JoaoBarreio Posted May 26, 2021
Malwarebytes keeps finding malware that has been previously moved to quarantine. I attached the Malwarebytes scan results. Thanks.
scanresult.txt
Maurice Naggar Posted May 26, 2021
Hello. My name is Maurice. Much patience is needed throughout all of this. There often is not a single quick one step solution.
I will need some reports as well. Please download MBST. SAVE it first. Once you start it click Advanced > Gather Logs. Once it is done, attach the mbst-grab-results.zip from the Desktop.
Sincerely.
JoaoBarreio Posted May 26, 2021
Many thanks for the prompt answer. Here is the requested folder.
mbst-grab-results.zip
Maurice Naggar Posted May 26, 2021
It is best practice to have the Windows Fastboot option OFF (also sometimes called Fast Startup for Windows 10). In several ways, as mentioned many times on this forum, Fastboot will lead to quirky situations. Keep it off.
See the how to guide https://www.tenforums.com/tutorials/4189-turn-off-fast-startup-windows-10-a.html
Let me know after. We will then begin other steps.
JoaoBarreio Posted May 26, 2021
Fastboot option is now OFF!
Maurice Naggar Posted May 26, 2021
Hi. Thanks. I have two things to do with the aim being to clear up the trojan.browserhijack.
[ 1 ] Use option One or Two so that Windows shows ALL folders / all files: https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html
[ 2 ] The following custom script is to do cleanups. The script Fixlist.txt needs to be saved to the Downloads folder. The custom script on this post is ONLY for this machine and NO other.
Please be sure to close any open work files, documents, any apps you started yourself before starting this. If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached, please disconnect any of those. The system will be rebooted after the script has run.
Please save the (attached file named) FIXLIST.txt to the Downloads folder.
Fixlist.txt
Start the Windows Explorer and then go to the Downloads folder.
RIGHT click on FRSTENGLISH.exe and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow to run the tool. IF Windows prompts you about running this, select YES to allow it to proceed.
On the FRST window: click the Fix button just once, and wait.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please attach the FIXLOG.txt with your next reply later, at your next opportunity.
Then do a new Scan with Malwarebytes for Windows.
JoaoBarreio Posted May 26, 2021
Here follows the FIXLOG.txt file.
Fixlog.txt
I've just made a scan with Malwarebytes and the report says nothing was found. I believe, however, the problem is not entirely solved. I am having a problem with writing marks (since I am Portuguese) and they all appear duplicated when I press the keyboard key... like ´´~~^^. I am not pressing twice, I press once and it writes twice, but only on programs. On Windows search tab they work fine, but if naming a folder, for instance, it doesn't work again...
JoaoBarreio Posted May 26, 2021
Sorry it just found something again... still related with that "Kfgk" folder... 😔
JoaoBarreio Posted May 26, 2021
7 minutes ago, JoaoBarreio said:
> Here follows the FIXLOG.txt file.
> Fixlog.txt
> I've just made a scan with Malwarebytes and the report says nothing was found. I believe, however, the problem is not entirely solved. I am having a problem with writing marks (since I am Portuguese) and they all appear duplicated when I press the keyboard key... like ´´~~^^. I am not pressing twice, I press once and it writes twice, but only on programs. On Windows search tab they work fine, but if naming a folder, for instance, it doesn't work again...
About this problem... when I reboot the computer, in the first moments it is ok. Only after a few seconds from the session start the marks problem begins.
Maurice Naggar Posted May 26, 2021
I very much prefer to have actual Scan Report files rather than screen images.
Second, the keyboard issue is not malware. You need to flip the keyboard case upside down & see about shaking loose any dust or foreign particles. And look all around the keyboard area for junk. Be sure it is clear.
I have a new Fixlist here. Delete the one from before. Save this new one to Downloads.
Fixlist.txt
Do a new Fix with the FRSTENGLISH.
JoaoBarreio Posted May 26, 2021
Here goes the new fixlog file.
Fixlog.txt
It seems there is something always triggering the malware...
scanresult.txt
Just to show you the keyboard issue: I'm doing it with the keyboard on screen.
testing ~~ ´´ ~~~~
26.05.2021_23.21.58_REC.mp4
As you see I press once on the key and it writes twice the mark, not even letting to put a letter...
Maurice Naggar Posted May 26, 2021
I would suggest a free scan with the ESET Online Scanner.
Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe
It will start a download of "esetonlinescanner.exe".
Save the file to your system, such as the Downloads folder, or else to the Desktop.
Go to the saved file, and double click it to get it started.
When presented with the initial ESET options, click on "Computer Scan".
Next, when prompted by Windows, allow it to start by clicking Yes.
When prompted for scan type, click on Full scan.
Look at & tick ( select ) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on Start scan button.
Have patience. The entire process may take an hour or more. There is an initial update download. There is a progress window display.
You should ignore all prompts to get the ESET antivirus software program ( e.g. their standard program ). You do not need to buy or get or install anything else.
When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked “View detected results”.
Click the blue “Save scan log” to save the log.
If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files” ( in blue, at bottom ).
Press Continue when all done. You should click to off the offer for “periodic scanning”.
Please attach the log report.
JoaoBarreio Posted May 26, 2021
ESET_scanlog.txt
So, ESET just finished scanning and identified only one file, which I am pretty sure is not the source of the problem...
Maurice Naggar Posted May 27, 2021
Next, get & run the Malwarebytes MBAR anti-rootkit tool to do 1 run with it. Disregard the title subject of the topic. Run the MBAR tool as listed here: https://forums.malwarebytes.com/topic/198907-requested-resource-is-in-use-error-unable-to-start-malwarebytes
When done, I need the MBAR logs. Upon completion of the scan or after the reboot, two files named mbar-log.txt and system-log.txt will be created. Both files can be found in the extracted MBAR folder on your Desktop. Please attach both files in your next reply.
JoaoBarreio Posted May 27, 2021
It is getting late here. I'll let the MBAR tool scan at night and reply with the files asap. Many thanks for your time.
JoaoBarreio Posted May 27, 2021
It is done, here follows the MBAR logs.
system-log.txt
mbar-log-2021-05-27 (01-21-51).txt
JoaoBarreio Posted May 27, 2021
malwarebytes log.txt
I ran Malwarebytes and it still finds the 6 threats... I am getting a little desperate, I can't work in these conditions... As I have all important files on cloud or external drive, can I make a hard reset on Windows?
Maurice Naggar Posted May 27, 2021
I regret all the trouble you are having.
This last run of Malwarebytes for Windows found items in C:\ProgramData\Kfgk\Jebt
The MBAR tool found items in C:\ProgramData\Kfgk\Xznbl
You can delete the folder C:\ProgramData\Kfgk as well as all folders below it.
I would like you to also run Roguekillerx64 like on this one post of mine: https://forums.malwarebytes.com/topic/269932-random-usb-connect-noises-at-time/?do=findComment&comment=1435959
As to your last point about the Windows Operating system, see this article at Tenforums, "How to Refresh Windows 10": https://www.tenforums.com/tutorials/4090-refresh-windows-10-a.html
Consider doing a 'REFRESH'.
JoaoBarreio Posted May 27, 2021
RK_report.txt
I have hard deleted the folder. Roguekillerx64 quick scan finds nothing... I'm now running also a standard scan.
Maurice Naggar Posted May 27, 2021
I could not read most of that report. Let me suggest that you do this.
1. Empty the Recycle Bin.
2. Restart Windows into Safe Mode with Networking. Do a new Scan with Malwarebytes. Be sure all threats are Removed. Also, run MBAR.
3. Restart back into Normal mode.
4. Do new Scan with Malwarebytes.
Maurice Naggar Posted May 27, 2021 (edited)
If there are still problems by this point, then I would suggest you do the procedures outlined by AdvancedSetup on this one post: https://forums.malwarebytes.com/topic/272636-i-am-in-dire-straits-computer-lock-out/?do=findComment&comment=1449678
This involves making a special USB flash thumb drive by running the Microsoft Media Creation Tool + putting FRST64 on it + booting up machine with it into Recovery mode + running FRST64.
And you post back here the new reports FRST + Addition. After which I will review & guide you.
I am concerned that this machine has a repeating regenerating trojan. The report run here would be just one first step.
JoaoBarreio Posted May 27, 2021
35 minutes ago, Maurice Naggar said:
> I could not read most of that report. Let me suggest that you do this.
> 1. Empty the Recycle Bin.
> 2. Restart Windows into Safe Mode with Networking. Do a new Scan with Malwarebytes. Be sure all threats are Removed. Also, run MBAR.
> 3. Restart back into Normal mode.
> 4. Do new Scan with Malwarebytes.
I restarted in safe mode with network, ran Malwarebytes and nothing was found:
Malwarebytes_log_safemode.txt
Then I ran MBAR and nothing was found:
system-log_safemode.txt
mbar-log-2021-05-27 (15-19-12)_safemode.txt
Then restarted in normal mode, ran Malwarebytes again and the 6 threats were found again (Malwarebytes_log_after.txt) on the folder I had deleted before, so definitely there is something re-generating this malware.
My question is: is it worth doing the USB flash procedure and FRST64 or, as I am willing to do it, is it faster and more straightforward to make a hard reset to Windows?
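The pattern reported in this post (clean in Safe Mode, detections back in normal mode in a folder that had been deleted) is consistent with an autostart entry that Safe Mode does not load. A read-only PowerShell check for such entries, added here as an example and not part of the original thread; `Find-AutostartReference` is a hypothetical helper name and the default search string is the folder name from the thread:

```powershell
# Added example, read-only: list autostart entries whose command mentions a string.
# Find-AutostartReference is a hypothetical helper name, not a built-in cmdlet.
function Find-AutostartReference {
    # Default is the folder name from the thread; matching the name rather than
    # the full path also catches entries written with %ProgramData%.
    param([string]$Needle = 'Kfgk')
    $pattern = [regex]::Escape($Needle)

    # 1. Scheduled tasks: check each action's executable and arguments.
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -match $pattern) {
                [pscustomobject]@{ Kind = 'ScheduledTask'
                                   Name = "$($task.TaskPath)$($task.TaskName)"
                                   Command = $cmd }
            }
        }
    }

    # 2. Run / RunOnce values for the machine and the current user.
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        $item = Get-Item -Path $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($valueName in $item.GetValueNames()) {
            $data = [string]$item.GetValue($valueName)
            if ($data -match $pattern) {
                [pscustomobject]@{ Kind = 'RunKey'; Name = "$key\$valueName"; Command = $data }
            }
        }
    }

    # 3. Services: compare each service's binary path.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -match $pattern } |
        ForEach-Object {
            [pscustomobject]@{ Kind = 'Service'; Name = $_.Name; Command = $_.PathName }
        }
}

# Run from an elevated PowerShell prompt so all tasks and services are visible.
Find-AutostartReference | Format-List
```

It covers three common autostart locations only; startup folders and WMI event subscriptions are not checked, so an empty result does not rule out a regenerating component.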
Maurice Naggar Posted May 27, 2021
It is important that we get a fuller idea of what is going on by doing the special procedure with the USB. It is worth doing it. We need to see those new readouts from that special bootup.
Maurice Naggar Posted May 27, 2021
I am making a special effort to stick around & monitor your Topic. How is it going?
JoaoBarreio Posted May 27, 2021
Ok.. so I am not quite sure if I did it right. I have downloaded the Windows recovery tool and used it on a USB flash drive. Then rebooted from that USB and ran the FRST64 from the cmd. However, there was no "addition" option no mark. So, only this file was created.
FRST.txt