kelizabeth Posted October 20, 2021

Hi! I am not sure when the file was created, but my quick scan on Malwarebytes Premium finished at 12:23pm today and it was clean. Then I visited a website that had a popup ad on it, closed out said ad, and then got anxious and scanned my computer.

1. It found what it labels Backdoor.Quasar and the file and location was: C:\$SYSRESET\SCRATCH\CSRSS.EXE. I removed the virus, rebooted. Action says Replaced, so I'm not sure what that is.
2. I did a new quick scan, the results are attached, and I did a scan with FRST + Addition and that is also attached. I use Premium and I scan my computer honestly too often. I'm in the process of moving all of my files to an external after removing the virus.
3. But I wanted to make sure my computer is clean. And what do you think could have been compromised? I have a few sites I signed into today, but I'm not sure if this type of virus can see those things?
4. Can it access my emails without me viewing them or access a txt file I had open at the time?

I did download some packs off of DeviantArt last night as well that people put out for graphic designers. My adaware cleaner (adwcleaner_8.3.0) found a PUP in the folder? Here: PUP.Optional.CrossAd C:\Users\Kaci\Downloads\ChristmasTextures

I didn't see anything in there. There were credit txt files of the uploaders from DeviantArt and PSD/png files but that's about it. I'll also be restoring my computer to factory settings soon.

Attachments: quickscan.txt, Addition.txt, FRST.txt

Edited October 20, 2021 by kelizabeth

AdvancedSetup (Root Admin) Posted October 20, 2021

Hello @kelizabeth

Please run the following.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system.

The download links & the how-to-run-the tool are at this link at Microsoft: https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

Please let me know the results of this scan. The log is named MSERT.log. The log will be at %SYSTEMROOT%\debug\msert.log, which in most cases is C:\Windows\debug\msert.log

Please attach that log with your next reply.

Thank you

kelizabeth (Author) Posted October 20, 2021

@AdvancedSetup Hi! Thank you so much for your help! I ran a Quick Scan and I have attached it to this reply. I'm really scared of this, I have been a Malwarebytes Premium user for years because of how often I scan my computer.

Do you think my text file info or my emails could have been compromised with this? I signed into a few sites today but I'll change the passwords to those I actively signed into and to my email as well (though I didn't sign into it, Firefox just kept it logged in).

Attachment: msert.log

AdvancedSetup (Root Admin) Posted October 20, 2021

It's very possible that at some point some new threat took advantage of some exploit or something like that. Please relax and try not to stress out over this.

Do not change passwords from this computer until we're done scanning to make sure it's clean. Once we're done we can do that.

Let me have you run the following for me.

STEP 01

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

- Double-click to run the program.
- Accept the End User License Agreement.
- Wait until the database is updated.
- Click Scan Now.
- When finished, if items are found please click Quarantine.
- Your PC should reboot now if any items were found.
- After reboot, a log file will be opened. Attach or copy its content into your next reply.

RESTART THE COMPUTER before running Step 2.

STEP 02

Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit.

- Double-click to run it. When the tool opens, click Yes to disclaimer.
- Press the Scan button.
- It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
- The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here each time.
- Please attach the Additions.txt log to your reply as well.

On your next reply, you should be attaching frst.txt and additions.txt to your post, every time.

Thank you

AdvancedSetup (Root Admin, Solution) Posted October 20, 2021

Hi @kelizabeth

It looks like this was a False Positive.

Let me have you get me the following logs from this detection. You can find the Scan and Protection logs from the following:

You can find Scan and Protection logs within the Malwarebytes 4 program in the following location.

RTP stands for Real-Time Protection and is where automatic protection operations would normally be logged.

If you click on the View option you should get something similar to the following with other options available.

kelizabeth (Author) Posted October 20, 2021

@AdvancedSetup A false positive? Really? Oh thank goodness! I went ahead and scanned again with the adaware program and the Farbar one and both were the same exact as before, nothing came up on adaware apart from HP preinstalled things.

I have attached the exported file in detection history here, does it really look like a false positive? The file is no longer there now though, is that okay?

Attachment: detection.txt

AdvancedSetup (Root Admin) Posted October 20, 2021

Yes, this was a False Positive. You can restore the file if wanted, but the folder really isn't needed.

Please see the following and if you have questions or issues still let me know:

https://www.tenforums.com/tutorials/95043-how-delete-sysreset-folder-windows-10-a.html

Thanks @kelizabeth

kelizabeth (Author) Posted October 20, 2021

Oh my gosh thank you! I will be resetting the system at some point in the future, but this being a false positive has made my day. Thank you so much again! I truly appreciate it so much! @AdvancedSetup

I was prepared to reset all passwords and everything, you're the best! I'll look at that and remove the folder too so hopefully no issues in future. Have a great day!

AdvancedSetup (Root Admin) Posted October 20, 2021

May I ask why you're doing a RESET? That seems a bit extreme. In most cases if something is that bad it might be better to do a clean install of Windows.

AdvancedSetup (Root Admin) Posted October 20, 2021

If things aren't too bad perhaps I can help you to correct what's going on with the system? @kelizabeth

kelizabeth (Author) Posted October 20, 2021

My system is just a little slow lately, so I thought I would do a reset, the reset will be a fresh install of Windows later on down the line (I'll move all of my files out of it and onto an external, then do the fresh Windows install). My system I believe is all clean, I just wanted to reset it to see if it loads quicker @AdvancedSetup

Though Firefox eating up most of my CPU could be doing the slowness xD

AdvancedSetup (Root Admin) Posted October 20, 2021

Save your bookmarks. Write down the current extensions you're using.

Then in Firefox click on Help -> More Troubleshooting Information. Then click on the Refresh Firefox... link.

Uninstall the following from Control Panel, Programs, Programs and Features:

- Bonjour

Then restart the computer and see if things are better or not.

If or when you do decide to do a fresh clean install of Windows here are some links to help.

Note: Windows 11 is out as well now but not sure I'd jump on that just yet as it keeps having minor issues reported.

Greg Carmack - MVP 2010-2020 - Clean Install Windows 10
https://answers.microsoft.com/en-us/windows/forum/windows_10-windows_install/clean-install-windows-10/1c426bdf-79b1-4d42-be93-17378d93e587

How to Create a Local Account While Setting Up Windows 10
https://www.howtogeek.com/442792/how-to-create-a-local-account-while-setting-up-windows-10/

Let me know if you need or want anything else @kelizabeth

kelizabeth (Author) Posted October 20, 2021

@AdvancedSetup I did all of that and updated some drivers, then the HP BIOS update ran when I restarted it. It seems to be running a bit faster now, thank you so much!

Also about the false positive, do you think the file was there already and MB just flagged it today randomly?

Thank you again so much for all of your help! Those links are a huge help too! I'll keep away from Windows 11 for now, I really enjoy Windows 10 at the moment.

AdvancedSetup (Root Admin) Posted October 20, 2021

Yes, the FP was due to a rule that triggered on it when it should not have. Completely safe to ignore.

If there is nothing else we should be done here. You're quite welcome for the help and information.

The closing speech will leave you with a link to other information to help you keep the computer safer as well as your privacy.

Take care

Edited October 20, 2021 by AdvancedSetup: updated information

AdvancedSetup (Root Admin) Posted October 20, 2021

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection.

Thank you