
Potential remanence of malware and issues with Windows Defender


Solved by Maurice Naggar

Hello.

A few months ago (about July 2020) I had a very disturbing malware infection with very pesky consequences.

I had posted about this infection on another forum and I do believe that I am currently malware free; however, the damage done by the malware MAY have left some traces even to this day (which I want to make sure is not the case).

First let me recollect what happened during that time:

I was running my Avast Antivirus software (free edition) and one day the malware had penetrated my system and managed to remove the Avast main utility program (effectively disabling my antivirus) AND also corrupted my Windows Security notifications, which were just showing a blank without any information such as virus & threat protection / firewall protection or any other kind of warnings.

Windows Security was completely EMPTY. I had noticed this malware when it began hogging up my CPU and my temperatures went up to the mid 80s Celsius. Immediately I realised something was wrong and that I needed to take swift action to remove this from my system. I first noticed a particular system process was hogging up my CPU, and I did a Jotti file scan out of curiosity; the file scan revealed a Bitcoinminer trojan.

I then downloaded Malwarebytes (at the time only free edition) and did a full scan of my system. It found (at the time) a whole abundance of threats pertaining to Trojan.Bitcoinminer .

I removed the malware found and at the time I went to the security forum and posted my issue here https://www.bleepingcomputer.com/forums/t/725643/please-help-recurrent-infections/#entry5027893 .

I was told that the farbar scans I did suggested that there was no more malware .

I then did another scan by installing another antivirus software ( I think AVG) *FULL system scan* and all was good.

I then decided to purchase Malwarebytes Premium because of Malwarebytes' effectiveness in helping me remove this disgusting threat.

Further scans showed no malware. (did full system scan twice).

HOWEVER there were some persistent consequences of this infection:

The infection corrupted my Windows Security notifications; as I mentioned, the pane was blank. I didn't pay attention to this until last week or so, when I decided to do a Windows upgrade (keeping my system files) as suggested in a Microsoft security forum. That DID solve the issue.

HOWEVER:

When I was trying to turn on Windows Defender I noticed that it instantaneously turned off. Upon googling a few things I tried the Microsoft Malicious Software Removal Tool (https://www.microsoft.com/en-us/download/details.aspx?id=9905) and it found "windows defender tampering", but that was the only thing it found. After it removed the threat I was able to activate Windows Defender.

I did a scan with Windows Defender (full system scan, which took 15+ min) and nothing was found; I scanned again with Malwarebytes Premium and also nothing was found.

The issue now is: every time I turn on *periodic threat scan* in Windows Defender, it turns off again when I reboot.

Another somewhat suspicious nuance is that when I do a scan with CCleaner it always detects "missing startup software" in the Windows Defender directory for MSASCUIL.exe.

What is causing this issue and how can I prevent periodic scans from being disabled? Is the issue a symptom of traces of the malware that were perhaps left behind on my system?

Please help.


Hello @mgcnt, welcome.

My name is Maurice. I will be helping and guiding you, going forward on this case.

I can help you here in case there is an actual malware infection. I determine that with the help of known and trusted security applications.

Please know that the Windows Defender antivirus is turned off whenever you install another antivirus like Avast, or Norton, or McAfee, or any other brand that is not Microsoft.  So if the pc now has Avast, then Windows Defender is set to off.

As to the message 

Quote

"windows defender tampering" 

That is likely because it is set to off as the anti-spyware app.    ( again, expected if you have a 3rd party antivirus)

As to the notice about MSASCUIL.exe: we have to know which version & build of Windows 10 is on this machine; plus, exactly which security software is installed & running. As part of that, we do have to see full reports from Farbar FRST. (We will get that from the tool below, which will also relay the status of Malwarebytes.)

IF you are currently getting help on this now, elsewhere, Stop and let me know that.

.

Please follow my directions as we go along.  Please do not do any changes on your own without first checking with me. 
Please only just attach   all report files, etc  that I ask for as we go along.  I

If you will be away for more than 4 consecutive days,  do try to let me know ahead of time, as much as possible.
 

I would appreciate  getting  additional / fuller  important details from this machine in order to help you forward.
 NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

Do have patience while the report tool runs.  It may take several minutes.  Just let it run & take its time.  You may want to close your other open windows so that there is a clear field of view.
Download Malwarebytes Support Tool
    
    Once the file is downloaded, open your Downloads folder/location of the downloaded file
    Double-click mb-support-1.80.848.exe  to run the report

Once it starts, you will see a first screen with 2 buttons.  Click the one on the left marked "I don't have an open support ticket".

        You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
        
    Place a checkmark next to Accept License Agreement and click Next
Now click the left-hand side pane "I do not have an open support ticket"

    You will be presented with a page stating, "Get Started!"
    Do NOT use the button “Start repair” !   But look instead at the far-left options list in black.

    Click the Advanced tab on the left column
    
    Click the Gather Logs button
    
    A progress bar will appear and the program will proceed with getting logs from your computer.  Please do have patience.  It takes several minutes to gather.
   
    Upon completion, a file named mbst-grab-results.zip will be saved to your Desktop. Click OK.  Then Exit the tool.

    Please attach the ZIP file in your next reply.

Please know I help here as a volunteer.  and that I am not on 24 x 7.
Help on this forum is one to one. 

Sincerely,

Maurice


Hello, firstly I want to clarify that after the situation with the infection, I did install Avast then just to do a prophylactic scan, but have since (as I mentioned in the post) switched to Malwarebytes Premium for my protection and do not have any other security suite.

I am currently not seeking help on this issue on other forums.

Regarding the instruction to create the file: I have successfully run the Malwarebytes Support Tool as you requested and it created the file on my desktop, but when I try to upload it through this forum posting window the file isn't detected (when I click Choose Files, I do not see the zipped file in the list of files). I do however see the file created on my desktop. Is there any other means to upload the file?

Thanks


OKAY, upon thinking the issue through, I clicked Properties on the file and copied its directory (when I just clicked Desktop the file didn't show up, goodness knows for what reason), but upon typing the C:\Users\Public\Desktop directory of the file I am now able to upload it. Here it is.

mbst-grab-results.zip


I am glad to see & have the zip file report. Sorry for the trouble you ran into. There are leftover traces of Avast that need to be removed.  And we may later need to run the Avast cleanup tool later.  There will be more steps later on.  What follows is a first step.

There is also a trace mention of ZoneAlarm firewall. Be sure to know that at any time you switch from one antivirus to another brand, one often needs to follow up and run a cleanup removal tool to ensure no traces are left behind. Most AV makers have specific cleanup tools for that purpose.

The system will be rebooted after the script has run.

This custom script is for  MGCNT only / for this machine only.

NOTE-1: This fix will also run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

This custom script ought to square away the Windows Microsoft Defender service.  It will also attempt to run a Quick scan of Windows Defender.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome,  and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.

 
If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached,  please disconnect any of those.

The  custom Fix script is going to be used by the FRSTENGLISH.exe   tool   which you have on your Downloads folder.

Please save the (attached file named) FIXLIST.txt   to the  Downloads  folder   C:\Users\bartl\Downloads


Start the Windows Explorer and then, to the Downloads   folder.


RIGHT click on  FRSTENGLISH.exe    and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run.
  to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool,
click the line More info on that screen
and click the button Run anyway on the next screen.

on the FRST window:
Click the Fix button just once, and wait.

[image: frst-fix.jpg]

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   


Please know this will do a Windows Restart.   Just let it do its thing.  

Do let me know how things are overall,  after all this.

Sincerely.

 

Fixlist.txt


Hello I have followed your instructions.

One thing I want to mention is there was a warning: "the file is dangerous so Chrome has blocked it".

I manually clicked to keep the file. What was the cause of this warning, if you don't mind me asking?

I have clicked the Fix button on farbar and had rebooted the system after the fix processed as you've instructed. Here is the fixlog file:

Fixlog.txt


I cannot say as to why Chrome would flag a text file (if what you mean is that it flagged the Fixlist.txt). If so, that may be from one of the extensions on Chrome (possibly). OR perhaps it may be an occasional quirk I encounter from time to time myself. That is why I use the EDGE browser instead.

At times, I guess it may be a glitch ( quirk) triggered by Amazon AWS cloud service.

Thanks for the Fixlog.txt.   I am happy to see that the Windows System File Checker found no issue.

I want to be sure that your Windows 10 is able to do a scan with the Windows 10 Windows Defender antivirus. Just do a Quick scan with Windows Defender.

Open an elevated command prompt window i.e. run Command Prompt as an administrator .

It is best to use the Windows Copy ( CTRL+ C )  and paste  ( CTRL+V )  for the whole line, as-is

To get the elevated command prompt, press Windows-key + X key and then select Command Prompt (Admin).

On that command prompt,  Copy & Paste this command

"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -SignatureUpdate

and tap Enter-key.   This should do a definitions update run for Microsoft Windows Defender & should be very quick.

NEXT

On the command prompt-windows,  Copy & Paste this command

"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Scan -ScanType 1

and press Enter-key.   This will begin a QUICK scan mode run of Windows Defender antivirus.

Have lots of patience.  Jot down and then let me know the bottom line result of this scan.

 

Edited by Maurice Naggar
corrected typos

Hello, yes indeed I meant the Fixlist.txt file was blocked in Chrome.

I do not see Command Prompt (Admin) in my list of options upon pressing Windows+X.

I could just manually open Command Prompt from the Start menu and run it as administrator, is that okay?

options.jpg


Okay, I just checked the little box in the preferences to show Command Prompt when pressing Windows+X.

I ran the command as administrator.

Unfortunately I ran into a problem running the Windows Defender scan.

 

problem.jpg


I regret to read of this. Let's just gather 2 sets of other reports so I can review.

We can run a couple of report sets and get information about the current status of Windows.

This tool will run in Windows, even if you have to do it through an elevated command prompt.

 

1: Please download & Save DDS from this link  and save it to your desktop:

 

Don't click any flashing ads  ( if any show up).   The download will begin on its own thru your browser.

 

2: Before running DDS, please disable any security software (excluding Malwarebytes ). If you are unsure of how to disable your security software, please skip this step and continue without doing so.

 

3: RIGHT-click dds.com and select OPEN.  (If prompted,  reply YES and allow the tool to run.)

Next click the Start button.

 

This scan will produce 2 logs, DDS.txt and Attach.txt, and save them to your desktop.

When the report has finished, the 2 report files will show in your default text application.

Just Close those 2 windows.

 

4: Please attach the two logs created to your next reply.   DDS.txt and Attach.txt

 .

This next diagnostic will shed some light on the Windows Update service state.

Download   Farbar's Service Scanner utility from this link

 and Save to your Desktop.

 

Right-Click on fss.exe and select Run As Administrator.

Answer Yes / OK when prompted.

 

If your firewall then puts out a prompt, again, allow it to run.

 

Once FSS is on-screen, be sure the following items are checkmarked:

  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center/Action Center
  • Windows Update
  • Windows Defender
  • Other services

 

Click on "Scan".

It will create a log (FSS.txt) in the same directory the tool is run.

Attach FSS.txt into your reply.

 


Thank you.   We will need to do more steps.  This one is just one.

The Microsoft Safety Scanner  is a free Microsoft stand-alone virus scanner that  can be used to scan for & remove malware or potentially unwanted software from a system.

The download links & the how-to-run-the tool are at this link at Microsoft

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

Please select the " Quick " scan option

Let me know the result of this.

The log is named MSERT.log 

the log will be at  C:\Windows\debug\msert.log

Please attach that log with your reply.

 

  • Solution

Thanks.  That is as expected.  I just needed the log file report.  Windows Defender is now set as the anti-spyware.

The Windows Defender service itself has a start-type of on-demand but needs to be set to Auto start.  There is more to be done.

This next step should only take a few seconds; then proceed with all the rest.

Start Malwarebytes. Click the Settings (gear) icon. Next, let's make real sure that Malwarebytes does NOT register with Windows Security Center.

Click the Security Tab. Scroll down to 

"Windows Security Center"

Click the selection to the left  for the line "Always register Malwarebytes in the Windows Security Center".

{ We want that to be set as Off   .... be sure that line's  radio-button selection is all the way to the Left.  thanks. }

Close Malwarebytes when done.

[     2     ]

This next custom run should execute very quickly and then Restart the system.

At this point, delete the previous Fixlist.txt   on the Downloads folder.

Next

Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.

The  custom Fix script is going to be used by the FRSTENGLISH.exe   tool   which you have on your Downloads folder.

Please save the (attached file named) FIXLIST.txt   to the  Downloads  folder   C:\Users\bartl\Downloads


Start the Windows Explorer and then, to the Downloads   folder.


RIGHT click on  FRSTENGLISH.exe    and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run.
  to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool,
click the line More info on that screen
and click the button Run anyway on the next screen.

on the FRST window:
Click the Fix button just once, and wait.

[image: frst-fix.jpg]

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   


Please know this will do a Windows Restart.   Just let it do its thing.  

 

After all this is done, you should be able to do a manual scan with Windows Defender using the normal Windows GUI interface thru Settings.

 

You can do a manual Check for Update for Windows Defender by using the Windows Settings menu.

From the Start menu, select Settings, then select Update and Security.

Next, look at the left-side menu & select Windows Security

Next, In Windows Security section:  Click on the grey button Open Windows Security

.

Now, click on the shield Virus and threat protection

By the way, when you see a green check-mark on your display, it means a good status  and that  protection is on.

 

 On the next display,  look at all the options.   Look down the list and see "Check for Updates" .

You can click on that to have the system check for updates for Windows Defender.

Please also note that the Scan options (all) can be displayed by clicking on Scan options.  ( You can do Quick, Full, or Custom).

Sincerely.

Fixlist.txt


Hello. Yes indeed, it seems like I can access Windows Defender now from my Windows Security interface.

The issue before was that it (the periodic scanning) turned off automatically each time I rebooted.

Windows Security is offering to turn on Windows Defender (from the security notifications). I assume that I should not turn it on because it may conflict with the Malwarebytes live protection?

Here are the logs of the fix.

Fixlog.txt


Hello, I just did a scan with Windows Defender and it picked up Trojan.W32Wacatac.

I think this was a false positive from the software you've asked me to install. Should I just keep the file and we can proceed to further steps?

wacatac.png


Hello. 1) The flagging of FSS.exe is just utterly wrong. It is not a threat.

2) The real-time Premium protections of Malwarebytes for Windows will continue to work normally.

3 )     

Quote

Windows security is offering to turn on windows defender(from the security notifications)..

You can select as you wish about that.  It will not interfere nor impact Malwarebytes for Windows.

.

I would like to do a visual check thru a special Command prompt.   

On the Windows taskbar ,  on the Windows search box,  type in

cmd.exe


and then look at the entire list of choices, and click on Run as Administrator.

 

It is best to  use COPY & Paste for the following.

At the Command prompt either type or copy/paste the following command:
 

sc queryex windefend

Press the Enter-key to run. Can you just get a screen-capture image of that readout?

Thank you.

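As an added example (not Maurice's script and not part of Malwarebytes' or Farbar's tooling), the read-only PowerShell below gathers in one place the Defender facts this thread verifies by hand: the WinDefend service state and start type (the `sc queryex windefend` readout and the earlier remark that the start type was on-demand instead of Auto), the engine status and signature age, which antivirus products are registered with Windows Security Center (the "Always register Malwarebytes in the Windows Security Center" setting), and, on request, the same MpCmdRun.exe signature update and quick scan used earlier in the thread. The function names, the `-RunScan` switch and the decoding of the Security Center `productState` bit are assumptions made for this example; the Defender cmdlets and MpCmdRun switches are standard. Run it from an elevated PowerShell prompt.

```powershell
# Added example: read-only health check of Windows Defender, plus optional
# MpCmdRun signature update and quick scan. Function names are assumptions.

function Get-DefenderHealth {
    # Service state and start type, the same facts "sc queryex windefend" shows.
    $svc    = Get-CimInstance -ClassName Win32_Service -Filter "Name='WinDefend'"
    # Engine status from the Defender module.
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    [pscustomobject]@{
        ServiceState          = $svc.State        # want: Running
        ServiceStartMode      = $svc.StartMode    # want: Auto (thread saw on-demand/Manual)
        AntivirusEnabled      = $status.AntivirusEnabled
        RealTimeEnabled       = $status.RealTimeProtectionEnabled
        RealTimeDisabledByPref = $pref.DisableRealtimeMonitoring
        SignatureAgeDays      = $status.AntivirusSignatureAge
        LastQuickScanEnd      = $status.QuickScanEndTime
    }
}

function Get-RegisteredAntivirus {
    # Products registered with Windows Security Center. A third-party AV registered
    # here is what puts Defender into its "off"/passive state.
    Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct |
        ForEach-Object {
            [pscustomobject]@{
                Product      = $_.displayName
                ProductState = ('0x{0:X}' -f $_.productState)
                # Assumption: bit 0x1000 of productState = real-time protection enabled
                # (common decoding of the undocumented value, not a documented contract).
                Enabled      = (($_.productState -band 0x1000) -ne 0)
            }
        }
}

function Invoke-DefenderQuickScan {
    # Same two commands the thread ran from an elevated command prompt.
    $mpcmd = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
    if (-not (Test-Path $mpcmd)) { throw "MpCmdRun.exe not found at $mpcmd" }
    & $mpcmd -SignatureUpdate
    & $mpcmd -Scan -ScanType 1      # 1 = quick scan
    return $LASTEXITCODE            # 0 = no threats found, per MpCmdRun's own help text
}

function Test-DefenderBaseline {
    param([switch]$RunScan)

    $health = Get-DefenderHealth
    $health | Format-List
    Get-RegisteredAntivirus | Format-Table -AutoSize

    $problems = @()
    if ($health.ServiceState -ne 'Running') { $problems += "WinDefend service is $($health.ServiceState)" }
    if ($health.ServiceStartMode -ne 'Auto') { $problems += "WinDefend start type is $($health.ServiceStartMode), expected Auto" }
    if (-not $health.AntivirusEnabled)       { $problems += "Defender engine inactive (expected while a third-party AV is registered)" }
    if ($health.SignatureAgeDays -gt 7)      { $problems += "Signatures are $($health.SignatureAgeDays) days old" }

    if ($RunScan) {
        $code = Invoke-DefenderQuickScan
        if ($code -ne 0) { $problems += "MpCmdRun quick scan returned exit code $code" }
    }

    if ($problems.Count -eq 0) { Write-Host "Defender baseline OK" }
    else { $problems | ForEach-Object { Write-Warning $_ } }
    return $problems
}

# Usage: Test-DefenderBaseline            (checks only)
#        Test-DefenderBaseline -RunScan   (also updates signatures and runs a quick scan)
Test-DefenderBaseline
```

The check deliberately reads state rather than changing it; if `ServiceStartMode` comes back as `Manual` or the engine shows inactive, that is the condition the thread's FRST fix and the Security Center registration change were addressing, and it should be resolved through those steps rather than by forcing the service from a script.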

Excellent.  The Windows Defender service IS running.

At this point, let's get a different readout to see about out-of-date security apps (if any) & key apps that have security implications.

I would like you to run a tool named SecurityCheck to inquire on the current-security-update  status  of some applications.

  • Download SecurityCheck by glax24 from here  https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
  • and save the tool on the desktop.
  • If Windows SmartScreen blocks that with a message window, then
  • Click on the MORE INFO spot and over-ride that and allow it to proceed.
  • This tool is safe.   Smartscreen is overly sensitive.
  • Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"   and reply YES to allow to run & go forward
  • Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file.  Attach it with your next reply.
  • You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

Thank you for that report. There is only just one app that needs updating (so it has the latest):

Zoom v.5.1 Warning! Download Update

Otherwise, all else is shown to be up-to-date.   And the Windows Defender services are in good state  ( and active).  as is Malwarebytes for Windows.

Malwarebytes for Windows and Microsoft Defender do go along together well.

Let me know if you need anything else, at this point.

Since you have the latest, newest EDGE browser, it supports the Malwarebytes Browser Guard. That same Guard can also be added to the Chrome browser.

So these are my latest tips, to keep those two web browsers more secure.

I suggest you install the Malwarebytes Browser guard for Chrome.

To get & install the Malwarebytes Browser Guard extension for Chrome,

 

Open this link in your Chrome   browser: 

https://chrome.google.com/webstore/detail/malwarebytes/ihcjicgdanjaechkgeegckofjjedodee

 

Then proceed with the setup.

[     2     ]

Now for the EDGE browser

Open this link in your EDGE   browser: 

https://chrome.google.com/webstore/detail/malwarebytes/ihcjicgdanjaechkgeegckofjjedodee

 

Then proceed with the setup.

Let me know if you need anything else.

Sincerely.


Thanks Maurice for your help.

I don't think I would require any further assistance, but:

Should I keep the setting *Always register Malwarebytes with Windows Security* disabled?

And should the command-line scan of Windows Defender work now?

This topic is now closed to further replies.