windows security keeps allowing threats that i have already removed


iroh
Go to solution Solved by Maurice Naggar,

I got hacked just recently, and the hacker was able to access most of my social media accounts. I was able to change my passwords so I still have access to these accounts except some which I have deactivated. I also downloaded the trial version of Malwarebytes and it was able to quarantine all the threats that Windows Security wasn't able to catch, so I thought all was good already. Now my trial version of Malwarebytes is over and I've noticed over the past days that there are many allowed threats in Windows Security that keep coming up even when I've clicked the don't allow option the previous day. How should I remedy this? :(


Hello @iroh

Please do as suggested above by 1PW. We need to review the resulting reports so that we can guide you. I will guide you going forward.

[ B ] Please also be aware that Malwarebytes for Windows can still be used manually, on demand, and that it can remove any malware that it does detect.

I look forward to your reports, because I'm curious to see just what is flagged / reported by Windows Security (a.k.a. Microsoft Defender antivirus).

Curious to know just what are the

many allowed threats in Windows Security that keep coming up

Reports are a must have. Details help us to help you.

Sincerely.

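One way to produce the kind of report asked for above, as an added example that is not part of the original thread: a read-only PowerShell triage of Microsoft Defender's state (protection status, exclusion lists, and detection history), run from an elevated PowerShell on Windows 10 with the built-in Defender cmdlets. It assumes nothing about this machine and changes no settings or files.

```powershell
# Added example (not from the thread): read-only Defender triage that helps
# explain why "allowed" threats keep reappearing. Run as Administrator.
# Assumes the built-in Defender module (Get-Mp* cmdlets) is available.

# 1. Protection state: if real-time protection is off or signatures are stale,
#    detections only happen during on-demand scans and the same files resurface.
$status = Get-MpComputerStatus
[pscustomobject]@{
    RealTimeProtection = $status.RealTimeProtectionEnabled
    TamperProtected    = $status.IsTamperProtected
    SignatureUpdated   = $status.AntivirusSignatureLastUpdated
    LastQuickScan      = $status.QuickScanEndTime
} | Format-List

# 2. Exclusions: malware commonly adds its own folder or process here, which
#    makes Defender silently skip it. Every entry should be one you recognise.
$pref = Get-MpPreference
"Excluded paths:      $($pref.ExclusionPath -join '; ')"
"Excluded processes:  $($pref.ExclusionProcess -join '; ')"
"Excluded extensions: $($pref.ExclusionExtension -join '; ')"

# 3. Detection history: one row per detection event, the file that was flagged,
#    and whether the remediation action actually succeeded. A path that shows up
#    repeatedly with ActionSuccess = False is being re-created or protected by
#    something that is still running.
Get-MpThreatDetection |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object InitialDetectionTime, ThreatID, ActionSuccess,
                  @{ n = 'Resources'; e = { $_.Resources -join '; ' } } |
    Format-Table -AutoSize -Wrap

# 4. Threat catalogue: maps each ThreatID above to a name, severity, and
#    whether Defender still considers it active on this machine.
Get-MpThreat |
    Select-Object ThreatID, ThreatName, SeverityID, IsActive, DidThreatExecute |
    Format-Table -AutoSize
```

Redirect the output to a text file (for example with `*> defender-triage.txt`) to attach it to a reply.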

Good morning @iroh. I hope you are doing well. Had you had a "ransomware" prompt / notice / window on or about 20 December? I see a _Readme file that I would like for you to attach in a reply; it is in this folder: C:\Users\Admin\_readme.txt. I also noticed a pest running here by the name AdvancedWindowsManager. I will guide you (quite soon) on using a custom script to attempt to do some cleanups. Please make real sure you (or anyone else that has access to this machine) do not do any online games, instant message apps, nor do any free-wheeling web surfing. Only go to this forum and those sites I guide you to.


Hello @iroh

I will guide you along on looking for potential malware. Let's keep these principles as we go along.

  • Removing malware can be unpredictable ... things can go very wrong!
  • Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a USB-storage drive or flash/thumb drive.
  • Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Only run the tools I guide you to.
  • Do not run online games while the case is on-going. Do not do any free-wheeling web-surfing.
  • The removal of malware isn't instantaneous, please be patient.
  • Please stick with me until I give you the "all clear".

Your topic will be closed if you haven't replied within 4 days!
If I have not replied to your last post after 36 hours, please then send me a PM.

[ 1 ]

Norton Security is supposed to be the resident antivirus application. However, Windows indicates that Norton may have some issues.

Quote

Date: 2022-01-11 12:38:05
Description:
Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\SIHClient.exe) attempted to load \Device\HarddiskVolume3\Program Files\Norton Security\Engine\22.21.11.46\symamsi.dll that did not meet the Windows signing level requirements.


^

Please set File Explorer to SHOW ALL folders, all files, including hidden ones. Use OPTION ONE or TWO of this article:

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

[ 2 ]

Next, a custom script to do other checks & some other cleanups.

We will use FRST64.exe in your Desktop folder C:\Users\Admin\OneDrive - University of the Philippines\Desktop to run a custom script. The system will be rebooted after the script has run.

This custom script is for IROH only / for this machine only.

This custom script has some specific things, plus some general aspects to help the system overall. Hoping it will not exceed 60 minutes in execution time.

NOTE-1: This script will run a scan using System File Checker to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will run the Windows DISM tool to check the system. It will rebuild the Winsock.

It will attempt to update the Windows Defender antivirus, to run a quick scan in batch mode, & to get a diagnostic readout of its status.

NOTE-2: It will attempt to remove a very large number of scheduled tasks that look to be junk or not present. It will attempt to remove any remains of "advancedwindowsmanager".

  • Please be sure to close any open work files, documents, and any apps you started yourself before starting this.
  • If there are any CD / DVD / USB-flash-thumb or USB-storage drives attached, please disconnect any of those.
  • Please save the (attached file named) FIXLIST.txt to the user Desktop folder.

Fixlist.txt

Then, start Windows Explorer and go to the Desktop folder.

RIGHT click on FRST64.exe and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow it to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

  • IF you get a block message from Windows about this tool, click the line "More info" on that screen and click the button "Run anyway" on the next screen.

  • On the FRST window, click the Fix button just once, and wait.


 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity.


Thank you. The System File Checker run found some corrections to make & did that. The run overall was as intended.

I would suggest that you do this next scan. This is a known, respected tool. It will scan for viruses as well as for potentially unwanted applications (PUA or PUP).

I would suggest a free scan with the ESET Online Scanner. This will be another check for viruses, other malware, adware, & potentially unwanted applications.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

 

It will start a download of "esetonlinescanner.exe"

  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started.

 

  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes
  • When prompted for scan type, Click on Full scan

Look at & tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.

  • Have patience. The entire process may take an hour or more. There is an initial update download.

There is a progress window display. You may step away from the machine & let it be.

You should ignore all prompts to get the ESET antivirus software program (e.g. their standard program). You do not need to buy or get or install anything else.

  • When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked “View detected results”.
  • Click the blue Save scan log to save the log.

If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files” (in blue, at bottom).

Press Continue when all done. You should click to turn off the offer for “periodic scanning”.

Please make sure you attach the log report.

 


Among the many items detected & removed by ESET was a trojan - C:\Windows\System32\services32.exe, a variant of the Win64/Packed.Enigma.BV trojan. It also removed a large number of files named

_readme.txt

which were the ransom-note files from the encrypting ransomware infection. That ransomware is of the family STOP (djvu).

^

I am going to guide you to doing several different scans. Patience & persistence are called for.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system.

The download links & the how-to for running the tool are at this link at Microsoft:

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on Scan Options & select FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

  • Once you see it has started, take a long, long break; walk away. Do not pay credence to any intermediate early flash messages on the screen display. The only thing that counts is the end result at the end of the run.

Let me know the result of this. This is likely to run for many hours (depending on the number of files on your machine & the speed of the hardware).

The log is named MSERT.log

The log will be at

Windows\debug\msert.log

Please attach that log with your reply.


Hello. Thank you for the MS Safety Scanner log report. It is a perfect, clean report. No virus; no malware.

Kindly also run this diagnostic report.

This next is just a report to check on some Windows services.

Download Farbar's Service Scanner utility and save it to your Desktop.

Right-Click on fss.exe and select Run As Administrator.

Answer Yes to ok when prompted.

If your firewall then puts out a prompt, again, allow it to run.

Once FSS is on-screen, be sure the following items are check-marked:

  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center/Action Center
  • Windows Update
  • Windows Defender
  • Other services

Click on "Scan".

It will create a log (FSS.txt) in the same directory the tool is run from. Please attach that file.

[ 2 ]

I would recommend getting a readout report as to the update status of some key apps.

  • Download the SecurityCheck tool and save it on the desktop.
  • If Windows SmartScreen blocks that with a message window, then click on the MORE INFO spot, override that and allow it to proceed. This tool is safe. SmartScreen is overly sensitive.

Right-click with your mouse on the SecurityCheck.exe and select "Run as administrator" and reply YES to allow it to run & go forward.
Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file. Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt


  • Solution

Hello. The FSS report is all good. What follows is from SecurityCheck. You should study it and make time to take action.
--------------------------- [ OtherUtilities ] ----------------------------
NVIDIA GeForce Experience 3.23.0.74 v.3.23.0.74  Warning! Download Update

Python 2.7.13 v.2.7.13150  Warning! Download Update

------------------------------ [ ArchAndFM ] ------------------------------
WinRAR 5.30 beta 2 (64-bit) v.5.30.2  Warning! Download Update
------------------------------- [ Imaging ] -------------------------------
GIMP 2.10.14 v.2.10.14  Warning! Download Update
-------------------------- [ IMAndCollaborate ] ---------------------------
Cisco Webex Meetings v.41.6.7  Warning! Download Update

Discord v.0.0.309  Warning! Download Update

Telegram Desktop version 3.2.5 v.3.2.5  Warning! Download Update

--------------------------------- [ P2P ] ---------------------------------
µTorrent v.3.5.5.46038  Warning! Ad-supported P2P-client.

-------------------------------- [ Media ] --------------------------------
VLC media player v.2.2.6  Warning! Download Update
Audacity 2.4.1 v.2.4.1
--------------------------- [ AdobeProduction ] ---------------------------
Adobe Creative Cloud v.3.9.0.327  Warning! Download Update
Adobe Flash Player 18 NPAPI v.18.0.0.232  Warning! This software is no longer supported. Please uninstall it. 


Adobe Reader XI (11.0.23) v.11.0.23  Warning! This software is no longer supported. Please uninstall it and use Adobe Acrobat Reader DC.

---------------------------- [ UnwantedApps ] -----------------------------
Wondershare Helper Compact 2.6.0 v.2.6.0  Warning! Application is distributed through the partnership programs and bundle assemblies. Uninstallation recommended. Possible you became a victim of fraud or social engineering.

[ ALSO ]

Let me know how the overall situation is at this point. Let me know if you need other help.


  • 4 weeks later...

Hello.

Let's go ahead and do some clean-up work and remove the tools and logs we've run.

Please download KpRm by kernel-panik and save it to your desktop.

  • Right-click kprm_(version).exe and select Run as Administrator.
  • Read and accept the disclaimer.
  • When the tool opens, ensure all boxes under Actions are checked.
  • Under Delete Quarantines select Delete Now, then click Run.
  • Once complete, click OK.
  • A log will open in Notepad titled kprm-(date).txt.
  • You may attach that file to your next reply (not compulsory).

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy: Tips to help protect from infection

Thank you


This topic is now closed to further replies.