EdoardoMB Posted July 23, 2021

Hi everyone and thanks in advance for any help I will receive.

Recently I have noticed the fan turning up when the PC was idle. When opening Task Manager I would see the CPU between 60-99% for a split second and then see it drop to the normal 2-3%. I ran the quick scan (the one that you call Threat Scan, I think) that had no result (report below), then I ran an advanced scan (the settings for this scan are attached below) that found a Trojan.SmokeLoader. Since the quarantine of this file the computer's behavior has not changed, so here I am.

I'm a computer noob but I think that the virus shuts itself down when I open Task Manager. I did some tests and the CPU acts normally when the manager is running, but if I close it for a moment the CPU will go up to at least 60%.

Since you have a pinned post about it, I must confess that the virus probably comes from a pirated game. I downloaded a bunch two years ago and another one last month; I can't exclude that the virus has been there for over two years. I also don't know what to do with qBitTorrent: the pinned topic says not to uninstall anything but also to disable it. Let me know.

report_quickScan_22_07_17_11.txt
report_advancedScan_22_07_17_34.txt
FRST.txt
Addition.txt

Root Admin AdvancedSetup Posted July 23, 2021

Hello @EdoardoMB,

Let's start by doing a bit of general clean up and see if that helps with your issues.

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.

NOTE: It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real time antivirus or security software before running this script. Once completed make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

The following directories are emptied:

- Windows Temp
- Users Temp folders
- Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History
- Recently opened files cache
- Flash Player cache
- Java cache
- Steam HTML cache
- Explorer thumbnail and icon cache
- BITS transfer queue (qmgr*.dat files)
- Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

EdoardoMB Posted July 23, 2021

Thank you very much for the reply, I will get back to you tomorrow when I will be able to run the script.

Root Admin AdvancedSetup Posted July 23, 2021

You're quite welcome. Post back the FIXLOG.txt when ready. I'll try to follow up over the weekend but if not then for sure on Monday.

Cheers

EdoardoMB Posted July 24, 2021

Here is the fixlog.

Fixlog.txt

Maurice Naggar Posted July 26, 2021

Hi EdoardoMB. My name is Maurice. I'm filling in for AdvancedSetup for a bit.

Thanks for the Fixlog. I would suggest the following as a next step.

I would suggest a free scan with the ESET Online Scanner. This will be another check for viruses, other malware, adware, & potentially unwanted applications.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

It will start a download of "esetonlinescanner.exe".
Save the file to your system, such as the Downloads folder, or else to the Desktop.
Go to the saved file, and double click it to get it started.
When presented with the initial ESET options, click on "Computer Scan".
Next, when prompted by Windows, allow it to start by clicking Yes.
When prompted for scan type, click on Full scan.
Look at & tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.

Have patience. The entire process may take an hour or more. There is an initial update download. There is a progress window display. You may step away from the machine & let it be.

You should ignore all prompts to get the ESET antivirus software program (e.g. their standard program). You do not need to buy or get or install anything else.

When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked "View detected results".
Click the blue "Save scan log" to save the log.
If something was removed and you know it is a false finding, you may click on the blue "Restore cleaned files" (in blue, at bottom).
Press Continue when all done. You should click to turn off the offer for "periodic scanning".

Please make sure you attach the log report.

EdoardoMB Posted July 26, 2021

Hi Maurice, here is the log report. It looks really short and not detailed, so tell me if I got the wrong file. ESET has found nothing; is it because I quarantined the first file with MalwareBytes? In any case the CPU usage has not changed.

report_eset.txt

Maurice Naggar Posted July 26, 2021

That is the right report. Next steps.

Please set File Explorer to SHOW ALL folders, all files, including Hidden ones. Use OPTION ONE or TWO of this article:
https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

[ 2 ]
The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system.

The download links & the how-to-run-the-tool are at this link at Microsoft:
https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

Look on Scan Options & select FULL scan. Then start the scan. Have lots of patience. It may take several hours.

Let me know the result of this. This is likely to run for many hours (depending on the number of files on your machine & the speed of hardware).

The log is named MSERT.log. The log will be at C:\Windows\debug\msert.log

Please attach that log with your reply.

Maurice Naggar Posted July 26, 2021

For after you have completed the steps above & when you have quiet time.

First a comment about Task Manager's initial display. You said:

> I have noticed the fan turning up when the pc was in idle, when opening task manager I would see the cpu between 60-99% for a split second and then see it drop to the normal 2-3%.

It is important to not view the first percentage of use displays as actual realistic numbers. You need to wait at least for a minute or 2 minutes.

I do not see Avira Antivirus currently installed. I would ask if you uninstalled it recently? Yes or no. Answer later.

As I said, when you are caught up, I need two reports from this machine.

[ 1 ]
This is a different sort of report. I want to check on the security status of some services.

Download Farbar's Service Scanner utility and save it to your Desktop.
Right-click on fss.exe and select Run As Administrator. Answer Yes to ok when prompted.
If your firewall then puts out a prompt, again, allow it to run.
Once FSS is on-screen, be sure the following items are check-marked:

- Internet Services
- Windows Firewall
- System Restore
- Security Center/Action Center
- Windows Update
- Windows Defender
- Other services

Click on "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please attach that file. 😁

[ 2 ]
I would urge getting a readout report as to update status of some key apps.

Download SecurityCheck by glax24 from here https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe and save the tool on the desktop.
If Windows's SmartScreen blocks that with a message-window, then click on the MORE INFO spot and over-ride that and allow it to proceed. This tool is safe. SmartScreen is overly sensitive.
Right-click with your mouse on SecurityCheck.exe and select "Run as administrator" and reply YES to allow it to run & go forward.
Wait for the scan to finish. It will open in a text file named SecurityType.txt.
Close the file. Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

EdoardoMB Posted July 26, 2021

About Avira, I uninstalled it last week.

Maurice Naggar Posted July 26, 2021

OK. Just please finish the one Safety scan by MS & get for me the 2 reports. No need to rush. I will look forward to 3 reports.

Cheers.

EdoardoMB Posted July 27, 2021

Here are the reports. I need to say that something could be wrong with the MS Scan report. Maybe it's normal, but before I went to bed it had already found one infected file. The scan starting time also is wrong.

msert.log
FSS.txt
SecurityCheck.txt

TwinHeadedEagle Posted July 27, 2021

Trojan.SmokeLoader detection was a false positive, you can restore this detection from quarantine:

C:\PROGRAMDATA\FIREFLY STUDIOS\STRONGHOLD KINGDOMS\2.0.34.17\GECKOFX\XULRUNNER33\PLUGIN-HANG-UI.EXE

EdoardoMB Posted July 27, 2021

If you are sure then OK, but I'm running another Microsoft Safety Scanner full scan and as of now there are 14 detections. Sorry if I'm bothering you too much, I just want to be sure the computer is fine.

Maurice Naggar Posted July 27, 2021

Thank you Djordje.

@EdoardoMB Has that Safety Scan finished?

EdoardoMB Posted July 27, 2021

8 minutes ago, Maurice Naggar said:

> Thank you Djordje.
> @EdoardoMB Has that Safety Scan finished?

Not yet, 6 hours and still going.

Maurice Naggar Posted July 27, 2021

Please note that the first MS Safety Scanner reported "no" malware. No infection found.

Microsoft Safety Scanner Finished On Tue Jul 27 09:48:43 2021

EdoardoMB Posted July 27, 2021

Yes, I read the report. I was pointing out that while the scanning was in progress it said there were infected files, while at the end the report was clean. I don't know if that is very common or not, I just wanted to let you know because maybe it could help.

Maurice Naggar Posted July 27, 2021

Discount any intermediate messages. It is the bottom line result that matters when it completes the run. Sorry to say, but those intermediate messages are just wrong. It's been pointed out by others before.

EdoardoMB Posted July 27, 2021

Understood, so in the end it was a false positive, very good news. Thank you very very much for your help Maurice. If you want I will follow up with this last scan, otherwise you can close the topic. And if you don't mind I have a last question about the Addition file from FRST.

Maurice Naggar Posted July 27, 2021

Hi. Let me know what question you have regarding FRST.

The SecurityCheck tool has listed a few applications & drivers that need to be updated for the latest security releases. Make time & take care of those.

NVIDIA GeForce Experience 3.20.5.70 v.3.20.5.70 Warning! Download Update
Discord v.0.0.310 Warning! Download Update
Zoom v.5.3.1 (52879.0927) Warning! Download Update

EdoardoMB Posted July 27, 2021

I will check the drivers; the safety scan is clean.

About FRST, in the Addition file there is this list of sites that are correctly listed as fake. The thing is, I'm pretty sure I've only visited one of them and certainly not every one. Why are they all here? Are they here because I accidentally downloaded from one of them? Is it something I should worry about?

Solution Maurice Naggar Posted July 27, 2021

Those are contents of this machine's Windows HOSTS file. Cannot tell how the entries got there, except to guess that in one way or another it would involve a visit to a website and accepting a download.

In any event, the custom script below will reset the HOSTS file to the normal one.

Please first delete the old file named Fixlist.txt on the Desktop.

Next download the attached fixlist.txt file and save it to the Desktop.

Fixlist.txt

NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1: This custom script will set the HOSTS file to a normal one. The standard one from Microsoft Windows.

The system will be rebooted after the fix has run.

Please attach the Fixlog.txt. Let me know if you need other help.

Cheers.

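An added example, not part of the thread and not the FRST fix script: one way to list what is active in a HOSTS file like the one discussed above, separating entries that block a name from entries that redirect it to another address. The function and type names and the sample file content are constructed for illustration.

```python
import ipaddress
from typing import List, NamedTuple

class HostsEntry(NamedTuple):
    line_no: int
    address: str
    hostname: str
    kind: str  # "blocked", "redirect" or "malformed"

def audit_hosts(text: str) -> List[HostsEntry]:
    """List every active (non-comment) mapping in hosts-file text.

    The stock Windows HOSTS file holds only comment lines, so each entry
    returned here was added after installation.
    """
    findings = []
    for line_no, raw in enumerate(text.lstrip("\ufeff").splitlines(), 1):
        active = raw.split("#", 1)[0].strip()  # drop comments
        if not active:
            continue
        address, *names = active.split()
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            ip = None
        if ip is None or not names:
            findings.append(HostsEntry(line_no, address, " ".join(names), "malformed"))
            continue
        # Loopback or 0.0.0.0 makes the name unreachable (a block entry);
        # any other address quietly points the name at a different machine.
        kind = "blocked" if ip.is_loopback or ip.is_unspecified else "redirect"
        findings.extend(HostsEntry(line_no, address, n.lower(), kind) for n in names)
    return findings

# Constructed sample, not taken from the thread's FRST logs.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# 127.0.0.1 localhost
127.0.0.1   blocked-site.example
0.0.0.0     tracker.example www.tracker.example  # two names, one line
203.0.113.7 update.vendor.example
not-an-ip   broken.example
"""

if __name__ == "__main__":
    # On a live system, read C:\Windows\System32\drivers\etc\hosts instead.
    for entry in audit_hosts(SAMPLE_HOSTS):
        print(f"line {entry.line_no}: {entry.hostname} -> {entry.address} [{entry.kind}]")
```

An empty result means the file matches the stock state; "redirect" entries deserve the closest look because the name still resolves, just not to its real server.
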
EdoardoMB Posted July 27, 2021

Here is the fixlog 😁

Fixlog.txt

Maurice Naggar Posted July 28, 2021

The run is good. The HOSTS file is reset.

Tell me, do you need other help?