Undetectable Virus or am I just crazy?


Ricked

Hello, I feel as if my PC has an undetectable virus or remote user accessing my system which is causing unstable system performance. System performance degrades over time without any spiking temps or processes. Whenever I try to open the Steam app I get "phantom" clicks in which the application won't start until I double click it twice. Whenever I open task manager I get a CPU spike to 100% initially when I open the application that then disappears. Today, I ran a Malwarebytes scan which found and quarantined a malware.sandbox.7 file. Upon restarting from the quarantine process my system hung at the restarting screen causing me to force shut down the PC. Afterwards I ran an AdwCleaner scan and removed a PUP without issue. Please see the attached Malwarebytes scan, AdwCleaner scan, and FRST scan.

Attachments: Addition.txt, FRST.txt, AdwCleaner PUP removed.txt, MWB 1.txt


  • Root Admin

Hello @Ricked

I'm off work, but please run the following for me and I'll try to check back with you later tonight.

 

Please do the following so that we can get started and see what's going on.


The Farbar Recovery Scan Tool is a free Windows utility designed to create troubleshooting logs for your computer. These logs help our Support team to identify and resolve issues with your computer.

There are two versions of the Farbar Recovery Scan Tool available for download: 32-bit and 64-bit.
To find which operating system is installed on your computer, refer to Microsoft's article: 32-bit and 64-bit Windows: Frequently asked questions

Download and launch Farbar Recovery Scan Tool

  1. Download the Farbar Recovery Scan Tool
    Do not click on any Ads.
     
  2. Locate the file you downloaded on your computer.
    Downloaded files are often saved to the Downloads folder.
     
  3. Double-click the downloaded file to run the Farbar Recovery Scan Tool.

     
  4. A "Windows protected your PC" notification may appear. This notification is from the Windows Defender SmartScreen filter, which prevents unfamiliar apps from running on your PC.
    Disable SmartScreen ONLY if it interferes with software we may have to use:  What is SmartScreen and how can it help protect me?

         a.  Click More info.
         b.  Click Run anyway.
  5. When the User Account Control window appears, click Yes.


     
  6. To accept the Disclaimer of warranty, click Yes.


     
  7. Ensure only the boxes listed below are checked:

     Registry, Services, Drivers, Processes, Internet, One month, Addition.txt

     

  8. Disable any Antivirus software you have installed ONLY if it stops software we may use from working.
    Please remember to re-enable any Antivirus software when we are finished running scans.

    Click Scan. The scan may take a few minutes to complete.
     

  9. When the scan completes, Farbar Recovery Scan Tool shows two messages:

  • Scan completed. FRST.txt is saved in the same directory FRST is located.
  • Addition.txt is saved in the same directory FRST is located.

  • Click OK to close each message window.

 

Please attach both of those logs to your next reply; DO NOT copy/paste the contents of the logs directly.


  • Root Admin

Thank you for the logs @Ricked

There is something going on with the system that is causing issues, as shown in the Event Logs.


System errors:
=============
Error: (11/09/2021 02:46:42 PM) (Source: imbdrv) (EventID: 4) (User: )
Description: Event-ID 4

Error: (11/09/2021 02:42:58 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Intel(R) Content Protection HECI Service service terminated unexpectedly.  It has done this 1 time(s).

Error: (11/09/2021 02:42:58 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Intel(R) Graphics Command Center Service service terminated unexpectedly.  It has done this 1 time(s).

Error: (11/09/2021 02:42:58 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Presentation Foundation Font Cache 3.0.0.0 service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 0 milliseconds: Restart the service.

Error: (11/09/2021 02:42:58 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Intel(R) PROSet Monitoring Service service terminated unexpectedly.  It has done this 1 time(s).

Error: (11/09/2021 02:42:58 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Realtek Audio Universal Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 0 milliseconds: Restart the service.

Error: (11/09/2021 02:42:58 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The Intel(R) Dynamic Application Loader Host Interface Service service terminated unexpectedly.  It has done this 1 time(s).

Error: (11/09/2021 02:42:58 PM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The NVIDIA Display Container LS service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 6000 milliseconds: Restart the service.

 

 

 

Please consider changing your default DNS Sever settings. Please choose one provider only

DNS is what lets users connect to websites using domain names instead of IP addresses

  • Google Public DNS: IPv4   8.8.8.8 and 8.8.4.4   IPv6   2001:4860:4860::8888 and 2001:4860:4860::8844
  • Cloudflare: IPv4   1.1.1.1 and 1.0.0.1   IPv6   2606:4700:4700::1111 and 2606:4700:4700::1001
  • OpenDNS: IPv4   208.67.222.222 and 208.67.220.220  IPv6  2620:119:35::35 and 2620:119:53::53
  • DNSWATCH: IPv4   84.200.69.80 and 84.200.70.40   IPv6  2001:1608:10:25::1c04:b12f and 2001:1608:10:25::9249:d69b

The Ultimate Guide to Changing Your DNS Server
https://www.howtogeek.com/167533/the-ultimate-guide-to-changing-your-dns-server/

Please run the following fix and post back the FIXLOG.txt file.


Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE: It's important that both files, FRST or FRST64, and fixlist.txt, are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

NOTE-3: As part of this fix it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

 

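The event-log excerpt in the reply above shows seven services terminating in the same second. The PowerShell below is an added example, not part of the original reply or of FRST: it pulls the Service Control Manager "terminated unexpectedly" events (7031 and 7034) for the last 30 days, groups them by the second they were logged so a burst shows up as one entry, and then lists the unexpected-shutdown markers (Kernel-Power 41, EventLog 6008) so a burst can be lined up with a hang or forced power-off like the one the original poster described. The 30-day window is an assumption; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original reply or FRST): correlate bursts of
# "service terminated unexpectedly" events with unexpected-shutdown markers.
# Run from an elevated PowerShell prompt. The 30-day window is an assumption.

$since = (Get-Date).AddDays(-30)

# 7031 = service terminated unexpectedly, SCM has a restart action configured
# 7034 = service terminated unexpectedly, no restart action
$scmEvents = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7031, 7034
    StartTime    = $since
} -ErrorAction SilentlyContinue

# Several services dying within the same second is one burst, not several faults,
# so group on the timestamp truncated to the second.
$bursts = $scmEvents |
    Group-Object -Property { $_.TimeCreated.ToString('yyyy-MM-dd HH:mm:ss') } |
    Sort-Object Name

foreach ($b in $bursts) {
    Write-Host ("{0}  {1} service termination(s)" -f $b.Name, $b.Count)
    foreach ($e in $b.Group) {
        # The first line of the message names the service that died.
        $first = ($e.Message -split "`r?`n")[0]
        Write-Host ("    [{0}] {1}" -f $e.Id, $first)
    }
}

# Unexpected-shutdown markers to correlate against:
#   Microsoft-Windows-Kernel-Power 41 : system rebooted without a clean shutdown
#   EventLog 6008                     : the previous shutdown was unexpected
$shutdowns = Get-WinEvent -FilterHashtable @{
    LogName   = 'System'
    Id        = 41, 6008
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -in @('Microsoft-Windows-Kernel-Power', 'EventLog') } |
    Sort-Object TimeCreated

Write-Host "`nUnexpected shutdown / power-loss markers:"
$shutdowns | Select-Object TimeCreated, Id, ProviderName | Format-Table -AutoSize

# Reading the output: a burst that falls within a few minutes of a 41/6008 entry
# is most likely the same incident (a hang followed by a forced power-off, for
# example). A burst with no nearby marker is a genuine service crash and is the
# one worth examining on its own.
```

The grouping is the point: the page's excerpt has one burst at 02:42:58 PM, and the question a responder wants answered is whether that second sits next to a power-loss marker or stands alone.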
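The reply above asks for two network-side changes: move to a single public DNS provider, and note that the FRST fix resets the network, including the firewall, so custom rules must be exported first (NOTE-3). This PowerShell is an added example, not part of the original reply or of FRST. It backs up the firewall policy with netsh, applies one provider's IPv4 and IPv6 servers to every adapter that is up, and verifies the change with Get-DnsClientServerAddress and a forced query through the new resolver. Cloudflare is chosen only as an illustration; the backup path and the adapter selection are assumptions. Run it elevated.

```powershell
# Added example (not from the original reply or FRST): export the firewall policy
# before the fix's network reset, then switch to a single DNS provider and verify.
# Run from an elevated PowerShell prompt. Provider choice and paths are assumptions.

# One provider only: both addresses come from the same list in the reply above.
$dnsIPv4 = '1.1.1.1', '1.0.0.1'
$dnsIPv6 = '2606:4700:4700::1111', '2606:4700:4700::1001'

# 1. Save the current firewall policy before anything resets it.
$backup = Join-Path $env:USERPROFILE 'Desktop\firewall-before-fix.wfw'
netsh advfirewall export "$backup" | Out-Null
Write-Host "Firewall policy exported to $backup"
# Restore later, if needed, with: netsh advfirewall import "$backup"

# 2. Record what each active adapter resolves through right now (DHCP or manual).
$adapters = Get-NetAdapter | Where-Object Status -eq 'Up'
foreach ($a in $adapters) {
    $cur = Get-DnsClientServerAddress -InterfaceIndex $a.ifIndex -AddressFamily IPv4
    Write-Host ("Before: {0} -> {1}" -f $a.Name, ($cur.ServerAddresses -join ', '))
}

# 3. Apply the chosen provider to every active adapter and drop cached answers.
foreach ($a in $adapters) {
    Set-DnsClientServerAddress -InterfaceIndex $a.ifIndex -ServerAddresses ($dnsIPv4 + $dnsIPv6)
}
Clear-DnsClientCache

# 4. Verify: the adapter reports the new servers, and a query resolves through the
#    first of them (-Server pins the resolver, -DnsOnly bypasses cache and hosts file).
foreach ($a in $adapters) {
    $now = Get-DnsClientServerAddress -InterfaceIndex $a.ifIndex -AddressFamily IPv4
    Write-Host ("After:  {0} -> {1}" -f $a.Name, ($now.ServerAddresses -join ', '))
}
Resolve-DnsName -Name 'example.com' -Type A -Server $dnsIPv4[0] -DnsOnly |
    Where-Object { $_.Type -eq 'A' } |
    Select-Object Name, IPAddress |
    Format-Table -AutoSize

# If the change is made at the router instead (as the original poster did), leave
# the adapter on DHCP with:
#   Set-DnsClientServerAddress -InterfaceIndex <ifIndex> -ResetServerAddresses
# and use step 2's Get-DnsClientServerAddress to confirm the router now hands out
# the chosen provider's addresses.
```

Setting both the primary and the secondary from the same provider is deliberate: mixing providers means some queries are answered by one resolver's policy and some by another's, which is exactly the inconsistency the reply's "one provider only" note is trying to avoid.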

Many thanks for the assistance @AdvancedSetup!

I have followed your recommended steps without issue. The DNS server has been altered within the router's settings and passwords have been moved to a password manager.

I think I forgot to turn off my real time virus protection when running the fix; I'm not sure if that affected anything, except for maybe the checkdisk function upon reboot.

Please see the attached Fixlog.txt from FRST.

Thanks again!!

Fixlog.txt


  • Root Admin

The fix says it was able to correct some issues:

Windows Resource Protection found corrupt files and successfully repaired them.


Please run the following scan from Microsoft @Ricked

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for and remove malware or potentially unwanted software from a system.

The download links and instructions for running the tool are at this link at Microsoft:

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

Please let me know the results of this scan.

The log is named msert.log and will be at %SYSTEMROOT%\debug\msert.log, which in most cases is:

C:\Windows\debug\msert.log

Please attach that log with your next reply.

When that scan has completed, please run the following as well.

SecurityCheck by glax24

I would like you to run a tool named SecurityCheck to inquire about the current security update status of some applications.

  • Download SecurityCheck by glax24: https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
  • If Microsoft SmartScreen blocks the download, click through to save the file.
  • This tool is safe. SmartScreen is overly sensitive.
  • If SmartScreen blocks the file from running, click on More info and Run anyway.
  • Right-click with your mouse on SecurityCheck.exe and select "Run as administrator", and reply YES to allow it to run and go forward.
  • Wait for the scan to finish. It will open a text file named SecurityCheck.txt. Close the file. Attach it with your next reply.
  • You can find this file in a folder called SecurityCheck: C:\SecurityCheck\SecurityCheck.txt

Thank you

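The reply above reads the Fixlog.txt summary line, "Windows Resource Protection found corrupt files and successfully repaired them." The FRST fix (NOTE-1 earlier in the thread) ran an SFC scan and a boot-time disk check; the one-line summary is all Fixlog.txt carries, but the detail of what SFC replaced is written to CBS.log and the disk-check result to the Application event log. The PowerShell below is an added example, not part of the original reply or of FRST, that extracts both, then re-runs SFC in verify-only mode to confirm the component store is now clean. Paths are the Windows defaults; run it elevated.

```powershell
# Added example (not from the original reply or FRST): see what the fix's SFC and
# disk-check steps actually did, and confirm the system file store is now clean.
# Run from an elevated PowerShell prompt. Paths are the Windows defaults.

$cbs = Join-Path $env:windir 'Logs\CBS\CBS.log'

# 1. SFC tags its own log lines in CBS.log with [SR]. "Repairing" lines show what
#    was replaced; "Cannot repair" lines mean SFC found damage it could not fix.
$sr        = Select-String -Path $cbs -Pattern '\[SR\]' -ErrorAction SilentlyContinue
$repaired  = $sr | Where-Object { $_.Line -match 'Repairing' }
$unfixable = $sr | Where-Object { $_.Line -match 'Cannot repair' }

Write-Host ("[SR] lines: {0}   repaired: {1}   could not repair: {2}" -f `
    $sr.Count, $repaired.Count, $unfixable.Count)
Write-Host "`nMost recent repairs:"
$repaired  | Select-Object -Last 20 | ForEach-Object { $_.Line }
Write-Host "`nMost recent failures:"
$unfixable | Select-Object -Last 20 | ForEach-Object { $_.Line }

# 2. A verify-only pass makes no changes; the result to look for is
#    "Windows Resource Protection did not find any integrity violations."
sfc /verifyonly

# 3. If SFC still reports files it cannot repair, the component store that SFC
#    repairs from is itself damaged. Repair it first, then run SFC again:
#      DISM /Online /Cleanup-Image /RestoreHealth
#      sfc /scannow

# 4. The boot-time disk check writes its summary to the Application log as
#    Wininit event 1001. The newest entry is the run the fix triggered on reboot;
#    look for "found no problems" versus bad clusters or corrected errors.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1001 } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like '*Wininit*' } |
    Select-Object -First 1 |
    ForEach-Object {
        Write-Host ("`nDisk check logged {0}:" -f $_.TimeCreated)
        $_.Message
    }
```

Step 1 matters more than the summary line suggests: the names of the files SFC replaced tell you whether the corruption was in components that plausibly explain the symptoms (display, audio, Steam's web view), or in something unrelated.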

Hello, many thanks again for the help @AdvancedSetup! Apologies for the delay in response, I was away from my PC most of the day.

I completed both of the scans as requested, please see the attached logs. Something odd I noticed during the full system Microsoft Safety Scan: 2 files were detected as infected while the scan was running. However, upon completion of the scan it reported no infected files. Not too sure what to make of this. Additionally, the safety scan seems to suggest that my network/PC is being accessed remotely?

Attachments: msert.log, SecurityCheck.txt


  • Root Admin

That's normal for the Microsoft Scanner. Perhaps they'll change that behavior at some point; no threats were found.

Malwarebytes is out of date. Please check for updates.

Please update the applications listed below as needed as well.


------------------------------ [ ArchAndFM ] ------------------------------

WinRAR 5.71 (64-bit) v.5.71.0 Warning! Download Update


-------------------------- [ IMAndCollaborate ] ---------------------------

Discord v.0.0.309 Warning! Download Update


--------------------------------- [ P2P ] ---------------------------------

qBittorrent 4.1.8 v.4.1.8 Warning! Download Update

 

Thanks @Ricked


Many thanks for your continued help!

I have updated the applications as indicated. After updating Malwarebytes via the application I ran the SecurityCheck again and it still indicates that the Antivirus Firewall is still out of date. Do any additional actions need to be taken at this time?


I do not believe so, you have significantly helped me these past few days and have given me peace of mind!

I really appreciate the fix for the corrupted files within my system; it is most likely the result of these corruptions that was causing my odd system performance.

I will make sure to keep applications updated as much as possible to prevent possible security flaws within my system.

Thanks again!!


  • Root Admin

Let's go ahead and do some clean-up work and remove the tools and logs we've run. @Ricked

Please download KpRm by kernel-panik and save it to your desktop.

  • right-click kprm_(version).exe and select Run as Administrator.
  • Read and accept the disclaimer.
  • When the tool opens, ensure all boxes under Actions are checked.
  • Under Delete Quarantines select Delete Now, then click Run.
  • Once complete, click OK.
  • A log will open in Notepad titled kprm-(date).txt.
  • Please attach that file to your next reply. (not compulsory)

  1. Recommend using a Password Manager for all websites, etc. that require a password. Never use the same password on more than one site.
    https://www.howtogeek.com/240255/password-managers-compared-lastpass-vs-keepass-vs-dashlane-vs-1password/
  2. Keep all software up to date - PatchMyPC - https://patchmypc.com/home-updater#download
  3. Keep your Operating System up to date and current at all times - https://support.microsoft.com/en-us/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2
  4. Install a content blocker for your browser. Malwarebytes Browser Guard (Free)
    Firefox: https://addons.mozilla.org/en-GB/firefox/addon/malwarebytes/
    Chrome: https://chrome.google.com/webstore/detail/malwarebytes-browser-guar/ihcjicgdanjaechkgeegckofjjedodee
  5. Further tips to help protect your computer data and improve your privacy: https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/

Further reading if you like to keep up on the malware threat scene: Malwarebytes Blog  https://blog.malwarebytes.com/

Hopefully, we've been able to assist you with correcting your system issues.

Thank you for using Malwarebytes

 


  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy Tips to help protect from infection

Thank you

This topic is now closed to further replies.