
Unable to remove 2 threats through quarantine and restarting


Solved by Maurice Naggar.

I've been trying to upgrade my OS to Windows 10 from 7 and it hasn't been working, so I did some digging and found these two viruses I thought were removed have been on my computer. I doubt removing them will help with my OS upgrade, but I can't imagine it would be a good idea to keep them around when I do get it working. From what I've seen the process should go: run a threat scan, quarantine, restart, run AdwCleaner repair and restart again, then run FRST, export the logs and post them here. I've done these steps a couple of times, though I haven't done anything with the FRST part since it seems like an admin needs to assist there. To make things simpler I ran all three again with restarts in between and exported these most recent logs. Please let me know if anyone has some suggestions on what the next step is to actually remove the threats, or if they can supply a fix to run.

 

Attachments: AdwCleaner[C02].txt, malware bytes report.txt, Addition.txt, FRST.txt


Hi,

My name is Maurice. I will be helping and guiding you, going forward on this case.

Let me know what first name you prefer to go by.

 

Please follow my directions as we go along. Please do not make any changes on your own without first checking with me.

Please only attach all report files, etc., that I ask for as we go along.

Would you please let me know just what "threats" or potential infection you suspect and/or are referring to?


NOTE: The Malwarebytes for Windows currently on this machine is very, very old. Version: 3.3.1.2183

Later on I will guide you to getting it upgraded to version 4.

I do see the trojans flagged by Malwarebytes from that scan report. There is a bunch of work ahead. This is just a first step.

Please read all of these lines first so that our plan is all clear to you. I need a one-time run of MBAR as listed here, please.

Please download Malwarebytes Anti-Rootkit (MBAR) from this link here and save it to your desktop.

Double-click on the MBAR file and allow it to run.

• Click OK on the next screen, to allow the package to extract the contents of the file to its own folder named mbar.

• mbar.exe will launch automatically. On some systems, this may take a few extra seconds. Please be patient and wait for the program to open.

• After reading the Introduction, click 'Next' if you agree.

• On the Update Database screen, click on the 'Update' button.

• Once you see 'Success: Database was successfully updated' click on 'Next', then click the Scan button.

With some infections, you may see two message boxes:

1. 'Could not load protection driver'. Click 'OK'.
2. 'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.

• If malware is found, press the Cleanup button when the scan completes.

Please attach the log it produces; you'll find the log in that mbar folder as MBAR-log-<date and time>***.txt. Please attach that to your next reply.

There will be much more to do after.

Sincerely.

 


Thanks for the report. The Malwarebytes Anti-Rootkit tool has removed 4 trojans. That is a very fortunate cleanup. There is yet more to do and check.

Make real, real sure you have done at least one Windows RESTART, since the cleanup needs one reboot of the system.

NEXT

For now, we can run a custom script.

The script on this post is ONLY for this machine and NO other. This custom script is for Jacobspiercemp only / for this machine only.

Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.

If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached,  please disconnect any of those.

The system will be rebooted after the script has run.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files.  Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.


The custom Fix script is going to be used by the FRST64 tool. They will both work together as a pair.

Please save the attached file named FIXLIST.txt to the Downloads folder.

The tool named FRST64.exe is already in the Downloads folder.
Start Windows Explorer and then go to the Downloads folder.

RIGHT-click on FRST64.exe and select Run as Administrator and allow it to proceed. Reply YES when prompted to allow it to run. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool,
click the line "More info" on that screen
and click the button "Run anyway" on the next screen.

On the FRST window:
Click the Fix button just once, and wait.


 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after the restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity.

Please know this will do a Windows Restart. Just let it do its thing.

Do let me know how things are overall,  after all this.   And wait for me to guide you on how to do a clean new setup of Malwarebytes for Windows.  Just do not make any changes on your own.  There is more work to do here.

 

By the way, be real sure you do not do any online shopping, or web surfing, or any game playing until I give the all clear.

Attachment: Fixlist.txt


Thanks for the Fixlog. The script run completed.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system.

The download links & the how-to for running the tool are at this link at Microsoft:

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

Please select "FULL" from the Scan Options.

Let me know the result of this.

The log is named MSERT.log;

the log will be at C:\Windows\debug\msert.log

Please attach that log with your reply.

 


The Microsoft Safety Scanner found and removed several files. A number of those were under the folders C:\illusion\AA2 & C:\illusion\AA2Edit.

I would suggest that you do a scan with a scan tool from ESET to scan only the C drive.

I would suggest a free scan with the ESET Online Scanner.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

 

It will start a download of "esetonlinescanner.exe"

Save the file to your system, such as the Downloads folder, or else to the Desktop.

Go to the saved file, and double click it to get it started.

When presented with the initial ESET options, click on "Computer Scan".

Next, when prompted by Windows, allow it to start by clicking Yes

 

When prompted for scan type, click on Custom scan (the choice on the far-right side).

We want just the C drive to be scanned.

In the display "Select custom scan targets" keep the top 3 lines ticked, plus the one for the C drive (which should be your Windows drive).

UN-tick the other drives (D, E, F, etc.).

Then click on the blue button "Save and continue".

Look at & tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.

 

Have patience.  The entire process may take an hour or more. There is an initial update download.

There is a progress window display.

You should ignore all prompts to get the ESET antivirus software program (e.g. their standard program). You do not need to buy or get or install anything else.

When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked "View detected results".

Click the blue "Save scan log" to save the log. Look for it on the bottom left, in blue.

If something was removed and you know it is a false finding, you may click on the blue "Restore cleaned files" (in blue, at bottom).

Press Continue when all done. You should click to turn off the offer for "periodic scanning".

The goal here is to see if there are suspicious or actual threats on the C drive.   Attach the log with your next reply.


Good morning. Thanks for the log report from the ESET scan. Excellent result.

At this point, we can go about getting the latest Version 4.3 of Malwarebytes for Windows. Since the one currently on this machine is very much out of date, we will use the Malwarebytes Support Tool to remove the old version (that is the Clean function) and, following that, run the setup for the latest Malwarebytes.

Have lots of patience during all phases of the special run. Follow the directions (all of them) in this Malwarebytes Support article:

https://support.malwarebytes.com/hc/en-us/articles/360039023473-Uninstall-and-reinstall-Malwarebytes-using-the-Malwarebytes-Support-Tool

 

Next, when the new Malwarebytes version 4.3 is all set up, do a Scan using this guide.

To run a Threat Scan, open Malwarebytes for Windows and click the blue Scan button.

Have patience during the run.

When the scan phase is done, be real sure you Review and have all detected line items check-marked on the left. That too is very critical.

Then click on Quarantine selected.

Then, locate the Scan run report, export a copy, & then attach it with your reply.

See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

 


Hello. I see that the last scan found & removed 1 EXE file from the Desktop that it ID'd as a trojan. Before we shift focus, I would like you to do one more scan for potential viruses or malware using a special tool from Microsoft. Your operating system is Windows 7, so we can do what follows.

You should try to get the Microsoft Windows Defender Offline and run it. It is an antivirus/malware checking tool from Microsoft. You'll need to arrange to have it on either a USB flash/thumb drive, or else, if you have an optical drive writer, on a CD or DVD.

I am going to cite the references for it at Microsoft.

The download links are listed at the bottom of the article. The last part of the article addresses how to execute it on Windows 7 or 8.1.

https://support.microsoft.com/en-us/help/17466

I would be very much interested in the results from this special scan.  Depending on its result, we could move on to addressing upgrading this OS to Windows 10.

 


I was able to set up Microsoft Windows Defender Offline using my old laptop and a CD, but when I booted with it I was unable to run the scan because the Windows malware and spyware definitions were out of date. It also wouldn't let me update from there because I didn't have an internet connection. I booted my PC normally and set up Microsoft Windows Defender Offline on another CD and tried again, but got the same error. I can't update my Windows; when I do, I get error code 80092004. This was a big part of the reason I wanted to upgrade to Windows 10. I'm not really sure where to go from here: I can't update my Windows, but I can't run the Microsoft Windows Defender Offline scan with an out-of-date Windows version. If it's just the computer that creates the CD that needs to be up to date, I can ask a friend to make one for me. Any suggestions?


I suspect that you may have had better luck by having that tool on a USB thumb drive. In any event, cancel that run request.

We have previously (that is to say, you did) completed scans with Malwarebytes for Windows, & Malwarebytes Anti-Rootkit & MS Safety Scanner & ESET Online.

That's sufficient to feel good & have enough confidence that the system is in a decent malware-free state.

Let's just do one other test check.

Let's have you run the Microsoft Malicious Software Removal Tool (MS MSRT).

This tool is a limited one. It targets some specific "common" malicious threats. It is a tool run typically once a month when your Windows does a Windows Update check.

I would just like a one-time on-demand run.

Point your browser to this MS website link: https://www.microsoft.com/en-us/download/details.aspx?id=9905

Look to see it matches your language & your version of Windows in terms of 64-bit or 32-bit.

Your OS is 64-bit. Note you need to scroll down a bit on that webpage to see the Download section.

Download and save the tool. Then go to the folder where it was saved (should be the Downloads folder).

Double-click the tool and allow it to run. It should not take more than 12 - 15 minutes.


OK. We do not need to run it further. I think we can now turn our focus towards attempting an upgrade to Windows 10.

Let's delete some downloads that I had you get.

Delete the msert.exe.

Delete the esetonlinescanner.exe.

Microsoft allows a free upgrade from Windows 7 to Windows 10.  Windows 7 itself will need to be up and running for this whole process.

If this machine is a laptop or notebook machine, be sure it is connected by normal power cord to regular wall electric-power.

The basic gist is to be able to download and SAVE the initial Upgrade-tool-file from Microsoft and then run it.

Go to this Microsoft page: https://www.microsoft.com/en-us/software-download/windows10

Look on there for the blue-colored button "Update now".

Save the file that will be downloaded to your system. Have patience and Save it first. I suggest saving it to the DESKTOP.

The name of the file is Windos10Upgrade9252.exe

You will run that file to begin the whole upgrade process.

You can first read all about the steps involved on this help guide  https://www.bleepingcomputer.com/news/microsoft/you-can-still-upgrade-to-windows-10-for-free-heres-how/

You want to Upgrade Now

You want to keep all your files

Have lots and lots of patience during all of this. IF and only if you see a blank or wholly dark monitor screen, just go to your mouse or touchpad and make circle motions. After a few seconds, that should be enough to get the monitor display to refresh and show its stuff.

Otherwise, have lots of patience, and faith.

 


No luck unfortunately. After I run Windos10Upgrade9252.exe the process begins without issue but eventually it gets to the part where it restarts multiple times while applying the update. It always makes it to 30% without issue but there it just stops. No noise from my hard disk and it doesn't progress at all. I tried leaving it overnight for about 10 hours last night but it stayed on 30%. I had all my peripherals unplugged with the exception of my monitors. Same issue I had at the start.


Alas, I am very sorry to hear this news. However, the failed attempt to upgrade to Windows 10 is not due to malware. We have run different scans with different tools before.

There should be a log or 2 from the run dated the same day you attempted that upgrade. Please look to see if you have a file

C:\$WINDOWS.~BT\Sources\Rollback\setupapi\setupapi.dev.log

and

C:\$WINDOWS.~BT\Sources\Panther\setupact.log

If found, you may place them into a ZIP file & then attach that with your reply.

Now then, as far as the security programs currently on this system, there ought to be no current threats.

Do a new scan with Malwarebytes for Windows and let me know about the result.

 


So the D drive is a CD-writer or DVD-writer device?

Make sure on any next upgrade attempt that that device drive has no CD or DVD present. I can't be certain, but it looks like the upgrade attempt tried using the device on drive D.

Just one time only: reboot the system. Then look for memory dump files with the extension .DMP so you can go ahead and delete them to free up space.

It seems to me that the system did not have enough free space.


Let me suggest that you empty the contents of the Recycle Bin as one step.
Further, look at the article cited below at Sevenforums to run the CLEANMGR tool
to help free up more space.
Memory dump files are not needed, so you can select all of those (.DMP) to be removed,
also any error reporting files and Windows upgrade log files.
https://www.sevenforums.com/tutorials/76383-disk-cleanup-extended.html

Also, you may have the C:\$INPLACE.~TR and C:\WINDOWS.~Q folders left over from long ago.
These folders contain the leftover files and folders from upgrading your previous OS to Windows 7. Deleting these folders can free up and recover a large amount of space on your system hard drive (Windows 7 drive).
1. Run Disk Cleanup, click on the Clean up system files button, and then check the Files discarded by Windows upgrade box to delete them.
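A read-only pre-upgrade check covering the points raised in the last three posts (free space on C:, memory dump files, the leftover upgrade folders and the two setup logs), added here as an example and not part of the thread. It assumes Windows PowerShell 5.1 (Windows Management Framework 5.1 on Windows 7) for Compress-Archive and an elevated prompt; the dump and log locations are the ones named in the thread plus the standard C:\Windows\Minidump folder.

```powershell
# Added example (not from the thread): report what an upgrade attempt needs, delete nothing.
# Assumes Windows PowerShell 5.1 (WMF 5.1 on Windows 7) for Compress-Archive.

# Setup logs named in the thread; written by the Windows 10 upgrade tool under C:\$WINDOWS.~BT.
$setupLogs = @(
    'C:\$WINDOWS.~BT\Sources\Rollback\setupapi\setupapi.dev.log',
    'C:\$WINDOWS.~BT\Sources\Panther\setupact.log'
)

# 1. Free space on the Windows drive. Microsoft's published minimum for 64-bit
#    Windows 10 is 20 GB; the 30% hang in the thread was attributed to a lack of space.
$c      = Get-PSDrive -Name C
$freeGB = [math]::Round($c.Free / 1GB, 1)
Write-Host ("C: free space: {0} GB" -f $freeGB)
if ($freeGB -lt 20) { Write-Warning "Under 20 GB free; run Disk Cleanup before retrying." }

# 2. Memory dump files Disk Cleanup can remove (listed with sizes, not deleted).
$dumps = @(Get-ChildItem -Path 'C:\Windows\Minidump\*.dmp' -ErrorAction SilentlyContinue) +
         @(Get-Item -Path 'C:\Windows\MEMORY.DMP' -ErrorAction SilentlyContinue)
$dumpBytes = ($dumps | Measure-Object -Property Length -Sum).Sum
if (-not $dumpBytes) { $dumpBytes = 0 }
Write-Host ("Memory dump files: {0} ({1} MB)" -f $dumps.Count, [math]::Round($dumpBytes / 1MB, 1))
$dumps | ForEach-Object { Write-Host ("  {0}  {1} MB" -f $_.FullName, [math]::Round($_.Length / 1MB, 1)) }

# 3. Leftover folders from the earlier upgrade to Windows 7; Disk Cleanup's
#    "Files discarded by Windows upgrade" option removes them.
foreach ($leftover in 'C:\$INPLACE.~TR', 'C:\WINDOWS.~Q') {
    if (Test-Path -LiteralPath $leftover) {
        $size = (Get-ChildItem -LiteralPath $leftover -Recurse -Force -ErrorAction SilentlyContinue |
                 Measure-Object -Property Length -Sum).Sum
        Write-Host ("Leftover upgrade folder present: {0} ({1} MB)" -f $leftover, [math]::Round($size / 1MB, 1))
    }
}

# 4. Zip the setup logs (if present) onto the Desktop so they can be attached to a reply.
$found = $setupLogs | Where-Object { Test-Path -LiteralPath $_ }
if ($found) {
    $zip = Join-Path $env:USERPROFILE 'Desktop\upgrade-logs.zip'
    Compress-Archive -LiteralPath $found -DestinationPath $zip -Force
    Write-Host "Setup logs zipped to $zip"
} else {
    Write-Host "No setup logs found at the expected paths (no upgrade attempt logged, or already rolled back)."
}
```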
