
Possible Malware - can't remove please help


Solved by Maurice Naggar


Hi all, 

I'm in need of your expertise again. I have the free versions of Malwarebytes & AVAST installed but I also have Norton Security and TDSSKiller in one of the folders (just in case). My browser has the Malwarebytes & AVAST extension as well.

I recently downloaded some mods for Stardew Valley and even though I made sure to scan them, it seems like my laptop is now infected. I tried running AVAST boot-time scan and it wouldn't show the usual icons or a report. I tried running all the scans listed above and they didn't find anything but Windows Defender popped up and it said they blocked a threat in "C:\Users\press\AppData\Local\Temp" and the scan/notification kept popping up. I tried to run all those applications in Safe Mode as well but they didn't return anything.

Please help?

Best wishes,

Sarah


Hi @sarah_sakura :welcome: My name is Maurice.

You mention that MS Defender is flagging something. We need to determine what that is & just where it is located & how MS is classifying it. The report below will help me to do that.

I will guide you to getting this cured. Please follow my guidance.

Please always attach files / reports as we go along. Do not run other tools on your own. TDSSKILLER is an old tool that is for limited uses & should not be used by folks unless under guidance of a trained malware removal specialist. Just do not run other things on your own.

I need a report set for review. This is a report only.

Please download Malwarebytes MBST Support Tool

 

Once you start it click Advanced > Gather Logs

 

Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop.

 

  • Please attach mbst-grab-results.zip to your reply, as displayed here.
  • To send (upload) attachments please click the "Add Files" link at the very bottom of the reply box. Then browse to where your file is located, select it and click the Open button.

(attached image: _mb_attach.jpg)


Hi Maurice, 

Thanks for your help with this. I have attached the zip file below. 

& I had no idea TDSSKiller wasn't for commercial layman use. I can't look into the previous scans done by Windows Defender, it keeps saying my IT administrator doesn't allow it but I reckon it's because I have AVAST.

Best wishes,

Cherry

mbst-grab-results.zip


Hello. Thank you for the report file from the support tool. That is very helpful.

I noticed that the recent scans by Malwarebytes had reported no malware. I notice that the resident antivirus is Avast One Essential. That being so, MS Defender is supposed to be not monitoring since Avast is installed. You did not mention it, but I am presuming that Avast itself has not flagged or tagged anything. What MS Defender has been flagging are temporary files with .TMP extensions under the appdata\local\TEMP sub-folder. Those being all temporary, we will delete them. MS Defender is flagging an exe file, Maplesage. That one we will upload to VirusTotal for analysis.

[ 1 ]

Please set File Explorer to SHOW ALL folders, all files, including Hidden ones. Use OPTION ONE or TWO of this article:

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

[ 2 ]

I have a custom script below whose main aim is to help a bit on Edge (like clearing the history cache). I hope that the run will complete in under 55 minutes (speed purely depends on the hardware).

We will use FRSTENGLISH.exe in the Downloads folder to run a custom script. The system will be rebooted after the script has run.

This custom script is for Sarah_sakura only / for this machine only.

This custom script has some specific things, plus some general aspects to help the system overall.

NOTE-1: This script will run a scan using System File Checker to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files.

  • Please be sure to close any open work files, documents, any apps you started yourself before starting this.
  • If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached, please disconnect any of those.
  • Please save the (attached file named) FIXLIST.txt to the user Downloads folder.

Fixlist.txt

 


Start Windows Explorer and go to the Downloads folder.

RIGHT-click on FRSTENGLISH.exe and select Run as Administrator and allow it to proceed. Reply YES when prompted to allow it to run. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

  • IF you get a block message from Windows about this tool, click the More info line on that screen and click the Run anyway button on the next screen.
  • On the FRST window: click the Fix button just once, and wait.

(attached image: frst-fix.jpg)

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity.

 

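The post above works out three things from the support-tool report: what Defender flagged, where those files sit, and which executable deserves a VirusTotal look. The PowerShell below is an added example for readers, not part of this thread and not the Malwarebytes support tool; it pulls the same facts straight from Defender's own records with the Defender module cmdlets that ship with Windows 10/11 (Get-MpComputerStatus, Get-MpThreat, Get-MpThreatDetection) and hashes any flagged executable that still exists so it can be looked up on VirusTotal by hash instead of uploaded. It assumes an elevated PowerShell prompt; the `file:_` resource prefix match and the read-only design (it changes nothing) are choices made for this example.

```powershell
# Added example, not from this thread or from Malwarebytes: summarise what
# Microsoft Defender has flagged on this machine and fingerprint flagged
# executables by SHA-256. Run from an elevated PowerShell on Windows 10/11.
# Assumes the built-in Defender module (Get-Mp* cmdlets) is available.

# 1. Which engine is actually in charge? When a third-party AV registers
#    itself, Defender turns itself off or goes passive, and its UI may then
#    say the scan history is managed by an administrator. AMRunningMode
#    shows which state it is in.
$status = Get-MpComputerStatus
[pscustomobject]@{
    AMRunningMode        = $status.AMRunningMode
    AntivirusEnabled     = $status.AntivirusEnabled
    RealTimeProtection   = $status.RealTimeProtectionEnabled
    SignatureLastUpdated = $status.AntivirusSignatureLastUpdated
} | Format-List

# 2. Join detection events to threat names so each row shows Defender's
#    classification next to the path (or process) that triggered it.
$threatNames = @{}
Get-MpThreat | ForEach-Object { $threatNames[$_.ThreatID] = $_.ThreatName }

$detections = Get-MpThreatDetection | ForEach-Object {
    $detection = $_
    foreach ($res in $detection.Resources) {
        [pscustomobject]@{
            When      = $detection.InitialDetectionTime
            Threat    = $threatNames[$detection.ThreatID]
            Resource  = $res        # e.g. file:_C:\Users\<user>\AppData\Local\Temp\xyz.tmp
            Process   = $detection.ProcessName
            Succeeded = $detection.ActionSuccess
        }
    }
}
$detections | Sort-Object When -Descending | Format-Table -AutoSize

# 3. Fingerprint any flagged executable that is still on disk. The SHA-256
#    can be searched on VirusTotal without sending the file anywhere.
$detections | ForEach-Object {
    if ($_.Resource -match '^file:_(.+\.exe)$') {
        $path = $Matches[1]
        if (Test-Path -LiteralPath $path) {
            Get-FileHash -LiteralPath $path -Algorithm SHA256 |
                Select-Object Hash, Path
        }
    }
}
```

The `.tmp` hits under AppData\Local\Temp show up in the same table with their Defender threat name, which is what lets a helper decide whether a detection is a leftover temp file to delete or a payload worth analysing.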

Hi Maurice, 

I tried to run 3 types of scans on AVAST (Fast Scan, Deep Scan and Boot-time Scan) and they all said they were completed but when I tried to check in the history for the logs, it says there's an error and they couldn't scan all files. I'm afraid this might mean the malware might still be lurking somewhere? 

Additionally, I notice a lag when I'm using my laptop & that has never happened before as well. Tried restarting etc but still slow. Any advice? 

Many thanks,

Sarah


You describe that you have a difficult time in reviewing scan history on Avast. You ought to refer that to Avast Support for their assistance. I would not ascribe or jump to a suspicion that there is some "malware issue". Just because an app is quirky does not by itself mean presence of "malware". And slowness & laggy behavior likewise does not equate to infection. Known trusted security tools are what is used to check for infection.

This is a special one-time run to do a different check of this system. This ought to take something in the range of 15 - 25 minutes tops, depending on hardware speed.

Get & run the Malwarebytes MBAR anti-rootkit tool to do one run with it.

Disregard the title subject of the topic.

 

Run the MBAR tool as listed here 

 

https://forums.malwarebytes.com/topic/198907-requested-resource-is-in-use-error-unable-to-start-malwarebytes

 

when done, I need the MBAR logs.

Upon completion of the scan or after the reboot, two files named mbar-log.txt and system-log.txt will be created.

 

Both files can be found in the extracted MBAR folder on your Desktop.

Please attach both files in your next reply.


Thanks. The result from MBAR is fine. You may delete MBAR.exe and the desktop sub-folder \MBAR

This is a  different special tool to check your pc for viruses, trojans & other malware.

Download Sophos Free Virus Removal Tool  and save it to your desktop.

  • If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....
  • Please Do Not use your PC whilst the scan is in progress.... This scan is very thorough so may take several hours...

 

Double click the icon and select Run

Click Next

Select I accept the terms in this license agreement, then click Next twice

Click Install

Click Finish to launch the program

  • Once the virus database has been updated click Start Scanning

If any threats are found click Details, then View log file... (bottom left hand corner)

 

Attach the results in your reply

  • Close the Notepad document, close the Threat Details screen, then click Start cleanup

Click Exit to close the program

 

If no threats were found please confirm that result....

The Virus Removal Tool scans the following areas of your computer:
  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable
  • Mapped network drives are not scanned.

Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

 

Saved logs are found under this sub-folder: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs 

Let me know what Sophos reports.


Solution

Thank you for the log. Very glad to read that no viruses were found. Do not fret over the section "could not open".  That is normal & expected. Most of those files were special system files. 

Alright. We are done with Sophos VRT tool.  Now to uninstall it.

1. Press & hold the Windows key on the keyboard & then tap the R key to open the Run box window.
2. Type appwiz.cpl and tap Enter.
The Programs and Features window will appear. Locate "Sophos Virus Removal" on the list.

Do a right-click on it.  Then choose Uninstall.   Let it proceed.

Exit Programs and Features.

[ 2 ]

At this time, I need you to ensure that Windows 10 "Fast startup" is OFF and stays off. See https://www.tenforums.com/tutorials/4189-turn-off-fast-startup-windows-10-a.html

Then, do a Windows Restart.

[ 3 ]

Next, we want to do a new custom script to ensure that all Temporary files are emptied & also to queue up a Windows CHKDSK run to check on the integrity of the storage on the C drive.

If you have a question, stop and ask me first.

We will use FRSTENGLISH.exe   to run a custom script.    The system will be rebooted after the script has run.

This custom script is for  Sarah_sakura  only / for this machine only.

First, Delete the prior file named Fixlist.txt   that is on the Downloads folder from before.

This new custom script has some specific things, plus some general aspects to help the system overall.

NOTE-1: This script will queue up a CHKDSK to be done as part of its system Restart and so will take several minutes.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. 

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome,  and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

  • Please be sure to close any open work files, documents, any apps you started yourself before starting this.
  • If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached, please disconnect any of those.
  • Please save the (attached file named) FIXLIST.txt to the Downloads folder.

Fixlist.txt

 

Then start Windows Explorer and go to the Downloads folder.

RIGHT-click on FRSTENGLISH.exe and select Run as Administrator and allow it to proceed. Reply YES when prompted to allow it to run. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

  • IF you get a block message from Windows about this tool, click the More info line on that screen and click the Run anyway button on the next screen.
  • On the FRST window: click the Fix button just once, and wait.

(attached image: frst-fix.jpg)

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity.

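The solution post asks for three things around the second FRST run: Fast Startup off, the temp folders emptied, and a CHKDSK queued for the restart. The PowerShell below is an added example for readers, not Maurice's fix and not what FRST does internally; it reports each of those items and only acts when started with -Apply, so a first run is a harmless read-only check. The registry value HiberbootEnabled, and the commands fsutil dirty query and chkntfs /c, are the standard Windows locations and tools for these checks; the folder list is deliberately only a subset (Windows Temp and the current user's Temp) of the directories the fix empties, and the -Apply switch is an assumption of this example.

```powershell
# Added example, not from this thread or from FRST: verify Fast Startup is
# off, measure (and optionally empty) the two main temp folders, and show
# or schedule the boot-time CHKDSK. Run from an elevated PowerShell.
# Without -Apply it only reports; with -Apply it deletes and schedules.
param([switch]$Apply)

# 1. Fast Startup lives in the Power key; HiberbootEnabled = 0 means OFF.
$powerKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power'
$hiberboot = (Get-ItemProperty -Path $powerKey -Name HiberbootEnabled `
              -ErrorAction SilentlyContinue).HiberbootEnabled
if ($hiberboot -eq 0) {
    'Fast Startup: OFF'
} else {
    "Fast Startup: ON (HiberbootEnabled=$hiberboot) - turn it off before the FRST run"
}

# 2. Temp folders the fix empties. Measure first so the reclaimed space is
#    visible; open files are simply skipped, never forced closed.
$tempDirs = @($env:TEMP, "$env:windir\Temp")
foreach ($dir in $tempDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    $items = Get-ChildItem -LiteralPath $dir -Force -Recurse -ErrorAction SilentlyContinue
    $bytes = ($items | Where-Object { -not $_.PSIsContainer } |
              Measure-Object -Property Length -Sum).Sum
    $mb = [math]::Round($bytes / 1MB, 1)
    "$dir : $($items.Count) items, $mb MB"
    if ($Apply) {
        # Deleted outright, not quarantined, exactly as the fix warns.
        $items | Remove-Item -Recurse -Force -ErrorAction SilentlyContinue
    }
}

# 3. Is the C: volume already marked dirty (i.e. CHKDSK will run anyway)?
#    chkntfs /c schedules a check on the next restart; reporting only unless -Apply.
fsutil dirty query C:
if ($Apply) {
    chkntfs /c C:
} else {
    'Would schedule CHKDSK on next restart with: chkntfs /c C:'
}
```

Running the script once without -Apply before the fix and once after the restart gives a simple before/after record (Fast Startup state, temp folder sizes, dirty bit) to attach alongside Fixlog.txt.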

You are very welcome.

Consider using PatchMyPC, keep all your software up-to-date - https://patchmypc.com/home-updater#download

To remove the FRST tool & its work files, do this. Go to your Downloads folder. Do a RIGHT-click on FRSTENGLISH.exe & select RENAME & then change it to

UNINSTALL.exe

 
Then run that (double-click on it) to begin the cleanup process.

Delete MBAR.exe

Delete the \MBAR sub-folder on the desktop

Any other download file I had you download, you may delete. 

Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

Stay safe.  I wish you all the best.     :cool:
I am marking this case for closure.

Please review the following for Tips to help protect from infection

All the best to you.  😃


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you
