
failed Malwarebytes install solved + Trickbot Gootkit


Go to solution Solved by Maurice Naggar,


I do not understand why you made so many one-line posts. Tell me, is the Recycle Bin icon the only thing that is an issue now?

Tell me, did you manage to merge the wuauserv.reg file?

You indicate that the Microsoft KB update has finished. Is that right?

Do us both a favor, do one Windows Restart and then wait for the system to settle back.

.

Then I would request one fresh report from FRSTENGLISH. Just reports.

A report tool named FRSTENGLISH is already present in the Downloads folder.

Go to the Downloads folder.

  • RIGHT-click with the mouse on FRSTENGLISH & select "Run as Administrator" to start it.
  • When prompted to allow it to run, reply YES and let it go forward.
  • When the tool opens, click Yes to the disclaimer.
  • Now, be sure to TICK the check-box marked "Addition.txt" (like in the picture here).
  • Press the Scan button.

[image: FRST scan dialog]

  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run it before it may not, and you may need to select it manually.
  • Please attach both logs to your reply.
  • To save attachments, please click the link "ADD FILES". Then browse to where your file is located, select it and click the Open button.

5 minutes ago, Maurice Naggar said:


Tell me, did you manage to merge the wuauserv.reg file?

Yes, it is fixed.


Thanks for the FRST report. I notice that the Microsoft Defender antivirus services are running, and that the Malwarebytes for Windows protection services are running.

The scan by Malwarebytes and with Microsoft Safety Scanner indicate there is now no malware. We are past the major hurdles.

Later on, I will have a set of safer practices for you, plus tips on beefing up the security on all web browsers.

The original issue of not being able to install Malwarebytes has been resolved. In the process, I found that this machine had a pretty serious Trickbot-type infection. That has been removed. Just understand that the infection was quite serious. It had made the sub-folders where it hid itself "excluded" from scanning or monitoring by Microsoft Defender.

These were some of those excluded sub-folders:

"C:\Windows"
"C:\WINDOWS\rss"
"C:\Users\eddyd\AppData\Local\Temp\csrss"
"C:\Users\eddyd\AppData\Roaming\BlueViolet"
"C:\WINDOWS\windefender.exe"
"C:\Users\eddyd\AppData\Local\Temp\wup"
"C:\WINDOWS\System32\drivers"
"C:\WINDOWS\System32"

It also made a global exclusion for all EXE file types. Plus, it had deleted the Windows service entry for "Windows Update" service.

All the bad-guy exclusions are now removed (since the last Fix run we did earlier). Effectively, the prior infection made itself untouchable by the Defender antivirus. As I say, this has all now been fixed.

.

I would like for you to read all of this below. And sometime today, to do one Check for Updates run for Microsoft Defender antivirus, and to do one QUICK scan with Microsoft Defender antivirus.

This is one way to do a manual scan using the Microsoft Defender antivirus, as well as to visually check protection status.

From the Start menu, select Settings, then select Update and Security.

Next, look at the left-side menu & select Windows Security.

[image: Windows Security entry in the Update & Security settings menu]


Next, in the Windows Security section, click on the grey button Open Windows Security.

[image: Open Windows Security button]

Now, click on the shield Virus and threat protection.

By the way, when you see a green check-mark on your display, it means a good status and that protection is on.

[image: Virus and threat protection screen with green check-marks]

On the next display, look at all the options. Look down the list and see "Check for Updates", which I have highlighted with a blue icon.

You can click on that to have the system check for updates for Windows Defender.

Please also note that all the Scan options can be displayed by clicking on Scan options (you can do Quick, Full, or Custom).

NOTE: If you have the time / opportunity, say at the end of your computer day this evening, select a Custom scan & scan the C drive (one time as a safety check).

[image: Scan options and Check for Updates on the Virus and threat protection screen]

NOTE: On this last screen, be sure to review the section on Exclusions, to be sure that none of the path, process, or file/folder exclusions are ones that you did not place there yourself.
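The two checks asked for in this thread, reviewing the Defender exclusions for entries like the Trickbot/Gootkit ones listed above and then running Check for Updates plus a Quick scan, can also be done from an elevated PowerShell prompt. The script below is an added example for readers of this thread; it is not part of the original post or a Malwarebytes tool. It uses the built-in Defender cmdlets (Get-MpPreference, Get-MpComputerStatus, Update-MpSignature, Start-MpScan) and Get-Service; the "suspicious" rules are an assumption modelled on the excluded paths reported above, and the script only reports, it removes nothing.

```powershell
# Added example (not from the forum thread): read-only audit of Microsoft Defender
# exclusions and the Windows Update service, followed by a signature update and a
# quick scan. Run from an elevated PowerShell prompt on Windows 10.
#Requires -RunAsAdministrator

$winDir = $env:SystemRoot   # normally C:\Windows

function Test-SuspiciousExclusion {
    param([string]$Path)
    $p = $Path.TrimEnd('\')
    # Assumed rule: an exclusion of the Windows directory, anything beneath it,
    # or a parent of it (e.g. C:\) is never something a home user sets on purpose.
    if ($p -like "$winDir*" -or $winDir.StartsWith($p, [System.StringComparison]::OrdinalIgnoreCase)) {
        return $true
    }
    # Assumed rule: exclusions inside a user's Temp or Roaming folder, where the
    # thread's samples (csrss, wup, BlueViolet) were hiding.
    return [bool]($p -match '\\AppData\\(Local\\Temp|Roaming)\\')
}

$pref = Get-MpPreference

Write-Host "== Path exclusions =="
foreach ($p in @($pref.ExclusionPath)) {
    if (-not $p) { continue }
    $flag = if (Test-SuspiciousExclusion $p) { 'SUSPICIOUS' } else { 'review' }
    Write-Host ("{0,-12} {1}" -f $flag, $p)
}

Write-Host "== Extension exclusions (a global 'exe' entry stops scanning of every executable) =="
foreach ($e in @($pref.ExclusionExtension)) {
    if (-not $e) { continue }
    $flag = if ($e -match '^\.?(exe|dll|ps1|bat|cmd|vbs|js)$') { 'SUSPICIOUS' } else { 'review' }
    Write-Host ("{0,-12} {1}" -f $flag, $e)
}

Write-Host "== Process exclusions =="
@($pref.ExclusionProcess) | Where-Object { $_ } | ForEach-Object {
    Write-Host ("{0,-12} {1}" -f 'review', $_)
}

# The thread reports that the infection deleted the Windows Update service entry;
# confirm the service is registered again after merging wuauserv.reg.
Write-Host "== Windows Update service (wuauserv) =="
$wu = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
if ($null -eq $wu) {
    Write-Host "MISSING: the wuauserv service is not registered"
} else {
    Write-Host ("present, status = {0}, start type = {1}" -f $wu.Status, $wu.StartType)
}

# Protection status and signature age: the same facts the GUI shows as green check-marks.
$status = Get-MpComputerStatus
Write-Host "== Defender status =="
Write-Host ("Antivirus enabled      : {0}" -f $status.AntivirusEnabled)
Write-Host ("Real-time protection   : {0}" -f $status.RealTimeProtectionEnabled)
Write-Host ("Signatures last updated: {0}" -f $status.AntivirusSignatureLastUpdated)

# The two actions requested in the thread: Check for Updates, then a Quick scan.
Update-MpSignature
Start-MpScan -ScanType QuickScan

# Removing an exclusion you did not create yourself is a separate, deliberate step,
# e.g. (placeholder path):
#   Remove-MpPreference -ExclusionPath 'C:\Users\<user>\AppData\Roaming\BlueViolet'
#   Remove-MpPreference -ExclusionExtension 'exe'
```

Anything marked SUSPICIOUS should be compared against what you remember adding yourself; the Exclusions page in the Windows Security app shows the same entries and lets you remove them one at a time.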


All the scans were good!! Thanks for your help! I also did a full scan; it was finished in 10 min! No problems detected!

"I will have a set of safer practices for you, plus tips on beefing up the security on all web browsers." I am excited and waiting for you!

Edited by Eddy68

Good. :D

[ 1 ]

Beefing up web browsers:

See this article on our Malwarebytes Blog
https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

 

You want to disable the ability of each web browser on this machine to allow "push ads". That means Chrome, Firefox, or Edge browser (on Windows 10), or Opera.

Scroll down to the tips section "How do I disable them".

[ 2 ]

Your EDGE browser & the Chrome browser have the Malwarebytes Browser Guard. If you use Mozilla Firefox, then add the Malwarebytes Browser Guard to it too.

 

[ 3 ]

I would like you to run a tool named SecurityCheck to inquire on the current security-update status of some applications.

 

Download SecurityCheck by glax24 from here https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe and save the tool on the desktop.

  • If Windows SmartScreen blocks that with a message window, then click on the MORE INFO spot, override that, and allow it to proceed. This tool is safe. SmartScreen is overly sensitive.
  • Right-click with your mouse on the Securitycheck.exe and select "Run as administrator", and reply YES to allow it to run & go forward.
  • Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file. Attach it with your next reply.

You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

.

 

I do believe that this pc now does not have malware.

Can't be sure how this pc's Microsoft Defender got these folder exclusions. But Trickbot & Gootkit malware use tricks to set exclusions for Microsoft Defender (see more info about Trickbot here https://www.malwarebytes.com/trickbot ).
You can read about Gootkit here (just ignore all ads on the page) https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/

My view is that the infection likely was done by some drive-by visit to some site or more likely a download. It is also possible that a visited site simply was compromised & then when visited, started the infection chain.
Another possibility could have been a mistaken click to "allow" in lieu of "quarantine or remove" when prompted by Microsoft Defender.

Since Malwarebytes Premium has multiple real-time protections, including against trojans like Trickbot, I would recommend that you have the Premium license for Malwarebytes so that all pc's & devices are covered.

As to making your system more secure, there are a bunch of suggestions in this post
https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/?tab=comments#comment-1372004

 

Securing each web browser (as appropriate) with Malwarebytes Browser Guard is recommended.
Personal practices with the keyboard and the mouse (like slowing way down on clicking spots on a web page) are one huge area for safety.
In other words, not being super quick to "click" with a finger on the mouse.
Not using "torrents" to get or share free stuff is another best practice. Be extremely careful of what you download.

Cheers.


  • AdvancedSetup changed the title to failed Malwarebytes install solved + Trickbot Gootkit

Good morning. Hello @Eddy68 

I would like to check in with you. Have you run the SecurityCheck tool? Have you installed the Malwarebytes Browser Guard on the web browsers? How is the situation at this point?

Edited by Maurice Naggar

  • 1 month later...
  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks
