
Malwarebytes didn't fully remove malware that hid when opening Task Manager



Hi!

A few weeks ago I downloaded a few "cracked" documents which I think carried some malware. I say this because the day after that happened my computer's fans would go into overdrive as soon as it was turned on, and they'd never stop. I realized that when I opened Task Manager the CPU would cool down again and the fans would ultimately stop; but as soon as I closed Task Manager they would amp up again.

-Note: The cracked documents were deleted the same day I downloaded them.

I read in a few forums here about malware that can hide from Task Manager, so I downloaded Malwarebytes and scanned my computer; as I thought, it did have a lot of malware ".exe" files. After placing this malware in quarantine I deleted it from my computer. All seemed fine, but after just a few hours of working on my computer the fans ramped up again, and when opening TM they would calm down again, getting me back to square one. I opened up Malwarebytes and scanned again, but this time it says it's clean, as in I had successfully deleted the previously detected malware. If this is so, then why is my CPU overheating as soon as I turn my computer on? Is there another malware hiding that Malwarebytes can't detect?

Please help,

Thank you kindly!

P.S.: I'm attaching the initial scan I did before deleting the malware from my computer.

MALWARE.txt FRST.txt

Edited by AdvancedSetup
Corrected font issue
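Added example, not part of the original post and not a Malwarebytes tool: a PowerShell sampler that logs the top CPU consumers at a fixed interval and records whether Task Manager was open at each sample. It reads each process's cumulative processor time twice per interval and takes the difference, so it does not depend on Task Manager at all; a process that throttles itself only while taskmgr.exe is running still shows up in the samples taken while Task Manager is closed, which is the behaviour described above. The interval, sample count and output path are assumed values.

```powershell
# Added example (not from the thread or any Malwarebytes tool): log the top CPU
# consumers every few seconds, noting whether Task Manager is open at each sample.
# Cumulative CPU time is read twice per interval; the difference gives utilisation
# without relying on Task Manager. Run from an elevated PowerShell prompt.
param(
    [int]$IntervalSeconds = 5,
    [int]$Samples = 24,                                            # 24 x 5 s = two minutes
    [string]$LogPath = "$env:USERPROFILE\Desktop\cpu-samples.csv"  # assumed location
)

$cores = [Environment]::ProcessorCount

for ($i = 0; $i -lt $Samples; $i++) {
    # Snapshot of cumulative processor time per PID (protected processes are skipped)
    $before = @{}
    foreach ($p in Get-Process) {
        try { $before[$p.Id] = $p.TotalProcessorTime } catch { }
    }

    Start-Sleep -Seconds $IntervalSeconds

    $stamp     = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    $tmRunning = [bool](Get-Process -Name taskmgr -ErrorAction SilentlyContinue)

    $rows = foreach ($p in Get-Process) {
        if (-not $before.ContainsKey($p.Id)) { continue }     # started during the interval
        try { $after = $p.TotalProcessorTime } catch { continue }
        $deltaSec = ($after - $before[$p.Id]).TotalSeconds
        $path = $null
        try { $path = $p.Path } catch { }                      # null for protected processes
        [pscustomobject]@{
            Time        = $stamp
            TaskMgrOpen = $tmRunning
            ProcessId   = $p.Id
            Name        = $p.ProcessName
            CpuPercent  = [math]::Round(100 * $deltaSec / ($IntervalSeconds * $cores), 1)
            Path        = $path
        }
    }

    # Keep the five busiest processes of this interval; append so the CSV grows per sample
    $rows | Sort-Object CpuPercent -Descending | Select-Object -First 5 |
        Export-Csv -Path $LogPath -Append -NoTypeInformation
}

"Samples written to $LogPath"
```

Open the CSV afterwards and filter on TaskMgrOpen = False: a name that tops the list only in those rows, and whose Path is outside the usual program directories, is the candidate to look at, and the Path column gives the file to upload to a scanner rather than guessing from the process name.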

  • Root Admin

Hello @Cetto03

Please temporarily uninstall Avast antivirus and restart the computer. Then run the following scans.

 

SCAN 1

 

Microsoft Safety Scanner

Please make sure you exit out of any other program you might have open so that the sole task is to run the following scan.
That goes especially for web browsers: make sure all are fully exited, and that messenger programs are closed as well.
 

STEP 1

Please set File Explorer to SHOW ALL folders, all files, including hidden ones.  Use OPTION ONE or TWO of this article

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

STEP 2

I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & how to run the tool are at this link at Microsoft:

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look at the Scan Options & select the FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

  • Once you see it has started, take a long, long break; walk away. Do not pay credence to any intermediate early flash messages on the screen display. The only thing that counts is the end result at the end of the run.
  • The scan will take several hours. Leave it alone. It will remove any other remaining threats as it goes along. Take a very long break, do your normal personal errands... just do not use the computer during this scan.

This is likely to run for many hours as previously mentioned (depending on the number of files on your machine & the speed of the hardware).

The log is named MSERT.log and the log will be at C:\Windows\debug\msert.log

Please attach that log with your next reply.

 

SCAN 2

Let me have you run a different scanner to double-check.

I would suggest a free scan with the ESET Online Scanner

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe"
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started. 
  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes 
  • When prompted for scan type, Click on Full scan 
  • Look at & tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.
  • Have patience. The entire process may take an hour or more. There is an initial update download.
  • There is a progress window display.
  • You should ignore all prompts to get the ESET antivirus software program (e.g. their standard program). You do not need to buy or get or install anything else.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked “View detected results”.
  • Click the blue “Save scan log” to save the log.
  • If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files” (in blue, at the bottom).
  • Press Continue when all done. You should click to turn off the offer for “periodic scanning”.

 

Note: If you do need to do a File Restore from ESET please follow the directions below

[KB2915] Restore files quarantined by the ESET Online Scanner version 3

https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner

 

Thank you

 


  • Root Admin

Yes, once we're all done you can reinstall Avast.

 

Please run the following steps and post back the logs as an attachment when ready.
Temporarily disable your antivirus or other security software first. Make sure to turn it back on once the scans are completed.
Temporarily disable Microsoft SmartScreen to download software below if needed. Make sure to turn it back on once the scans are completed.
If you still have trouble downloading the software please click on Reveal Hidden Contents below for examples of how to allow the download.

 


When downloading with some browsers you may see a different style of screens that may block FRST from downloading. The program is safe and used hundreds of times a week by many users.

Example of Microsoft Edge blocking the download (screenshots not reproduced here)

 



STEP 01

  • If you already have Malwarebytes installed then open Malwarebytes and click on the Scan button. It will automatically check for updates and run a Threat Scan.
  • If you don't have Malwarebytes installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and select Scan and let it run.
  • Once the scan is completed make sure you have it quarantine any detections it finds.
  • If no detections were found click on the Save results drop-down, then the Export to TXT button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If there were detections then once the quarantine has completed click on the View report button, then click the Export drop-down, then the Export to TXT button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If the computer restarted to quarantine you can access the logs from the Detection History, then the History tab. Highlight the most recent scan and double-click to open it. Then click the Export drop-down, then the Export to TXT button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know in your next reply that the scanner would not run.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Double-click to run the program
  • Accept the End User License Agreement.
  • Wait until the database is updated.
  • Click Scan Now.
  • When finished, if items are found please click Quarantine.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Attach or Copy its content into your next reply.

RESTART THE COMPUTER Before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here each time.
  • Please attach the Addition.txt log to your reply as well.
  • On your next reply, you should be attaching FRST.txt and Addition.txt to your post, every time.

 

Thanks


  • Root Admin

Definitely something strange going on. This is a critical part of Windows.

Error: (04/01/2022 04:38:38 PM) (Source: Software Protection Platform Service) (EventID: 16385) (User:)
Description: Could not schedule the software protection service to restart at 2121-12-11T22:38:38Z. Error code: 0x800706BA.

Error: (04/01/2022 02:42:41 PM) (Source: Wininit) (EventID: 1015) (User:)
Description: Critical system process C:\WINDOWS\system32\lsass.exe failed with status code c0000005. The computer should now restart.

 

 

Please download and run the following Kaspersky antivirus scanner to remove any found threats

Kaspersky Virus Removal Tool

Let me know if it finds anything or not

 


  • Root Admin

Nothing found. Let's try one more scanner.

 

Sophos Scan & Clean

Download Sophos Free Virus Removal Tool and save it to your desktop.

  • If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....
  • Please close all other open applications and Do Not use your PC whilst the scan is in progress... This scan is very thorough so it may take several hours to complete, please be patient...

 

Double click the icon and select Run

Click Next

Select I accept the terms in this license agreement, then click Next twice

Click Install

Click Finish to launch the program

  • Once the virus database has been updated click Start Scanning

If any threats are found click Details, then View log file... (bottom left hand corner)

 

Attach the results in your next reply

  • Close the Notepad document, close the Threat Details screen, then click Start cleanup

Click Exit to close the program

 

If no threats were found please confirm that result...

The Virus Removal Tool scans the following areas of your computer:
  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable

Mapped network drives are not scanned.

Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

 

Saved logs are found under this sub-folder: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs 

Please attach that log on your next reply

Thank you

 


  • Root Admin

I doubt there is anything wrong with this file, but it showed up in a couple of scanners.

Please open https://virustotal.com

Then choose File and upload this file and have them rescan it.

C:\WINDOWS\system32\drivers\stornvme.sys

 

Then post back the link to VirusTotal

 


  • Root Admin
Click on  START - RUN and type in SIGVERIF and click OK
 
This is a Microsoft File Signature Verification program that will check the status of some files for us.


  • Click on the  START button and let it run. 
  • It will popup a box when it's done to show the status, you can close that box.
  • Close the  File Signature Verification application.
  • On Windows 7 / 10 find and attach the file C:\Users\Public\Documents\SIGVERIF.TXT to your next reply.
  • DO NOT post the log directly into your reply, attach the file please.
 
 

 

Edited by AdvancedSetup
Updated information

  • Root Admin

Thank you again @Cetto03

 

I'm not saying the information below is the issue but something is odd on this computer.

 

My copy of this file is signed

opencl.dll               12/15/2021     3.0.1.0             Signed              nv_disp.cat         Microsoft Windows Hardware Compatibility Publisher


Your copy is not signed

opencl.dll               05/06/2021     3.0.1.0             Sin firma           N/D                 


You also have many other unsigned files from some application.


[c:\windows\system32\driverstore\filerepository\helloface.inf_amd64_740102fec05a8397]
facedetectorresource     16/11/2021     Ninguno             Sin firma           N/D                 
faceprocessor.dll        16/11/2021     Ninguno             Sin firma           N/D                 
faceprocessorcore.dl     16/11/2021     Ninguno             Sin firma           N/D                 
facerecognitionengin     16/11/2021     Ninguno             Sin firma           N/D                 
facerecognitionengin     16/11/2021     Ninguno             Sin firma           N/D                 
facerecognitionengin     16/11/2021     Ninguno             Sin firma           N/D                 
facerecognitionengin     16/11/2021     Ninguno             Sin firma           N/D                 
facerecognitionengin     16/11/2021     Ninguno             Sin firma           N/D                 
facerecognitionengin     16/11/2021     Ninguno             Sin firma           N/D                 
facerecognitionengin     16/11/2021     Ninguno             Sin firma           N/D                 
facerecognitionengin     16/11/2021     Ninguno             Sin firma           N/D                 
facerecognitionsenso     16/11/2021     Ninguno             Sin firma           N/D                 
facerecognitionsenso     16/11/2021     Ninguno             Sin firma           N/D                 
facerecognitionsenso     16/11/2021     Ninguno             Sin firma           N/D                 
facerecognitionsenso     16/11/2021     Ninguno             Sin firma           N/D                 
facetrackerinternal.     16/11/2021     Ninguno             Sin firma           N/D                 
helloface.dll            16/11/2021     Ninguno             Sin firma           N/D        


I realize this is supposed to be a Microsoft application and is used to sign into your computer. If something is that important then I'd think for sure those files would be signed.

https://thegeekpage.com/windows-hello-face-is-not-working-in-windows-10/

 


How was this computer originally setup, installed? Did you use 100% genuine Windows 10 installation media directly from Microsoft?

 

 

Edited by AdvancedSetup
Updated information
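Added example, not part of the thread and not a Malwarebytes or Microsoft tool: a PowerShell check that reproduces the SIGVERIF-style table for the files discussed in the last two posts (opencl.dll, stornvme.sys and the helloface.inf_* driver-store folder) using the built-in Get-AuthenticodeSignature cmdlet, so the signed/unsigned comparison can be repeated without the GUI. The output file location is an assumed value; catalog-signed Windows files are reported as Valid only when the matching catalog is installed, so sigverif remains the authoritative check.

```powershell
# Added example (not from the thread): check Authenticode signatures of the files
# discussed above with Get-AuthenticodeSignature and produce a SIGVERIF-style table.
# The paths are the ones named in the thread; $OutFile is an assumed location.
param(
    [string[]]$Paths = @(
        "$env:SystemRoot\System32\opencl.dll",
        "$env:SystemRoot\System32\drivers\stornvme.sys",
        "$env:SystemRoot\System32\DriverStore\FileRepository\helloface.inf_*"
    ),
    [string]$OutFile = "$env:USERPROFILE\Desktop\signature-check.csv"
)

# Expand wildcards, recurse into matched directories and keep only executable images
$files = foreach ($p in $Paths) {
    Get-ChildItem -Path $p -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.dll', '.sys', '.exe' }
}

$report = foreach ($f in $files) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    [pscustomobject]@{
        File     = $f.Name
        Modified = $f.LastWriteTime.ToString('yyyy-MM-dd')
        Version  = $f.VersionInfo.FileVersion
        Status   = $sig.Status        # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer   = $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'N/A' })
        Path     = $f.FullName
    }
}

$report | Sort-Object Status, File |
    Format-Table File, Modified, Version, Status, Signer -AutoSize
$report | Export-Csv -Path $OutFile -NoTypeInformation

# Anything other than Valid under a Windows system directory is worth a second look,
# e.g. by uploading the file to VirusTotal as suggested earlier in the thread.
$report | Where-Object Status -ne 'Valid' | Select-Object Path, Status
```

HashMismatch is the status that matters most for a file like opencl.dll that the vendor normally ships signed: it means the file carries a signature but its contents no longer match it, which is a stronger reason to upload it than a plain NotSigned result for a component that may never have been signed.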

Yes, this computer was provided by my bosses at the company where I work. The installation was done by the IT people at the company and I (being there) can confirm it was all legitimately set up (100% genuine Windows 10).

I've had this same computer for about 4 years, I never had any issue until I downloaded the "cracked" documents I mentioned at the beginning of this post.

The odd thing is that the first scan I did with Malwarebytes DID find a few Trojan viruses. After quarantine and deletion it started working fine, but just for a few hours.


  • Root Admin

Thanks again @Cetto03 for the logs.

Well, the good thing is those files are not listed as an issue today. But, for some reason, Notepad, which is a very basic program, faulted.

 

Error: (01/05/2022 09:26:08 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: El programa Notepad.exe (versión 10.2103.6.0) dejó de interactuar con Windows y se cerró. Para ver si hay más información disponible sobre el problema, comprueba el historial de problemas en el panel de control de seguridad y mantenimiento.
Id. de proceso: f68
Hora de Inicio: 01d80248774dfb05
Hora de finalización: 5
Ruta de la aplicación: C:\Program Files\WindowsApps\Microsoft.WindowsNotepad_10.2103.6.0_x64__8wekyb3d8bbwe\Notepad\Notepad.exe
Id. de informe: ba009dc5-8e57-46bd-adb1-20db813c95a1
Nombre completo del paquete con errores: Microsoft.WindowsNotepad_10.2103.6.0_x64__8wekyb3d8bbwe
Id. de la aplicación relativa al paquete con errores: App
Tipo de bloqueo: Unknown

 

 

These are from yesterday and they did not show up again today.

 

Error: (04/01/2022 04:38:38 PM) (Source: Software Protection Platform Service) (EventID: 16385) (User:)
Description: The software protection service could not be scheduled to restart at 2121-12-11T22:38:38Z. Error code: 0x800706BA.

Error: (04/01/2022 02:42:41 PM) (Source: Wininit) (EventID: 1015) (User:)
Description: C:\WINDOWS\system32\lsass.exe critical system process failed with status code c0000005. The computer should now restart.

 

Please shut down the computer and leave it off for a few minutes. Also unplug the power from your network router and leave it off for a couple minutes.

Then plug the router back in and wait about 3 minutes. Then turn the computer back on again and run the Farbar scan again and post new logs. We'll see if any new errors crop up.

 


  • Root Admin

Okay, so no other errors today about those items. I think we can assume it was just a transitory temporary issue.

What does keep coming back though is the following which indicates there is another computer with the same name on your network.

 

Error: (06/01/2022 09:01:45 AM) (Source: Server) (EventID: 2505) (User:)
Description: The server could not bind to the transport \Device\NetBT_Tcpip_{B7C014E7-772F-46C9-8850-643C9ECFAA84} because another computer on the network has the same name. The server cannot be started.

Error: (06/01/2022 09:01:16 AM) (Source: Server) (EventID: 2505) (User:)
Description: The server could not bind to the transport \Device\NetBT_Tcpip_{B7C014E7-772F-46C9-8850-643C9ECFAA84} because another computer on the network has the same name. Unable to start the server.

Error: (06/01/2022 09:01:15 AM) (Source: Server) (EventID: 2505) (User:)
Description: The server could not bind to the transport \Device\NetBT_Tcpip_{2A6BFF69-B9EE-4AD7-A813-6A568D27BB01} because another computer on the network has the same name. The server cannot be started.

 

Your current computer name: DESKTOP-7B0RFLC

If this is a business computer that is joined to a Domain then you'd probably need your IT Support team to rename your computer.

If it's a home computer and not joined to a Domain then you can change the name on your own.

https://www.thewindowsclub.com/change-computer-name-windows-10

 

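Added example, not part of the thread: a PowerShell check for the duplicate-name condition behind the EventID 2505 entries above. It pulls the recent 2505 events from the System log, lists the adapters so the NetBT_Tcpip_{GUID} transport in the event can be matched to one, shows the local NetBIOS name table with nbtstat (a "Conflict" status there confirms another host registered the same name), and reports domain membership so it is clear whether the rename is an IT-support job or something the user can do. Nothing is renamed. It assumes a Windows 10 host with the NetAdapter module and nbtstat available.

```powershell
# Added example (not from the thread): confirm the duplicate-name condition behind
# EventID 2505 and decide who should rename the machine. Nothing is changed here.

# Most recent Server (srv) EventID 2505 entries from the System log
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 2505 } `
                       -MaxEvents 20 -ErrorAction SilentlyContinue
if ($events) {
    $events | Select-Object TimeCreated, ProviderName,
        @{ Name = 'Message'; Expression = { $_.Message -replace '\s+', ' ' } } |
        Format-Table -Wrap
} else {
    'No EventID 2505 entries found in the System log.'
}

# Map the NetBT_Tcpip_{GUID} transport named in the event to a network adapter
Get-NetAdapter | Select-Object Name, Status, InterfaceGuid | Format-Table -AutoSize

# Local NetBIOS name table: a status of "Conflict" means another host on the LAN
# has registered the same name
& nbtstat -n

# Domain membership decides who may rename the computer
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
[pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    PartOfDomain = $cs.PartOfDomain
    Domain       = $cs.Domain
    Workgroup    = $cs.Workgroup
} | Format-List

if ($cs.PartOfDomain) {
    "Domain-joined ($($cs.Domain)): ask the IT support team to rename this computer."
} else {
    'Not domain-joined: an administrator can rename it with ' +
    'Rename-Computer -NewName <NewName> -Restart'
}
```

A name conflict on its own is a configuration problem rather than an infection, but on a business network it is worth reporting to IT either way: if the other machine using this name is not one they know about, that is something they will want to find.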

I decided to restore my computer to its factory settings. I still have every file backed up from before it got infected. However, I'd like to thank you for your help! I am thinking of dropping Avast Business and starting to use Malwarebytes' antivirus; I was rather pleased with how quickly it detected the Trojan viruses.

Thank you again Root Admin!


  • Root Admin

You're quite welcome @Cetto03

I will go ahead then and close your topic and wish you the best.

Take care and stay safe out there.

 

 

  1. Recommend using a Password Manager for all websites, etc. that require a password. Never use the same password on more than one site.
    https://www.howtogeek.com/240255/password-managers-compared-lastpass-vs-keepass-vs-dashlane-vs-1password/
  2. Keep all software up to date - PatchMyPC - https://patchmypc.com/home-updater#download
  3. Keep your Operating System up to date and current at all times - https://support.microsoft.com/en-us/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2
  4. Install a content blocker for your browser. Malwarebytes Browser Guard (Free)
    Firefox: https://addons.mozilla.org/en-GB/firefox/addon/malwarebytes/
    Chrome: https://chrome.google.com/webstore/detail/malwarebytes-browser-guar/ihcjicgdanjaechkgeegckofjjedodee 
  5. Further tips to help protect your computer data and improve your privacy: https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/ 

 

Further reading if you like to keep up on the malware threat scene: Malwarebytes Blog  https://blog.malwarebytes.com/

 

Thank you for using Malwarebytes or working with us to help you.

Cheers

 

 


  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy Tips to help protect from infection

Thank you

 

 
