
Presenoke > Computer acting weird despite detection/removal of Presenoke



Today, in the morning while accessing a government site that's been acting weird [but was a necessary login]. I've accessed the website thrice in last 3 days. My computer has started acting weird. Screen freeze and in two instances auto shutdown. 

I ran CCleaner, currently running Windows Security check (W10). While checking the security log, Protection history shows detection and removal of PUA:Win32/Presenoker in the morning. I read about Presenoker, and it says it could involve the presence of a Trojan. The Windows quick check hasn't turned out anything. What's your say - what should I do?


Hello

My name is Maurice.  I will guide you.  Let me know what name you prefer to go by.

In order to begin to help you properly, I will need a diagnostic report in order to review & diagnose.
Specifically the FRST Farbar diagnostic report.  It is safe to get & use.
https://support.malwarebytes.com/hc/en-us/articles/360039025013-Run-Farbar-Recovery-Scan-Tool-to-gather-logs

Attach FRST.txt + Addition.txt with your reply.  You may if you wish, ZIP the 2 into a zip file & then attach.
( just please do not copy, paste their contents in main body of reply box here.)
 


Note. The item detected by Microsoft Defender antivirus is categorized as Potentially Unwanted Application. If that was the only item detected, it is doubtful that a "trojan" was / is involved. But in any case, I will be guiding you to ensure (by running a few other scans) that there is no current malware.
What Microsoft classifies as "potentially unwanted application" Malwarebytes classifies as PUPs, or Potentially Unwanted Programs. PUP or PUA are programs that may include advertising, toolbars, and pop-ups that are unrelated to the software you downloaded. (Meaning unwanted add-ons.)  PUPs often come bundled with other software that you installed.
These types are a lower type of potential threat.  ( as opposed to a virus, trojan, or other malicious malware).
In any event, the reports that I have asked for 'should' give (hopefully) a bit of detail like folder location and file-name.
The FRST reports are just a first step to gather some very important details about this system. It is just a report. It makes no changes.
I will guide you on next steps after I have it and have reviewed same.


Thanks.  First, as we go along, I will need you to, as much as possible, make sure you Exit out of any other program you might have open, so that the sole task is to run the procedure or the scan.   That goes especially for web browsers.

Here are the next steps.

[   1   ]

Please  set File Explorer to SHOW ALL folders, all files, including Hidden ones.  Use OPTION ONE or TWO of this article

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

[   2   ]

I suggest a new scan for viruses & other malware. This may take several hours, depending on number of files on system.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on Scan Options & select FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

  • Once you see it has started, take a long long break;  walk away.  Do not pay credence if you see some intermediate early flash messages on screen display.  The only things that count are the End result at the end of the run.
  • The scan will take several hours.  Leave it alone. It will remove any other remaining threat as it goes along.  Take a very long break, do your normal personal errands .....just do not use the computer during this scan.

 

This is likely to run for many hours   ( depending on number of files on your machine & the speed of hardware.)

The log is named MSERT.log  

the log will be at  

Windows\debug\msert.log

Please attach that log with your reply.


Please just let the scan do its thing.  It could well need another 8 hours or more to complete.  Only use the system for things that are a must to do.  "Going online" I am not sure what you meant exactly.

If you mean ensuring the system is connected to the internet, then, yes it should be connected.  If on the other hand you mean, for you to use the system, like I said, you can for things that are a must.

Other than those points, there is not something that can speed up the scan run.


P.S. I am unsure why it says started on Nov 10 and finished today. This is because, I restarted the scan in the afternoon, after suspecting that yesterday's scan didn't finish properly. The new scan started around 2 PM today, and finished just 15 minutes back. But, the scan report doesn't mention any of that. Can you shed some light?

 

 


4 hours ago, PRAp said:

.. the window said that there were no infections. But, while the scan was running, the scan window showed "5 infections found"

That really should not have displayed "infections" but rather should have said "possible suspects".  The display is an innocent but misleading wording.  The Safety Scanner rechecks with the Microsoft Defender Cloud database and resolves the "suspects" in the closing phase.  As I said, only the final result matters.

By the way, about what you "saw" on intermediate displays of the Microsoft Safety Scanner,  I would like you to review the remarks by AndyDavid about all that on this Microsoft community venue https://docs.microsoft.com/en-us/answers/questions/326108/mar-1721-msert-detects-items-during-scan-but-at-en.html

Also, the post by EricYin of Microsoft  ( just below that section)

Quote

 if nothing reported in %SYSTEMROOT%\debug\msert.log, that means no infections.

>

The Safety Scanner log shows it was started 4 times today.

Started On Thu Nov 11 13:57:53 2021

Started On Thu Nov 11 14:10:04 2021

Started On Thu Nov 11 14:35:10 2021

Started On Thu Nov 11 15:31:50 2021

and the bottom line that counts is   
Results Summary:
----------------
No infection found.
Successfully Submitted MAPS Report
Successfully Submitted Heartbeat Report
Microsoft Safety Scanner Finished On Thu Nov 11 23:12:49 2021

>

We are done with msert.exe.   You may Delete msert.exe.   I will be having you do other different scans later on.  At this point though, a custom script fix that should take less than 50 minutes or less.

We will use FRST64.exe  on Downloads folder to run a custom script.    The system will be rebooted after the script has run.

This custom script is for  PRAp  only / for this machine only.

This custom script has some specific things, plus some general aspect to help the system overall.

NOTE-1:  This script will run a scan using System File Checker to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files.  It will also run the Windows 10 DISM to check the system integrity. It will also rebuild the Winsock.  It should update the Microsoft definitions for Microsoft Defender. It should run 1 Quick scan of Microsoft Defender antivirus.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. 

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome,  and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.

 
If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached,  please disconnect any of those.

Please save the (attached file named) FIXLIST.txt   to the  Downloads  folder   

Fixlist.txt


Start the Windows Explorer and then, to the Downloads folder


RIGHT click on  FRST64.exe    and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow it to run the tool.
If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool......
click line More info information on that screen
and click button Run anyway on next screen.

on the FRST window:
Click the Fix button just once, and wait.


 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. 
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   


Please know this will do a Windows Restart.   Just let it run and finish.

Stick with me, as we will be running other scans, later. 

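The msert.log reading in the reply above (four "Started On" lines but a single "Finished On" line with its Results Summary) can be checked mechanically. The PowerShell below is an added example, not part of the thread or of any Microsoft tool; the function names Get-MsertRun and ConvertTo-MsertTime are made up here, and it assumes only the line layout quoted in the thread.

```powershell
# Sample rebuilt from the lines quoted in the thread; other lines of a real msert.log are omitted.
$sampleLog = @'
Started On Thu Nov 11 13:57:53 2021
Started On Thu Nov 11 14:10:04 2021
Started On Thu Nov 11 14:35:10 2021
Started On Thu Nov 11 15:31:50 2021
Results Summary:
----------------
No infection found.
Successfully Submitted MAPS Report
Successfully Submitted Heartbeat Report
Microsoft Safety Scanner Finished On Thu Nov 11 23:12:49 2021
'@ -split '\r?\n'

function ConvertTo-MsertTime([string]$Text) {
    # asctime-style stamp, e.g. "Thu Nov 11 13:57:53 2021"
    [datetime]::ParseExact($Text.Trim(), 'ddd MMM d HH:mm:ss yyyy',
        [cultureinfo]::InvariantCulture, [Globalization.DateTimeStyles]::AllowWhiteSpaces)
}

function Get-MsertRun {
    param([string[]]$Line)
    $runs = @()
    $run = $null
    $inSummary = $false
    foreach ($raw in $Line) {
        $text = $raw.Trim()
        if ($text -match '^Started On (.+)$') {
            # A new start closes the previous run, whether or not it ever finished.
            if ($null -ne $run) { $runs += [pscustomobject]$run }
            $run = [ordered]@{ Started = ConvertTo-MsertTime $Matches[1]; Finished = $null; Summary = @() }
            $inSummary = $false
        }
        elseif ($null -eq $run) { continue }
        elseif ($text -eq 'Results Summary:') { $inSummary = $true }
        elseif ($text -match 'Finished On (.+)$') {
            $run.Finished = ConvertTo-MsertTime $Matches[1]
            $inSummary = $false
        }
        elseif ($inSummary -and $text -and $text -notmatch '^-+$') { $run.Summary += $text }
    }
    if ($null -ne $run) { $runs += [pscustomobject]$run }
    $runs
}

# On a real system, pass (Get-Content "$env:SystemRoot\debug\msert.log") instead of $sampleLog.
Get-MsertRun $sampleLog | ForEach-Object {
    [pscustomobject]@{
        Started          = $_.Started
        Completed        = $null -ne $_.Finished
        Duration         = if ($_.Finished) { $_.Finished - $_.Started }
        NoInfectionFound = $_.Summary -contains 'No infection found.'
    }
} | Format-Table -AutoSize
```

On the sample, the first three starts come out as not completed with no summary, and only the 15:31:50 run carries a finish time and a result, which is the "bottom line that counts" in the reply.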

Thank you.  We need to do a new run using a new custom fix script.

PLEASE first delete the old file (named) FIXLIST.txt   in the  Downloads  folder

 

We will use FRST64.exe  on Downloads folder to run a custom script.    The system will be rebooted after the script has run.

This custom script is for  PRAp  only / for this machine only.

This custom script has some specific things, plus some general aspect to help the system overall.

NOTE-1:  This script will run a scan using System File Checker to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files.  It will also run the Windows 10 DISM to check the system integrity.

Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.

 
If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached,  please disconnect any of those.

Please save the (attached file named) FIXLIST.txt   to the  Downloads  folder   

Fixlist.txt


Start the Windows Explorer and then, to the Downloads folder


RIGHT click on  FRST64.exe    and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow it to run the tool.

  • If the tool warns you the version is outdated, please download and run the updated version.
  • IF Windows prompts you about running this, select YES to allow it to proceed.
  • IF you get a block message from Windows about this tool......
  • click line More info information on that screen
  • and click button Run anyway on next screen.

on the FRST window:
Click the Fix button just once, and wait.


 

You will see a green progress bar start. 
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   


Please know this will do a Windows Restart.   Just let it run and finish.


PLEASE first delete the old file (named) FIXLIST.txt   in the  Downloads  folder

 

We will use FRST64.exe  on Downloads folder to run a custom script.    The system will be rebooted after the script has run.

This custom script is for  PRAp  only / for this machine only.

This custom script is intended to do the remaining parts of the script.

Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.

 

Please save the (attached file named) FIXLIST.txt   to the  Downloads  folder   

Fixlist.txt


Start the Windows Explorer and then, to the Downloads folder


RIGHT click on  FRST64.exe    and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow it to run the tool.

on the FRST window:
Click the Fix button just once, and wait.


 

You will see a green progress bar start. 
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   


Please know this will do a Windows Restart.   Just let it run and finish.


Hello.

The run may have slowed the system IF you were using the machine during run --- while the job was running.

When the run has ended, that has no bearing on "slowness".  Once we are all finished checking for malware, and if the machine still seems slow, I can relay to you some actions to take.

>

The custom script run is good and very worthwhile doing. Next, I would like you to download and install Malwarebytes for Windows so that you then do a scan with it.  This is another check for potential malware.  See the support article "Download and install Malwarebytes for Windows"
https://support.malwarebytes.com/hc/en-us/articles/360038479134-Download-and-install-Malwarebytes-for-Windows

>

Once installed, start Malwarebytes for Windows.

 Next click the blue button marked Scan.

 

When the scan phase is done, be real sure you Review and have all detected lines items check-marked on each line on the left. That too is very critical.

>>>>>>      👉      You can actually click the topmost left  check-box  on the very top line to get ALL lines  ticked   ( all selected).         <<<<     💢


 

Please double verify you have that TOP  check-box tick marked.   and that then, all lines have a tick-mark

 

Then click on Quarantine  button.


 


Then, locate the Scan run report;  export out a copy;  & then attach in with your  reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

😉


The Malwarebytes for Windows did find threats.  & removed. PUP.Optional.WinBing + HackTool.KMSpico

HackTool.KMSpico, C:\PROGRAM FILES\KMSPICO, Quarantined
HackTool.KMSpico, C:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\PROGRAMS\KMSPICO

>

For MS Defender

Start Malwarebytes. Click Settings ( gear ) icon. Next, let's make real sure that Malwarebytes does NOT register with Windows Security Center

Click the Security Tab. Scroll down to

"Windows Security Center"

Click the selection to the left  for the line "Always register Malwarebytes in the Windows Security Center".
{ We want that to be set as Off   .... be sure that line's  radio-button selection is all the way to the Left.  thanks. }

This will not affect any real-time protection of the Malwarebytes for Windows    😃.

Close Malwarebytes.

>

Let's do one scan with Malwarebytes Adwcleaner to check for adwares. Just before pressing that "scan" button, be sure that Chrome & Edge, or other web browser are Closed.

It will not take much time,

First download & save it

https://support.malwarebytes.com/hc/en-us/articles/360038520054-Download-and-install-Malwarebytes-AdwCleaner

 

Then be sure to close all web browsers.

Then go to where the EXE file is saved. Start Adwcleaner.  Then do a scan with Adwcleaner

https://support.malwarebytes.com/hc/en-us/articles/360038520114-Malwarebytes-AdwCleaner-scan-and-clean

Attach the clean log.

>

As to laggy computers, there are several areas that you can look into.
Here are a few links to handy articles
Please know that a slow condition can be due to non-infection factors.

See https://support.microsoft.com/en-us/help/2746761/how-to-speed-up-your-slow-computer

 

See Miekiemoes blog article on slow computer situation

https://miekiemoes.blogspot.com/2008/02/help-my-computer-is-slow.html

 

also, at Bleepingcomputer

https://www.bleepingcomputer.com/forums/t/87058/slow-computerbrowser-check-here-first;-it-may-not-be-malware/

 


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy Tips to help protect from infection

Thank you

 

 
