Fake Malwarebytes Security Alerts.


Hello Community,

I recently faced a security incident, impeccably handled by a member of this Community. The history of the problem can be viewed HERE.

 

Three days after the issue was resolved, Google Chrome and Microsoft Edge returned to crashing dramatically. I chose to remove them from the system, keeping only the Mozilla Firefox web browser, which runs without problems.

After these steps everything seemed to run normally, until Malwarebytes began to display alerts about flaws in the application settings: FALSE alerts, which began to affect the operation of Mozilla Firefox with occasional crashes.

 

The following ALERT appears on the Malwarebytes home screen:

 

“Careful, you're not fully protected. Some security issues may need your attention.

View details.”

 

Clicking through for details shows:

 

“Let's tidy up your security settings. To improve your security, we recommend the following changes.”

— Firewall is turned Off

— Real-Time protection

— Software Updates

— Device Scans

 

They are FALSE ALERTS!

 

— The system security settings show that Windows Defender Firewall and Network Protection are ON.

 

— Reviewing the Malwarebytes security settings, I notice that there are no problems. Malwarebytes DOES NOT SAVE the applied fixes.

When you apply Fix to the Firewall, an error screen appears, stating the following:

Windows Defender Firewall with Advanced Security on Local Computer. Error opening Windows Defender Firewall with Advanced Security snap-in.

"You do not have the correct permissions to open the Windows Defender Firewall with Advanced Security console. You must be a member of the Administrator group or the Network Operator group to perform this task. For more information contact your system administrator. Error code: 0x5".

 

Considering the previous history of the problem, I believe there is no salvation for this PC other than FORMATTING. However, before doing so, I want to learn as much as possible from this incident, which is why I created this new post.

Christmas greetings from Brazil.

 

Attachments: Tela inicial de advertência do Walwarebytes.jpg, Malwarebytes report Firewall Dewsativado.jpg, Erro ao abrir De3febder Firewall com sefurança avançada.jpg, Configurações Avançadas do Windows defender firewall.jpg

Edited by AdvancedSetup: corrected font issue

On 12/23/2021 at 1:41 PM, bediascruz said: [quote of the opening post above]

As I reported in my previous post, I faced a security issue with my PC, whose history can be consulted HERE: https://forums.malwarebytes.com/topic/281868-how-to-remove-pupoptionallegacy/

Seeking to solve the problem on my own, I re-ran the Malwarebytes Support Tool in ADVANCED MODE using the CLEAN function, and then the REPAIR SYSTEM function after Malwarebytes had been reinstalled. I was surprised: after running a SCAN, Malwarebytes presented the home screen stating that everything was OK.

 

After about two minutes, the Windows notification area showed pop-ups stating that antivirus protection and Windows Defender Firewall were DISABLED. I started Malwarebytes again, noting that the home screen had CHANGED, stating that the security settings were not active and required intervention, the same occurring with the Defender Firewall settings. I ignored the actions requested in the Windows and Malwarebytes pop-ups and performed a check-up of the system security settings, checking:

 

— Antivirus protection

— Firewall

— App and browser control (Windows smartscreen)

 

THERE was NOTHING demanding attention! The settings were perfect, signaling that both the Malwarebytes warnings and the warnings from the Windows notification area pop-ups were FALSE. I concluded that I was facing a conflict between the PC's security applications, certainly caused by an unresolved infection that had not been investigated in depth.

 

I chose to rerun the Microsoft Safety Scanner tool, this time in FULL SCAN mode, which took almost 10 hours (previously I had run a QUICK SCAN). At the end of the process, four infected files were detected, identified as the threat VirTool:Win32/DefenderTamperingRestore, and removed.

 

The log generated by the Microsoft Safety Scanner reports that this threat has been removed, but the symptoms remain.

In addition to what has already been done, what can we do to restore the health of the system?

 

Attachments: Security OK.jpg, Windows fake notifications.jpg, Security requires attention.jpg, msert.log

Root Admin (AdvancedSetup):

Hello @bediascruz

As said, the Security Advisor is in development and we continue to correct reported issues. Let me have you gather some logs for me and we'll see what we can do to assist, and whether there really is an issue or not.

 

 

Please do the following so that we can get started and see what's going on.

The Farbar Recovery Scan Tool is a free Windows utility designed to create troubleshooting logs for your computer. These logs help our Support team to identify and resolve issues with your computer.

There are two versions of the Farbar Recovery Scan Tool available for download: 32-bit and 64-bit.
To find which operating system is installed on your computer, refer to Microsoft's article: 32-bit and 64-bit Windows: Frequently asked questions

Download and launch Farbar Recovery Scan Tool

  1. Download the Farbar Recovery Scan Tool.
     Do not click on any ads.
  2. Locate the file you downloaded on your computer.
     Downloaded files are often saved to the Downloads folder.
  3. Double-click the downloaded file to run the Farbar Recovery Scan Tool.
  4. A "Windows protected your PC" notification may appear. This notification is from the Windows Defender SmartScreen filter, which prevents unfamiliar apps from running on your PC.
     Disable SmartScreen ONLY if it interferes with software we may have to use: What is SmartScreen and how can it help protect me?
       a. Click More info.
       b. Click Run anyway.
  5. When the User Account Control window appears, click Yes.
  6. To accept the Disclaimer of warranty, click Yes.
  7. Ensure only the boxes listed below are checked:
       Registry, Services, Drivers, Processes, Internet, One month, Addition.txt
  8. Disable any antivirus software you have installed ONLY if it stops software we may use from working.
     Please remember to re-enable any antivirus software when we are finished running scans.
     Click Scan. The scan may take a few minutes to complete.
  9. When the scan completes, Farbar Recovery Scan Tool shows two messages:
       • Scan completed. FRST.txt is saved in the same directory FRST is located.
       • Addition.txt is saved in the same directory FRST is located.
     Click OK to close each message window.

Please attach both of those logs on your next reply; DO NOT copy/paste the contents of the logs directly.

Thank you

 


Hello

Thanks for your precious cooperation.

Attachments: Addition.txt, FRST.txt

Root Admin (AdvancedSetup):

Hello @bediascruz

Please go to Control Panel > Programs > Programs and Features and uninstall the following:

  • Bonjour
  • CCleaner (most computer experts no longer recommend this program)
 

 

 

The logs show that the system is running one or more P2P torrenting programs.

The act of torrenting itself is not illegal. However, downloading and sharing unsanctioned copyrighted material is very much illegal, and there is always a chance of getting caught by the authorities.
Torrenting non-copyrighted material is perfectly fine and is allowed. We have seen an increase in malware being bundled with software downloads over P2P. Some users have had all their data encrypted via ransomware via P2P.
Please keep in mind when sharing files that you're increasing the risk that your system might get infected. Scan all files prior to running them.

 

Please note that, due to the age of this computer, it was not designed to run Windows 10 and as such it may not fully support all operations and nuances of Windows 10. We will do our best to see if we can make it work as well as possible, though.

BIOS: Award Software International, Inc. F4 01/05/2011
Motherboard: Gigabyte Technology Co., Ltd. G41MT-S2

 

 

Windows Defender has had some issues with updating recently. We'll run some cleanup work and see if that helps correct the issue.

 

I'm curious why you're running this. Are you still using some type of software or hardware that requires onboard license protection?

(Flexera Software LLC -> Flexera) C:\Program Files (x86)\Common Files\Macrovision Shared\FlexNet Publisher\FNPLicensingService.exe

 

 

 

 

Please download the attached fixlist.txt file and save it to the Desktop or the location where you ran FRST from.
NOTE: It's important that both files, FRST or FRST64 and fixlist.txt, are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

NOTE-3: As part of this fix it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

Attachment: fixlist.txt

Thanks

With respect to your question about FNPLicensingService.exe, it is NOT associated with any hardware or software in use on the device. The system logs show that this file was injected into the system on 02/11/2021, more or less when the first symptoms that gave rise to the problem we are dealing with began.

Your question also made me curious and I wanted to know more about it; I read reports on the Web stating that this file is disguised malware.

 

I thought it prudent to inform you about this matter before performing the recommended FRST actions.

I removed Bonjour and CCleaner. Additionally, I also removed the P2P software qBittorrent, which I had been using, perfectly understanding the relevance of your warnings.

A fact you might find interesting: during the Bonjour removal, Malwarebytes presented a malware alert.

 

I am ready to proceed with the recommended procedures if I do not have further instructions arising from the above facts. I remain awaiting your orders.

 

Thanks.


Root Admin (AdvancedSetup):

Thank you @bediascruz

Well, it can be, but it can also be legitimate, which is why I asked. I've added it for removal to the FIXLIST.txt.

Please use this updated FIXLIST.TXT and run the FIX as shown above.

When completed please post back the FIXLOG.txt file.

Attachment: fixlist.txt

Thank you

Hi

After executing your instructions, I notice that Security Advisor reports the need for attention with the Windows Defender Firewall ("Firewall is turned off"), which is a FALSE message.
When running the Windows Defender Firewall with Advanced Security snap-in, an error screen appears (Error 0x5) stating that the feature is blocked.

When I use the native Defender Firewall option “Restore Firewalls to Default”, there is no success. When running Microsoft's online FIX for Defender Firewall problems, the tool reports that it could not IDENTIFY the problem.

I've been using Malwarebytes for over 10 years. It is also installed in my customer base. During this period, this is the second time I have faced a serious incident.
I have received prompt and competent attention from Malwarebytes Support, confirming my complete confidence in this product.
If there is a need to format the device's disk, I will gladly do so with the wonderful knowledge that Malwarebytes support has provided me with this incident.

I remain awaiting your esteemed orders.
Thanks.

 

Attachment: Fixlog.txt

Root Admin (AdvancedSetup):

Hello @bediascruz

There is no doubt that sometimes a fresh, clean install of Windows will make the system work much better, but it is often a time-consuming task that most customers do not want to tackle.

We can try a few things to see if we can still fix Windows and, if that does not work, then decide whether to reinstall Windows if wanted.

Please run the following for me.

 

Please download the following tool

Farbar Service Scanner and run it on the computer with the issue
http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/

 

Make sure the following options are checked:

  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center/Action Center
  • Windows Update
  • Windows Defender

Click "Scan"

It will create a log (FSS.txt) in the same directory the tool is run.
Please attach the log to your next reply.

 


Root Admin (AdvancedSetup):

Please open Regedit.exe and browse to this key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender

Find this entry:

DisableAntiSpyware

Change the value from 1 to 0 (zero).

 

Then open an elevated admin command prompt and type the following

SFC /SCANNOW 

 

Let me know what it says @bediascruz

 

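As an added example that is not part of this thread (and not a Malwarebytes or Farbar tool), here is a PowerShell audit that checks from one elevated shell the things the Farbar Service Scanner request and the registry fix above cover by hand: the DisableAntiSpyware/DisableAntiVirus values (the Policies\ twin key is an assumption not mentioned in the thread), the firewall profile state that Security Advisor and the Windows Security app disagreed about, the services behind the firewall, Defender and Security Center, Defender's own status, and, for the 0x5 (access denied) error on the snap-in, whether the shell is elevated plus the ACL on the firewall policy registry key. That last ACL check is my guess at a useful thing to look at, not a diagnosis the thread reached.

```powershell
# Added audit script (example only, not from the forum thread). Run from an
# elevated PowerShell on Windows 10. Assumptions: the cmdlets used ship with
# Windows 10 (NetSecurity and Defender modules); the Policies\ key is an extra
# location tampering tools and Group Policy use, not one the thread named.

function Test-IsElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

if (-not (Test-IsElevated)) {
    Write-Warning 'Not elevated: re-run as Administrator before trusting these results (this alone explains a 0x5 on wf.msc).'
}

# 1. Defender policy/tamper switches. The thread's fix was setting DisableAntiSpyware to 0.
$defenderKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows Defender',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'   # extra location (assumption)
)
foreach ($key in $defenderKeys) {
    foreach ($name in 'DisableAntiSpyware', 'DisableAntiVirus') {
        $v = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        if ($null -ne $v) {
            $flag = if ($v -eq 1) { 'SUSPICIOUS (protection disabled)' } else { 'ok' }
            '{0}\{1} = {2}  {3}' -f $key, $name, $v, $flag
        } else {
            '{0}\{1} : not present (default, ok)' -f $key, $name
        }
    }
}

# 2. Firewall profiles: Security Advisor and the Windows Security app should agree with this.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction |
    Format-Table -AutoSize

# 3. The services Farbar Service Scanner inspects. A missing, stopped or disabled
#    service here explains "Firewall is turned off" even when the Settings UI says ON.
$services = 'MpsSvc', 'BFE', 'WinDefend', 'wscsvc', 'SecurityHealthService', 'wuauserv'
foreach ($s in $services) {
    $svc = Get-Service -Name $s -ErrorAction SilentlyContinue
    if ($null -eq $svc) { "$s : MISSING"; continue }
    '{0,-22} {1,-8} start={2}' -f $s, $svc.Status, $svc.StartType
}

# 4. Defender's own view of itself (Defender module, present on Windows 10).
Get-MpComputerStatus |
    Select-Object AMServiceEnabled, AntivirusEnabled, RealTimeProtectionEnabled, IsTamperProtected |
    Format-List

# 5. For the 0x5 snap-in error: who can write the firewall policy key. Administrators
#    and SYSTEM should have full control; anything else or a missing entry is worth noting.
Get-Acl -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy' |
    Select-Object -ExpandProperty Access |
    Format-Table IdentityReference, RegistryRights, AccessControlType -AutoSize
```

Read the output top to bottom: a 1 in step 1, a disabled profile in step 2, or a stopped/missing MpsSvc or BFE in step 3 is a concrete finding to report, whereas all-green output means the "Firewall is turned off" alert came from the advisor itself rather than from the firewall.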

Hello


It was a rich learning experience, absorbing knowledge and recommendations of high value.
I am immensely grateful to MKDB and to you for your competent support.

Malwarebytes Antimalware has been my preferred security application for over 10 years and will continue to be mainly for the impeccable and responsible support offered.

Thanks.


3 months later...

Root Admin (AdvancedSetup):

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy Tips to help protect from infection

Thank you

 

 

This topic is now closed to further replies.