
C:\WINDOWS\ASSEMBLY\TEMP\1VW2BT06IS\PRESENTATIONFRAMEWORK.NI.DLL



Hello!

 

My grandmother's Windows 7 PC had stopped working properly about a month ago. It would black-screen at startup right after the Windows logo and the "Welcome to Windows/Starting up Windows" text.

I tried taking a look at it today and after some googling I booted it up in Safe Mode (with networking) and it works. I am honestly in way over my head with this task but I decided to see if updating some drivers would fix the issue and after giving that my best shot I decided to install and run Malwarebytes for good measure. I tried running a full/custom scan but that option was hidden because of the wonky zoom and program window sizes in Safe Mode so I was only able to run a threat scan.

It came up with one Threat detected. I tried to follow the location path (written in title) to it but I couldn't find it on the pc. Then I tried googling it and the only thing I could understand was that it might be a false positive.

I've been at this all day and I am exhausted. I don't understand anything properly, and because of that I thought it would be wise to check here if anyone can tell me what this is, if it's a false positive, and whether or not it's safe to delete?

Thank you very much in advance!

 

This is the scan log:

 

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 9/13/21
Scan Time: 4:51 PM
Log File: a1f1fbe8-1499-11ec-b473-7071bc685c1f.json

-Software Information-
Version: 4.4.6.132
Components Version: 1.0.1453
Update Package Version: 1.0.44932
License: Trial

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Oma-HP\Oma

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 242602
Threats Detected: 1
Threats Quarantined: 1
Time Elapsed: 10 min, 30 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 1
Malware.Heuristic.1003, C:\WINDOWS\ASSEMBLY\TEMP\1VW2BT06IS\PRESENTATIONFRAMEWORK.NI.DLL, Delete-on-Reboot, 1000001, 0, 1.0.44932, 0000000000000000000003EB, dds, 01420564, 2225D5236F3979EB4BE2811E4FEB3DAA, F016434C75750EFC09C40EE68CA5B9D3ED329D0F7AE39C5C2818EC2192F218ED

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

 

Thank you again =)

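For anyone reading a log like the one above and wondering how to turn the single "File:" line into something checkable, here is a small added example (my own code, not part of the original post and not Malwarebytes' own tooling). It splits the record into its parts, picks out the MD5 and SHA-256 by their length so they can be looked up elsewhere, and applies the location check the helper makes later in the thread: a .NET native image (*.ni.dll) has no business in a TEMP sub-folder of the assembly cache. Only the first three fields (detection name, path, action) are treated as positional; the meaning of the remaining numeric fields is not documented on the page and is left alone. The sample record is copied from the scan log above; the "normal" path used to show a clean result is a constructed example of the NativeImages_* layout that ngen produces.

```python
"""Parse a Malwarebytes scan-log detection record and triage where the file lives."""
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import List, Optional, Union

# Constructed sample input: the one "File:" record from the scan log posted above,
# copied verbatim (detection name, path, action, vendor fields, MD5, SHA-256).
SAMPLE_RECORD = (
    "Malware.Heuristic.1003, "
    "C:\\WINDOWS\\ASSEMBLY\\TEMP\\1VW2BT06IS\\PRESENTATIONFRAMEWORK.NI.DLL, "
    "Delete-on-Reboot, 1000001, 0, 1.0.44932, 0000000000000000000003EB, dds, "
    "01420564, 2225D5236F3979EB4BE2811E4FEB3DAA, "
    "F016434C75750EFC09C40EE68CA5B9D3ED329D0F7AE39C5C2818EC2192F218ED"
)

HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")      # MD5 length
HEX64 = re.compile(r"^[0-9A-Fa-f]{64}$")      # SHA-256 length
NATIVE_IMAGE_CACHE_PREFIX = "nativeimages_"   # ngen output folders, e.g. NativeImages_v4.0.30319_64


@dataclass
class Detection:
    name: str
    path: PureWindowsPath
    action: str
    md5: Optional[str]
    sha256: Optional[str]
    extra: List[str] = field(default_factory=list)


def parse_detection(record: str) -> Detection:
    """Split one comma-separated detection record into its named parts.

    Assumption (not documented on the page): only the first three fields
    (detection name, path, action) are positional; the hashes are recognised
    by length, and the other vendor-internal values are kept as-is in `extra`.
    A path containing ", " would need a smarter splitter; Windows paths
    rarely do, so a plain split is used here.
    """
    fields = [f.strip() for f in record.split(",")]
    if len(fields) < 3:
        raise ValueError(f"not a detection record: {record!r}")
    name, path, action, *rest = fields
    md5 = next((f for f in rest if HEX32.match(f)), None)
    sha256 = next((f for f in rest if HEX64.match(f)), None)
    return Detection(name, PureWindowsPath(path), action, md5, sha256, rest)


def triage_location(path: Union[str, PureWindowsPath]) -> List[str]:
    """Return reasons the file's location looks wrong; an empty list means it looks normal.

    Two case-insensitive checks:
      * anything under \\Windows\\assembly\\TEMP is suspicious: that folder is
        scratch space for the assembly installer, not a home for loaded code;
      * a *.ni.dll is a .NET native image; legitimate ones live under an
        assembly\\NativeImages_* folder written by ngen.
    """
    p = PureWindowsPath(path)
    parts = [seg.lower() for seg in p.parts]   # ['c:\\', 'windows', 'assembly', 'temp', ...]
    reasons: List[str] = []
    if "assembly" in parts and "temp" in parts:
        reasons.append("file sits in a TEMP sub-folder of the .NET assembly cache")
    if p.name.lower().endswith(".ni.dll") and not any(
        seg.startswith(NATIVE_IMAGE_CACHE_PREFIX) for seg in parts
    ):
        reasons.append("*.ni.dll native image outside any NativeImages_* folder")
    return reasons


def triage_record(record: str) -> dict:
    """Parsed fields plus location findings, ready for a report or a hash lookup."""
    d = parse_detection(record)
    return {
        "name": d.name,
        "path": str(d.path),
        "action": d.action,
        "md5": d.md5,
        "sha256": d.sha256,
        "reasons": triage_location(d.path),
    }


if __name__ == "__main__":
    for key, value in triage_record(SAMPLE_RECORD).items():
        print(f"{key:8}: {value}")
```

Run it as a script and it prints the parsed record; for the log above it reports both location findings, which is exactly why the helper's "does NOT belong in a TEMP sub-folder" remark carries weight even before anyone knows what the file does. The hashes are the values to look up or to hand to a responder; the location check is the part that needs no external lookup at all.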

Hello     :welcome:

My name is Maurice.  Let me know what name you prefer to go by.  I will guide you.

I need a report set for review.   This is a report only.

Please download MBST Support Tool

Once you start it click Advanced >>> then   Gather Logs

 

Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop.

 

  • Please attach mbst-grab-results.zip to your reply, like displayed here.
  • To send (upload) attachments please click the "ADD Files" link. Then browse to where your file is located, select it and click the Open button.

 


 

The set of data from the report will provide much needed information.

Please always attach reports as we go along.


Hello Maurice =) My name is Annie.

Thank you for replying so fast and I am sorry for my delayed response, I had to take some time away from the screen.

The computer is currently still open in Safe Mode and I have not restarted it yet. Should I download and run the MBST Support Tool first (without restarting to delete the DLL) and provide you with the results, or should I restart the computer in order to delete the DLL first and only then download and run the MBST Support Tool and provide you with the results?

Additionally, once I do restart, would you recommend that I try to let it boot normally and see if it works (if it just black-screens again I will have to turn the computer off by pressing the power button again, and I do not know how healthy it is for the computer to do that), or should I restart it back into Safe Mode?

Thank you so much for assisting me =)

 

1 hour ago, Maurice Naggar said:

Additional note.  That DLL file does NOT belong in a TEMP sub-folder.   period.

That sounds ominous and interesting! What sort of malware do you think it is?

 


Hi Annie.   :D

Go ahead and Restart Windows so that machine is in normal mode.  Then get the Support tool & do the Gather logs & attach the ZIP report.

Not sure & I cannot tell what that DLL does.   Just do not be over-concerned.  It is stopped.  and I will be guiding you forward.  We will need to have Windows in normal mode as we work the case.


Hi again =)

The restart worked fine and the computer is in normal mode now! ^^ I'm pretty happy as I was afraid that it would still blackscreen.
I wonder if the weird DLL was causing the blackscreening issue or if it was the driver updates that fixed it.

20 minutes ago, Maurice Naggar said:

Not sure & I cannot tell what that DLL does.   Just do not be over-concerned.  It is stopped.  and I will be guiding you forward.

I see, I understand. Thank you very much for guiding me. ^^

I am however very curious about what it is and what it does, and even more so about how and when it got there. It is a second-hand PC that is mainly used by my grandmother (but also other people), but it has worked fine for many years, and to the best of my knowledge I was the only user for a couple of weeks, maybe a month, before the issue presented itself. While I don't think that I did anything risky, I would very much like to know what mistake I, or someone else, made to get this computer infected(?). Is this something you can help me find out? =)

 

 

2 hours ago, Maurice Naggar said:

Please download MBST Support Tool

Once you start it click Advanced >>> then   Gather Logs

 

Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop.

I did all this, except I was not presented with an option to "upload an archive", but perhaps I am misunderstanding somehow? =)

In any case, here is the ZIP report!

Thank you ^^

mbst-grab-results.zip


Hi, thanks very much for the report file.  That is a tremendous help.
It is not possible to know how this machine got infected. There just is not a unified global log on the machine that would have the answer.
But one can point to the most typical ways. Maybe someone attached an infected USB thumb/flash drive. There are always the other typical ways:
Being too quick on the click-finger & downloading some free thing, or a drive-by intrusion when using a web browser through an infected or compromised website. Or downloading a hack tool to get around paying for a software app. Opening attachments from an email (without first scanning it with antivirus) is often an avenue for infection.
Below I list a couple of articles on the subject.
How Did My Protected PC Get Infected?
https://www.pcworld.com/article/202771/protected_but_infected.html

How did I get infected
https://www.bleepingcomputer.com/forums/t/2520/how-did-i-get-infected/

You report this machine is a second-hand machine. Did someone erase the hard drive & then do a clean new install of Windows 7?
Most pc's have a method from the computer manufacturer ( on a hidden partition) to do a "factory restore" operation to reset the system to the way it came out Day 1 at the factory.
.
Be aware this machine has 2 Adobe Flash player apps that are way way obsolete, plus Adobe no longer supports them.
You need to Uninstall both
Adobe Flash Player 21 ActiveX 
Adobe Flash Player 23 NPAPI 
.
Obsolete apps are one thing that malware exploits.
.
Please also be very conscious that Windows 7 is very much unsupported by Microsoft.  It has not been getting security updates.  This operating system is at risk of future infections due to the Operating System being unsupported.  Windows 11 & the upcoming Windows 12 operating systems are much more secure.
.
Here below is a custom run intended to do some cleanups.  Please take time to read carefully & apply all directions below.

If you have a question, stop and ask me first.

Your Downloads folder is  C:\Users\Oma\Downloads

We will use FRSTENGLISH.exe   to run a custom script.    The system will be rebooted after the script has run.

This custom script is for  UhhConfused  only / for this machine only.

 

This custom script has some specific things, plus some general aspect to help the system overall.

NOTE-1:  This script will  run a scan using System File Checker to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files.  It will rebuild the Winsock.  

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. 

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome,  and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

  • Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.

 

  • If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached,  please disconnect any of those.
  • Please save the (attached file named) FIXLIST.txt   to the   C:\Users\Oma\Downloads folder

Fixlist.txt

 

Then, Start the Windows Explorer and then, go  to the Downloads   folder.


RIGHT click on FRSTENGLISH.exe and select Run as Administrator to run the tool. Reply YES when Windows prompts you to allow it to proceed. If the tool warns you the version is outdated, please download and run the updated version.

  • IF you get a block message from Windows about this tool:
    • click the "More info" line on that screen,
    • and click the "Run anyway" button on the next screen.

  • on the FRST window:

Click the Fix button just once, and wait.


 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. 
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   


Hi and good day! ^^

Thank you very much.

8 hours ago, Maurice Naggar said:

It is not possible to know how this machine got infected. There just is not a unified global log on the machine that would have the answer.
But one can point to the most typical ways. Maybe someone attached a infected USB-thumb-flash drive. There are always the other typical ways:
Being too quick on the Click-finger & downloading some free thing. or a drive-by intrusion when using a web browser thru a infected or compromised website. Or, downloading a hack tool to get around paying for a software app. Opening attachments from a Email ( without first scanning it with antivirus) is often a avenue for infection.

I see, thank you for this explanation. I really do not think that I have done any of these things as I only used this pc to play some (mainly Steam) games and watch Youtube and I doubt my grandmother has either, because she pretty much only uses it for online banking. I understand that we cannot find out how the computer got infected but was there an indication for when the file got on this pc ? That would help me pinpoint if it was my doing or not =)

Additionally I would really like to know what sort of malware this is and what sort of negative consequences it caused my grandmother or me. Like I mentioned my grandmother mainly uses it for online banking and on top of that I have helped her log in to some government services websites which obviously contain personal information. As for myself I think the only thing I have logged into on this computer is my Steam account... Oh and Trip Advisor! It is not impossible that I would have logged into my email using this computer but I don't think I've done that.

So I am a little bit concerned but more than concerned I am really curious about what this is and what it has done. It would be really cool if you could help me find out ^^ And also important because on top of just being curious it does ofcourse matter what data may have been at risk.

In any case, thank you so much for your assistance! ^^

8 hours ago, Maurice Naggar said:

You report this machine is a second-hand machine. Did someone erase the hard drive & then do a clean new install of Windows 7?

I do not know but I would assume that the seller (not a private consumer but also not an official second hand pc store) would have done that, that seems like standard procedure. I vaguely remember myself having taken a look at it to check if that had been done when grandma first got it but that was years ago and I knew even less then but still, to me it looked like it was a clean install. But I honestly wouldn't trust me on that.🤷‍♀️

 

8 hours ago, Maurice Naggar said:

Be aware this machine has 2 Adobe Flash player apps that are way way obsolete, plus Adobe no longer supports them.
You need to Uninstall both
Adobe Flash Player 21 ActiveX 
Adobe Flash Player 23 NPAPI 

Thank you very much ^^ I will do that. I've been using Iobit uninstaller to get rid of things "completely" as it advertises. Would you recommend me to do that now with these two apps and is it okay to keep doing it in the future with normal programs that I want to uninstall or is it totally overkill ?

 

11 hours ago, Maurice Naggar said:


Please also be very conscious that Windows 7 is very much unsupported by Microsoft.  It has not been getting security updates.  This operating system is at risk of future infections due to the Operating System being unsupported.  Windows 11 & the upcoming Windows 12 operating systems are much more secure.

Thank you for the warning but I do not think upgrading the OS is an option for my grandmother. She is 85 and might find anything Windows 7+ to be confusing. Still, I will look into it ^^ Thank you for the advice. You do not mention Windows 10 though, is Windows 10 also no longer secure ?

 

Thank you very much for the custom script. I read through everything and I do not have any questions. I will follow your instructions and run the script soon ^^
Thank you for all your advice!


Hello again! ^^

It finished running after about 12 minutes. I'm wondering if this is normal? Since you told me to have lots of patience I expected several hours haha ^^

Out of curiosity, do you know who else downloaded the fixlist.txt file, and why, given that I understand it is only really useful for fixing things specifically on this computer? ^^ (I am assuming someone else did, because it appears to have 3 downloads and only one of them is me ^^)

In any case, here is the Fixlog.txt

Thank you ^^

Fixlog.txt


Thank you for the Fixlog report.  The run is good.  I had not intended to imply it would run a long time.  I only meant to be patient on the run.

The Windows System File Checker ( SFC ) ran and that result is good. It checked the integrity of some Windows system files.  That result is good.

The temporary sub-folder where the suspect file had been located is removed.

Just by the way, Windows 10 is more secure, but this hardware will not support it.

Just also by the way, I do not personally recommend any "Iobit" app. Instead, I would only use the Windows tools built in to do what is needed.

For example, to uninstall the Adobe Flash:

1. Press & hold the Windows key on the keyboard & then tap the R key to open the Run box window.
2. Type

appwiz.cpl

and tap Enter.

3. The Programs and Features window will appear.   Locate on the list "Adobe Flash Player 21 ActiveX ".

Do a right-click on it.  Then choose Uninstall.   Let it proceed.

Then look for "Adobe Flash Player 23 NPAPI ".

Do a right-click on it.  Then choose Uninstall.   Let it proceed.

When completed, exit Programs and Features.

.

Now do a new scan with Malwarebytes for Windows.   Advise me of the result.

Locate the Scan run report;  export out a copy;  & then attach in with your  reply.

See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4


Root Admin (4 weeks later):

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks
