
PC infected by malware


Solved by Maurice Naggar


Hello!

So I just recently ran a full scan and an offline scan using Windows Defender because I installed a suspicious app, and I was hoping that Windows Defender might actually detect them all and remove them; unfortunately it didn't. Though it showed some threats after the scan and I swiftly removed them, I noticed in the exclusion tab the folders with random characters that I had also noticed when checking Program Files, since I already had the intuition that I had messed up. Anyway, they are excluded and can't be removed after the scan. I also noticed my Google Chrome has this "Managed by your organization" thing, which I believe is also done by the malware since this PC is for personal use only.


Hi. Thanks for the reports.

Let's start with a few steps for Chrome browser. Disregard the title of the cited post.

Please do the top 9 steps.

The gist is to clear the Sync setting of Google Chrome.

Next, do a new scan with Malwarebytes for Windows and then attach the Scan log report.

These are only just first steps. You had listed a few different issues, so there is more to do later.


It was the Windows Defender Security under the Virus and Threat Protection tab. So, what happened is that after finding out that, instead of having an installed application from the suspicious application that I recently downloaded and installed, it turned out to be an installer that just injected malware into my system, I checked my Program Files for shady file folders and Task Manager, then I started running a full scan and an offline scan. Though it detected some threats and I swiftly removed them, I also noticed that under the Virus and Threat Protection Exclusions tab the folders that have a file name with random characters that I was aware of were excluded and can't be removed.

By the way, regarding the Google Chrome "Managed by your organization" thing, after following the instructions above, it is still showing. Just wondering if it's completely fine now that I have scanned it and it resulted in zero threats.

 

Screenshot_1.png


This here is just about one factor for Windows 10 Microsoft Defender. See this link:

https://answers.microsoft.com/en-us/windows/forum/windows_10-security/windows-10-some-settings-are-being-managed-by-your/46094760-f198-46bd-a50e-111da80967c6 


Check the answer by Ramesh at Microsoft Answers forum. See if it applies to your machine.

Check real-time protection setting in Computer Configuration.


Oh, and one more thing, how do I proceed now with safely removing that malware given that I've already provided the log files? As of now I have about 44 quarantined threats (scanned by Malwarebytes) plus those folders that are excluded (Windows Defender exclusion tab).


You are indicating you have checked on the Defender real-time protections & looked & compared to what Ramesh cited & that you did not see any greyed-out lines.

That being so, we will need to check other potential areas.

That I will need to research & get back to you. It will likely be another day or so from today.

As to what Malwarebytes had quarantined before, there is no cause to fret. Those items are no longer a factor. They stay in Quarantine where they are neutralized.

At this time, do a special scan with ESET Online scanner like on this post, and when it is all done, attach the log from it here. Thank you.

Thanks for your patience.


Thanks for the ESET Online Scan log. It found & removed 2 JavaScript files & 2 .exe files.

Next I would suggest that you run a FULL option scan using the Microsoft Safety Scanner. Use the directions from the next link, with the only difference being a FULL scan.

Then when done, attach the report.

https://forums.malwarebytes.com/topic/270795-malware-found-and-quarantined-but-report-says-no-action-by-user/?do=findComment&comment=1440485


Good afternoon. I hope you are doing well. I look forward to reviewing the log report from the Safety Scanner.

These here are other measures we need to do. They will help in our later steps.

1. We need to ensure that this Windows is set to show all folders, including any system & hidden folders. Use the cited how-to to make the tweaks in Windows Explorer.

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

2. It's possible this system has Windows "Controlled Folder Access" on. If so, that may account for some access issues that keep us from making corrections or adjustments. We need to ensure it is OFF. See the guide & ensure it is OFF.

https://www.tenforums.com/tutorials/113380-how-enable-disable-controlled-folder-access-windows-10-a.html

3. This sys is Windows 10 PRO. It is quite possible it may have some group policy set that affects attempts to manage or update folder exclusions on Microsoft Defender.

Run "GPEDIT.MSC"

That is the local group policy editor. See what policies ( if any ) are for Microsoft Defender.

4. Referring back to the odd-named 6 sub-folders that are excluded in Defender. They were sub-folders of C:\Program Files (x86)

You should be able to see each one.  Look at all contents.  Delete all contents.  Then delete each one of those 6 sub-folders.

5. Removing each of the listed entries themselves should be possible in at least 3 different ways.

The most straightforward is on the screen you captured earlier: go into Windows Security, take one exclusion folder at a time, select it & then click the button Remove.
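As an added example (not part of this thread and not Maurice's FRST script), the PowerShell below inspects the three places steps 3 and 5 point at: Defender's effective exclusion list, the policy registry key that makes exclusions appear greyed out in Windows Security, and the Chrome policy keys behind "Managed by your organization". It assumes the standard policy locations under HKLM\SOFTWARE\Policies and an elevated PowerShell on Windows 10; it is read-only unless -Remove is passed.

```powershell
# Added example: audit Defender exclusions and Chrome policy keys on a single PC.
# Assumes the standard policy hives; run from an elevated PowerShell.
param([switch]$Remove)

$policyRoot  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions'
$chromeRoots = 'HKLM:\SOFTWARE\Policies\Google\Chrome', 'HKCU:\SOFTWARE\Policies\Google\Chrome'

# 1. Effective exclusions as Defender sees them (local settings merged with policy).
$pref = Get-MpPreference
Write-Host 'Effective exclusion paths:'
$pref.ExclusionPath | ForEach-Object { Write-Host "  $_" }

# 2. Exclusions pushed through policy. Each excluded path is a value NAME under
#    ...\Exclusions\Paths. The Windows Security UI shows these greyed out, so the
#    Remove button does nothing for them; they can only be changed in policy.
$policyPaths = @()
if (Test-Path "$policyRoot\Paths") {
    $policyPaths = (Get-Item "$policyRoot\Paths").GetValueNames() | Where-Object { $_ }
}
Write-Host "`nPolicy-enforced exclusion paths ($(@($policyPaths).Count)):"
foreach ($p in $policyPaths) {
    # A policy exclusion for a folder that no longer exists is a leftover worth removing.
    $state = if (Test-Path -LiteralPath $p) { 'folder exists' } else { 'folder missing' }
    Write-Host "  $p  [$state]"
}

# 3. Chrome policy. Any value under these keys makes Chrome display
#    "Managed by your organization", even on a home PC with no domain.
foreach ($root in $chromeRoots) {
    if (-not (Test-Path $root)) { continue }
    Write-Host "`nChrome policy values under ${root}:"
    (Get-ItemProperty $root).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { Write-Host "  $($_.Name) = $($_.Value)" }
    Get-ChildItem $root -Recurse | ForEach-Object { Write-Host "  subkey: $($_.PSChildName)" }
}

# 4. Optional remediation: drop the policy-enforced exclusion values so the
#    entries become manageable again. Defender re-reads policy after a reboot.
if ($Remove) {
    foreach ($p in $policyPaths) {
        Remove-ItemProperty -LiteralPath "$policyRoot\Paths" -Name $p
        Write-Host "removed policy exclusion: $p"
    }
    Write-Host 'Reboot so Windows Security reflects the change.'
}
```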


And regarding your latest instructions, I already turned on "show all folders"; however, I only managed to see this one (attached image), don't know if that is the right one though.

I also can't seem to find any of those sub-folders in C:\Program Files (x86) other than them being excluded, and the straightforward solution unfortunately still doesn't work, it is still greyed out.

Screenshot_1.png


Oh, I also forgot to include the other four since I only intended to give an example of those excluded files that can't be removed, and it just so happens that most of them came from C:\Program Files (x86). Here are the others...

The thing here is that I managed to delete those sub-folders with the exception of C:\Users\r a y a\AppData\LocalLow\ILHZGwhVipbzG because it's nowhere to be found, and even though I deleted three of them, they still show up in the exclusion tab and still can't be removed. All of those that I've deleted contained nothing, so I'm assuming that those C:\Program Files (x86) sub-folders were kind of similar and maybe they were already washed out in the earlier scans, but then again it's just an assumption. :D

Screenshot_2.png


Solution

Thanks for the scan report. Good result.

OK. What follows is a custom script to remove some policy restrictions.

The script Fixlist.txt needs to be saved to the same folder that contains FRST64.exe; you have yours saved in Downloads.

The custom script on this post is ONLY for this machine and NO other. This custom script is for Bonehead only / for this machine only.

Please be sure to close any open work files, documents, and any apps you started yourself before starting this.

If there are any CD / DVD / USB-flash-thumb or USB-storage drives attached, please disconnect any of those.

The system will be rebooted after the script has run.

Please save the (attached file named) FIXLIST.txt to the Downloads folder.

Start the Windows Explorer and then go to the Downloads folder.

RIGHT click on FRST64.exe and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow it to run. If the tool warns you the version is outdated, please download and run the updated version.

IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool, click the line "More info" on that screen and click the button "Run anyway" on the next screen.

On the FRST window:

Click the Fix button just once, and wait.

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.

If you receive a message that a reboot is required, please make sure you allow it to restart normally.

The tool will complete its run after restart.

When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity.

Please know this will do a Windows Restart. Just let it do its thing.

Do let me know how things are overall, after all this.

Fixlist.txt


Alright, so here is the Fixlog.txt, and after the reboot I noticed those excluded folders as well as the "browser is managed by your organization" are totally gone. I guess that was it then.

Anyway, I sincerely appreciate the time and effort you spared just to respond to my request, and with that, thank you so much!

Fixlog.txt


Hi. Bravo! 😇

Be sure to do a Backup of this system at your next chance. Backup is your best friend.

You are very welcome. I am glad to have worked with you.

We can proceed with cleanup of tools we used.

To remove the FRST tool & its work files, do this. Go to your Downloads folder. Do a RIGHT-click on FRST64.exe & select RENAME & then change it to UNINSTALL.exe.

Then run that (double click on it) to begin the cleanup process.

Delete msert.exe

Delete the esetonline download file.

Any other download file I had you download, you may delete.

I wish you all the best.  Stay safe.

Sincerely.

Maurice


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for tips to help protect from infection.

Thank you
