MBAM caught malware: users/public/microsoft/windefender/svchost.exe ...


Solved by Maurice Naggar

... and then Malwarebytes started acting crazy, not allowing the file to be quarantined, and would not produce a log. When I went to download the log as a text file or clip it, my screen changed to File Explorer and random files (mostly jpg) would get their name changed to userspublicmicrosoftwindfendersvchost.exe. I eventually was able to reproduce the log and all it really said is it found 1 file called users/public/microsoft/windefender/svchost.exe. I am unable to attach a copy of the log now as that laptop lost its wireless connection and I could not control my cursor as it jumped from screen to screen. I shut the machine down.

I suspected something might be wrong a couple of days ago as the laptop slowed to less than a crawl. When scanned using MBAM, Defender and HitmanPro, all scans came up with nothing. (HitmanPro did identify tracking cookies, but nothing more severe and it deleted the cookies.)

I haven't tried to start the laptop again, afraid that I would do something wrong.

What now? Any help would be appreciated. Jim

Hello Jim.

At the very least, start Windows into Safe Mode with Networking (that way at least, you can upload a report, as well as other reports).

We have to have readout reports to help you properly.

See the article at Tenforums: https://www.tenforums.com/tutorials/2304-boot-into-safe-mode-windows-10-a.html

 

At the very least, attach (upload) the last Scan report from Malwarebytes:

locate the Scan run report; export out a copy; and then attach it with your reply.

See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

 
And, if you can do this at all, it would be super: Have faith. Have courage. You have said the last 3 different security scans reported nothing.

This is a report tool. It is safe. It does not make changes.

Please download the MBST Support Tool.

 

Once you start it click Advanced > Gather Logs

 

Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop.

 

  • Please attach mbst-grab-results.zip to your reply, like displayed here.
  • To send (upload) attachments please click the link as shown below. Then browse to where your file is located, select it, and click the Open button.

 

Thank you. Sincerely.

I assume it is the virus that has disconnected me from my network. I am unable to connect to my network even in Safe Mode. I have another laptop that I am able to use to reply and pass files etc. As you requested, the zip file of the logs is attached here.

Is the ID number of this email thread considered a support ticket number? I am confused as to whether or not communicating using the Forum is different than reporting my problem to Malwarebytes' Support Team.

I am thankful you got back to me so quickly, Maurice, and hope that we might be able to continue to work together to resolve my problem.

Thank you, Jim

mbst-grab-results.zip


Good morning. This here is an open forum. This thread here is not on the internal Support desk. Nevertheless, you are in good hands here.

When you say your machine cannot connect to your network, did you mean just the WiFi connection?


Now a fresh new scan with Malwarebytes for Windows.

  • In the Malwarebytes for Windows program, we want to do a special scan.
  • Click Settings (gear icon) at the top right of the Malwarebytes window. We want to see the SETTINGS window.
  • Then click the Security tab.
  • Scroll down and let's be sure the line in SCAN OPTIONS for "Scan for rootkits" is ON.
  • Click it to get it ON if it does not show a blue color.
  • Next, click the small x on the Settings line to go to the main Malwarebytes window.
  • Next click the blue button marked Scan.

 

When the scan phase is done, be real sure you review and have all detected line items check-marked on each line on the left. That too is very critical.

You can actually click the topmost left check-box on the very top line to get ALL lines ticked (all selected).

Please double verify you have that TOP check-box tick marked, and that then all lines have a tick-mark.

Then click on the Quarantine button.

 

 

Then, locate the Scan run report; export out a copy; and then attach it with your reply.

See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

 

There will be much more to do after this. Please stick with me.

 

Edited by Maurice Naggar

Hi Jim. After you have done the scan above, these are the next steps.

Please understand that Malwarebytes for Windows Premium's real-time protections are keeping your PC safe from potential harm.

The message the other day from Malwarebytes was that it had stopped a pest that is classified as "RiskWare.MisusedLegit". It is one rogue EXE file named SVCHOSTM.EXE that is in a rogue sub-folder "WINDEFENDER". That is a rogue. It is not at all any legitimate file or sub-folder. I will guide you to squashing it, as well as getting your network connectivity back and also getting the real Microsoft Defender antivirus service to be ON and active.

First, some preliminaries.

 

Please set File Explorer to SHOW ALL folders, all files, including Hidden ones. Use OPTION ONE or TWO of this article:

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

 

Next, let us try as much as possible to delete 1 file + 1 sub-folder.

  • On the Windows taskbar, in the Windows search box, type in
cmd.exe
and then look at the entire list of choices, and click on Run as Administrator.

  • Once the Command prompt window is up, COPY the whole line AS-IS and then PASTE it into the Command-window box:
del /s /q C:\USERS\PUBLIC\WINDEFENDER\SVCHOSTM.EXE
Press the Enter key to proceed. Reply YES to allow it to proceed (if prompted). I expect none.

  • Next, do what follows. COPY the whole line AS-IS and then PASTE it into the Command-window box:
rd C:\USERS\PUBLIC\WINDEFENDER /s /q
Press the Enter key to proceed. Reply YES to allow it to proceed (if prompted). I expect none.


Hopefully those will succeed. In any event, go forward with these next steps.

  • Use Windows File Explorer, and go to your Downloads folder. Look for a file named
FRSTENGLISH.exe
Do you see it there? Yes or no? Please advise.

  • Next, if you do not see that file, go to C:\Users\jimrd\AppData\Local\Temp\mwb7B96.tmp
In that sub-folder, do you see
FRSTENGLISH.exe
? Yes or no?

Edited by Maurice Naggar
re-edited link

Thanks for your ongoing help. And yes, it was WiFi I was referring to earlier.

The first scan I did (after getting your instructions this morning) came up clean with nothing detected. I've attached "Clean scan log (2021-07-19)".

(Note please that your link to the hidden files article directs you to our thread and not to tenforums.com.)

I have also attached a screenprint of the Windefender folder directory for your information, as well as two different Windows Script Host error messages that popped up during the command prompt exercise. And all responses were just as you suspected. Nothing there.

I do have the FrstEnglish.exe file and am ready for your next instructions.

Thanks again and I'm standing by, sir. Jim

 

Clean scan log (2021-07-19).txt Win script host error msg 2.pdf Win script host error msg.pdf Windefender folder directory.pdf


Let's be sure that File Explorer is set to Show ALL.

Please set File Explorer to SHOW ALL folders, all files, including Hidden ones. Use OPTION ONE or TWO of this article:

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

 

I will have a custom script for you soon. Did you confirm that FRSTENGLISH -IS- in the Downloads folder?

Edited by Maurice Naggar

The custom script on this post is ONLY for this machine and NO other.

The main goal here is to delete the sub-folder "WINDEFENDER" (that is wholly a rogue sub-folder) +

to run System File Checker +

to hope to run a Microsoft Defender scan +

to rebuild the Windows Winsock.

Save this script file named FIXLIST.txt to the same folder where FRSTENGLISH is stored.

Fixlist.txt

 

Using File Explorer, go to the folder where FRSTENGLISH is stored.

  • RIGHT click on FRSTENGLISH.exe and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow the tool to run.
  • If the tool warns you the version is outdated, please download and run the updated version.
  • IF Windows prompts you about running this, select YES to allow it to proceed.
  • IF you get a block message from Windows about this tool, click the line "More info" on that screen and click the button "Run anyway" on the next screen.

Click on the FIX button.

 

You will see a green progress bar start.

If you receive a message that a reboot is required, please make sure you allow it to restart normally.

 

The tool will complete its run after restart.

When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run.

 

Please attach the FIXLOG.txt with your next reply later, at your next opportunity.

There will be more to do after this, so please, stick with me and as much as possible, stay current with this thread.

 

NOTE: The next time Windows is restarted, IF there is still an "exception / error" message about a missing sub-folder, just close the message box.

On the next round, I will have you get some new, fresh reports.

I will get back with you as I have the opportunity. Kindly remember I am a volunteer here.

Edited by Maurice Naggar

Are you talking about the script only being used on what computer? I hope you're referring to the infected computer, and not the one I have been communicating back and forth to you with?

 

Link to post
Share on other sites

This is for after the Fix task has completed on the machine with the problem.

This too is for the problem machine. This I would like to do after the script-run has been finished. This here is just to get a pair of report files so I can review closely.

Go to the problem machine where FRSTENGLISH is stored.

RIGHT-click on FRSTENGLISH and select "Run as Administrator" and reply YES to allow it to proceed.

(Note: make sure there is a checkmark beside "Addition.txt".) Tick that check-box.

Press the Scan button.

It will make two logs (FRST.txt and Addition.txt) in the same directory the tool is run from.

Please attach both logs to your next reply.

 

(Note: you may receive a warning that running this program may be detrimental to your system. FRST is a specialized tool so it does not contain the signatures of a commercially available product, hence the warning. You should have the option to run anyway; it's perfectly safe to use. Click the 'More info' link, then select 'Run anyway'.)

I am still seeing the Script Host messages that say the scripts for both rumer.vbs and mouse.vbs cannot be found.

I've attached the Fixlog.txt file. I am running the next FRST scan you asked for and will forward the two reports to you as soon as I see them.

And yes, I appreciate you being a volunteer. I can't help but wonder what it is that keeps you so committed to working with so many people in my same position. The time you spend giving me direction and keeping my spirits up has been incredible and I certainly am appreciative.

Solution

This too is all for the problem machine.

The custom script on this post is ONLY for this machine and NO other.

The main goal here is to delete any remains of the sub-folder "WINDEFENDER" + 2 leftover "Tasks" that attempt to load 2 rogue VBS files at each Windows start +

to run System File Checker +

to run the Windows DISM tool +

to turn the Microsoft Defender antivirus back on.

 

FIRST, go to the Downloads folder and DELETE the old Fixlist.txt.

Save this script file named FIXLIST.txt to the Downloads folder.

Fixlist.txt

 

 

Using File Explorer, go to the Downloads folder.

  • RIGHT click on FRSTENGLISH.exe and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow the tool to run.
  • If the tool warns you the version is outdated, please download and run the updated version.
  • IF Windows prompts you about running this, select YES to allow it to proceed.
  • IF you get a block message from Windows about this tool, click the line "More info" on that screen and click the button "Run anyway" on the next screen.

Click on the FIX button.

 

You will see a green progress bar start.

If you receive a message that a reboot is required, please make sure you allow it to restart normally.

 

The tool will complete its run after restart.

When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run.

 

Please attach the FIXLOG.txt with your next reply later, at your next opportunity.

There will be more to do after this, so please, stick with me and as much as possible, stay current with this thread.
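For readers following this thread on their own machine, here is an added read-only triage script; it is not from the thread, from Malwarebytes, or from the FRST fix script above. It checks the indicators the posts describe: the rogue C:\Users\Public\WINDEFENDER folder and SVCHOSTM.EXE, scheduled tasks whose actions point at that folder or at the rumer.vbs / mouse.vbs names from the Script Host errors, Defender status, and Defender exclusions. The folder, file and script names are taken from the thread; the extra check for tasks that reference a .vbs file that no longer exists goes beyond the thread and is what produces the "script cannot be found" pop-ups at logon.

```powershell
# Added triage script (not from the thread). Read-only: it reports, it does not delete or change anything.
# Indicator names below are the ones named in the thread; treat them as constructed sample input.
$rogueFolder  = 'C:\Users\Public\WINDEFENDER'
$rogueExe     = Join-Path $rogueFolder 'SVCHOSTM.EXE'
$rogueScripts = @('rumer.vbs', 'mouse.vbs')   # VBS names from the Windows Script Host errors

Write-Host "== Rogue folder / file =="
Write-Host ("Folder present: {0}" -f (Test-Path -LiteralPath $rogueFolder))
Write-Host ("EXE present:    {0}" -f (Test-Path -LiteralPath $rogueExe))
if (Test-Path -LiteralPath $rogueExe) {
    # The real svchost.exe lives in C:\Windows\System32 and is Microsoft-signed; a copy under
    # Users\Public with an unsigned or NotSigned status is the "MisusedLegit" pattern the thread names.
    $sig = Get-AuthenticodeSignature -LiteralPath $rogueExe
    Write-Host ("Signature status: {0}  Signer: {1}" -f $sig.Status, $sig.SignerCertificate.Subject)
}

Write-Host "`n== Scheduled tasks pointing at the rogue folder, the rogue VBS names, or a missing .vbs =="
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmd = ("{0} {1}" -f $action.Execute, $action.Arguments).Trim()
        $reason = $null
        if ($cmd -like "*$rogueFolder*") { $reason = 'references rogue folder' }
        foreach ($s in $rogueScripts) { if ($cmd -like "*$s*") { $reason = "references $s" } }
        # Generalisation: any task that launches a .vbs whose file is gone will raise the same pop-up.
        if ($cmd -match '(?i)"?([A-Z]:\\[^"]+?\.vbs)"?') {
            $vbs = $Matches[1]
            if (-not (Test-Path -LiteralPath $vbs)) { $reason = "missing script $vbs" }
        }
        if ($reason) {
            [pscustomobject]@{ TaskPath = $task.TaskPath; TaskName = $task.TaskName
                               State = $task.State; Reason = $reason; Command = $cmd }
        }
    }
} | Format-Table -AutoSize

Write-Host "`n== Microsoft Defender status (all should be True, signatures recent) =="
Get-MpComputerStatus |
    Select-Object AMServiceEnabled, AntivirusEnabled, RealTimeProtectionEnabled, AntivirusSignatureLastUpdated |
    Format-List

Write-Host "`n== Defender exclusions (only entries you added yourself should be listed) =="
Get-MpPreference | Select-Object ExclusionPath, ExclusionProcess, ExclusionExtension | Format-List
```

Run it from an elevated PowerShell on the affected machine; any row in the task table, or a False in the Defender status block, is something to raise in a thread like this one rather than fix by hand.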

I'm going to knock on wood, keep my fingers crossed, and say a little prayer that all is back to the way it should be. I've seen no sign of the script host errors and WiFi fired up real quick and is taking on speed.

Marcel, you are truly one in a million and you've given me a new respect for being super avoidant of anything that might resemble something very nasty. Thank you so much for your patience, your time, and your knowledge.

Jim

Hey, glad to help. One thing I would like you to check on is the Microsoft Defender antivirus. Look through its GUI screens and check to see that you can Check for Update on the definitions, and then do a Scan with it.

This is one way to do a manual scan using the Microsoft Defender antivirus, as well as to visually check protection status.

From the Start menu, select Settings, then select Update and Security.

Next, look at the left-side menu and select Windows Security.

 

Next, in the Windows Security section, click on the grey button Open Windows Security.

Now, click on the shield Virus and threat protection.

By the way, when you see a green check-mark on your display, it means a good status and that protection is on.

 

On the next display, look at all the options. Look down the list and see "Check for Updates", which I have highlighted with a blue icon.

You can click on that to have the system check for updates for Windows Defender.

Please also note that the Scan options (all) can be displayed by clicking on Scan options. (You can do Quick, Full, or Custom.)

NOTE: If you have the time / opportunity, select a Custom scan and scan the C drive (one time as a safety check).

 


 

NOTE: On this last screen, be sure to review the section on Exclusions to be sure that none of the path, process, or file/folder exclusions are ones that you yourself did not place there on your own.

 


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection.

Thank you
