scanned, finished and found no threats.


It's good to know that the scan itself by Windows Defender found no threats.   Let's have you do a different scan with a different tool.

I would suggest a free scan with the ESET Online Scanner
Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

It will start a download of "esetonlinescanner.exe"
Save the file to your system, such as the Downloads folder, or else to the Desktop.

Go to the saved file, and double click it to get it started.

When presented with the initial ESET options, click on "Computer Scan".
Next, when prompted by Windows, allow it to start by clicking Yes
When prompted for scan type, Click on Full scan

Look at & tick  ( select )   the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click on Start scan button.
Have patience.  The entire process may take an hour or more. There is an initial update download.

There is a progress window display.
You should ignore all prompts to get the ESET antivirus software program.   ( e.g.  their standard program).   You do not need to buy or get or install anything else.
When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.
Click The blue “Save scan log” to save the log.

If something was removed and you know it is a false finding, you may click on the blue “Restore cleaned files” ( in blue, at bottom).
Press Continue when all done.  You should click to off the offer for “periodic scanning”.


Hello.   That is good.  Let's see if you could do a new report run using the FRST64 on the Downloads folder.  I'll review the reports to see what is set to run.

Right-click on FRST64.exe     and select Run as Administrator to start the tool , and reply YES to allow it to proceed and run.
 

Windows 10 users will be prompted about Windows SmartScreen protection - click line More info information on that screen and click button Run anyway on next screen.

Click YES when prompted by Windows UAC prompt to allow it to run.
Note: If you are prompted by Windows SmartScreen, click More info & followup & choose Run anyway.

Approve the Windows UAC prompt on Windows Vista and newer operating systems by clicking on Continue or Yes.

Click Yes when the disclaimer appears in FRST.
The tool may want to update itself - in that case you'll be prompted when the update is completed and ready to use.

Make sure that Addition options is checked - the configuration should look exactly like on the screen below (do not mark additional things unless asked).
Press Scan button and wait.

 


The tool will produce 2  logfiles on your desktop: FRST.txt , Addition.txt 
Click OK button when it shows up. Close the Notepad windows when they show on screen. The tool saves the files.

Please attach these 2 files to your next reply.

Thank you.


Thank you for the new FRST reports.  Take a minute, look for the file I had you download named  "esetonlinescanner.exe"   & Delete it.   We no longer need it.

Please find the prior copy ( file) named Fixlist.txt  on the Downloads folder and Delete it.

I have a new custom script for you.  I believe I have spotted the "no name" program that you had spotted before thru Task Manager.

Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.

 

The system will be rebooted after the script has run.

This custom script is for Adori only / for this machine only.

Close and save any open work files before starting this procedure. If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached, please disconnect any of those.

The custom Fix script is going to be used by the FRSTENGLISH tool. They will both work together as a pair.

Please save the (attached file named) FIXLIST.txt to the Downloads folder

The tool named FRSTENGLISH.exe is already in the Downloads folder.
Start the Windows Explorer and then go to the Downloads folder.

RIGHT click on FRSTENGLISH and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow it to run.
If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool......
click line More info information on that screen
and click button Run anyway on next screen.

on the FRST window:
Click the Fix button just once, and wait.

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   


Please know this will do a Windows Restart.   Just let it do its thing.  

Do let me know how things are overall,  after all this.

Sincerely.

Fixlist.txt


Thank you for the log report.  Just please hold on with me here.  I am going to have you do some additional checks.

Please download RogueKiller (x64) using the link below.
→ http://download.adlice.com/api?action=download&app=roguekiller&type=x64

  • Save the file first,
  • Close any running programs that you started on your own ( if any).
  • Please disconnect any USB or external drives from the computer before you run this scan!

Double-click  RogueKillerx64.exe to run the program.

Follow the prompts. If a browser window opens, close the window.

In the HOME tab, click Scan button

Next, on the Quick scan pane, click on the Start button to proceed.

Upon completion, a browser window may open. Close this window.

 Important: Please do not have RogueKiller remove any detected items.

Click the HISTORY tab followed by Scan Reports.

Double-click the scan log. Click Export TXT, enter a filename and save the file to your Desktop.

Please attach the file in your next reply.


Thanks for that report from RogueKiller.  

We can run a couple of report sets and get other additional information about the current status of Windows.

This tool will run in Windows , even if you have to do it through an elevated command prompt.

 

1: Please download & Save DDS from this link  and save it to your desktop:

 Don't click any flashing ads  ( if any show up).   The download will begin on its own thru your browser.

 

2: Before running DDS, please disable any security software (excluding Malwarebytes ). If you are unsure of how to disable your security software, please skip this step and continue without doing so.

 3: RIGHT-click dds.com and select OPEN.  (If prompted,  reply YES and allow the tool to run.)

Next click the Start button.

 

This scan will produce 2 logs, DDS.txt and Attach.txt, and save them to your desktop.

When the report has finished, the 2 report files will show in your default text application.

Just Close those 2 windows.

 

4: Please attach the two logs created to your next reply.   DDS.txt and Attach.txt

[ 2 ]

This next diagnostic will shed some light about the Windows Update service state.

Download Farbar's Service Scanner utility from this link and Save to your Desktop.

 

Right-Click on fss.exe and select Run As Administrator.

Answer Yes to ok when prompted.

 

If your firewall then puts out a prompt, again, allow it to run.

 

Once FSS is on-screen, be sure the following items are checkmarked:

Internet Services

Windows Firewall

System Restore

Security Center/Action Center

Windows Update

Windows Defender

Other services

 

Click on "Scan".

It will create a log (FSS.txt) in the same directory the tool is run.

Attach FSS.txt into your reply.

 


  • Solution

Thank you for the reports.  I do not see malware present.  The reports do show that the Malwarebytes for Windows real-time protections are ON & running.

The report from FSS shows Windows services are in good stead.

As long as neither Malwarebytes nor MS Windows Defender are reporting an actual real active threat, then we can wrap up this case.

I would like you to run a tool named SecurityCheck to inquire on the current-security-update  status  of some applications.

  • Download SecurityCheck by glax24 from here  https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
  • and save the tool on the desktop.
  • If Windows's SmartScreen blocks that with a message-window, then
  • Click on the MORE INFO spot and over-ride that and allow it to proceed.
  • This tool is safe.   Smartscreen is overly sensitive.
  • Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"   and reply YES to allow to run & go forward
  • Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file.  Attach it with your next reply.
  • You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

 


The "block" message is not unexpected.  That is why I relayed the notice to ignore it.  That is a false positive.  It is only based on a "reputation & frequency" score which is known to have false positives !!   You did fine.

The check-tool just flagged one app   that needs updating

Microsoft Teams v.1.3.00.21759    Warning!      Download Update


You are very welcome !

To remove the FRST64  tool & its work files, do this.  Go to your Downloads folder.  Do a RIGHT-click on FRSTENGLISH.exe & select RENAME & then change it to UNINSTALL.exe .
Then run that ( double click on it)  to begin the cleanup process.

Delete Roguekillerx64.exe

Delete the downloaded file    "esetonlinescanner.exe"

Delete Securitycheck.exe

Delete FSS.exe

Delete DDS

Any other download file I had you save, you may delete.

All the best to you. Stay safe.


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you

 

 

This topic is now closed to further replies.