
PUM.Optional.disableMRT


Solved by Maurice Naggar


Hello.

My name is Maurice.  I will guide you.   

I will guide you along on looking for potential malware. Let's keep these principles as we go along.

  • Removing malware can be unpredictable... things can go very wrong!
  • Backup any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a USB-storage drive or flash/thumb drive.
  • Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Only run the tools I guide you to.
  • Do not run online games while the case is on-going. Do not do any free-wheeling web-surfing.
  • The removal of malware isn't instantaneous, please be patient.
  • Please stick with me until I give you the "all clear".

Your topic will be closed if you haven't replied within 4 days!
If I have not replied to your last post after 36 hours, please then send me a PM.

 

That is the first step.

Please set File Explorer to SHOW ALL folders, all files, including Hidden ones. Use OPTION ONE or TWO of this article:

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

[ 2 ]

Let's do one scan with Malwarebytes AdwCleaner to check for adware. Just before pressing that "scan" button, be sure that Chrome & Edge, or any other web browser, are closed.

It will not take much time.

First download & save it:

https://support.malwarebytes.com/hc/en-us/articles/360038520054-Download-and-install-Malwarebytes-AdwCleaner

Then be sure to close all web browsers.

Then go to where the EXE file is saved. Start AdwCleaner. Then do a scan with AdwCleaner:

https://support.malwarebytes.com/hc/en-us/articles/360038520114-Malwarebytes-AdwCleaner-scan-and-clean

Attach the clean log.

Please always attach reports as we go along.

Cheers.


Also, a scan I did earlier today gave me these reports [image]. I deleted these files through Malwarebytes after this, but after another scan later, this came up [image]. So basically the virus reinstalls its files, and I can say that I have a virus confidently because all my socials have been hacked; I still have access to them but there have been changes on them.


Good morning. My apologies for overlooking your Saturday replies. My bad. I had inadvertently overlooked them. Thanks for sending the PM.

The items tagged by Malwarebytes have to do with 2 registry entries that are set to disable the use of the Microsoft MRT tool, Microsoft Malware Removal Tool from Windows Update. That will be cleared up, as well as any entry for "Restoro". I also noticed on review of old reports that several branded antivirus apps have been recently added, like Avast + BitDefender. Please be sure you do not add any more such apps without letting me know. Stop making changes on your own. Check with me first.

^

We will use FRST64.exe on the Desktop folder to run a custom script. The system will be rebooted after the script has run.

This custom script is for Phantom23455 only / for this machine only.

This custom script has some specific things, plus some general aspects to help the system overall. Hoping it will not exceed 60 minutes in execution time.

NOTE-1: This script will run a scan using System File Checker to check that all Microsoft operating system files are valid and not corrupt, and attempt to correct any invalid files. It will run the Windows DISM tool to check the system. It will rebuild the Winsock.

It will remove the 2 registry entries that are the source of the PUM.Optional.disableMRT. That is a "potentially unwanted modification" and not classified as a virus.

It will remove traces of AVAST antivirus files. It will remove references to BitDefender tasks or drivers. NOTE: your system is running Norton antivirus + LifeLock, so it does not need other A-V apps.

As part of this fix it will also reset the network to default settings, including the firewall. If you have custom firewall rules you need to save, please export or save them first before running this fix.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked, please make sure you bookmark them now, as all open applications will be automatically closed.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome,  and Opera  & BRAVE caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

 

  • Please be sure to Close any open work files, documents, any apps you started yourself before starting this.
  • If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached, please disconnect any of those.
  • Please save the (attached file named) FIXLIST.txt to the user Desktop folder.

Fixlist.txt

Then, start Windows Explorer and go to the Desktop folder.

Double click on FRST64.exe and allow it to proceed. Reply YES when prompted to allow it to run. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

  • IF you get a block message from Windows about this tool, click the line "More info" on that screen and click the button "Run anyway" on the next screen.
  • On the FRST window: click the Fix button just once, and wait.


 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity. This here is not a one-shot-cure-all. There will be more to do later. Stick with me.

Edited by Maurice Naggar

Hello, thank you for the reply, here's the FIXLOG.txt.

Also, one thing I have noticed is whenever I open Gmail and go to details in the bottom right of my inbox, it shows me that "unknown" has accessed my acc and I don't know what. My Insta acc had followed like 300 random ppl I don't know, my Discord was sending scam messages to every DM and server, and there were videos being posted on my YouTube without my knowledge. Anything related to this?

Fixlog.txt


Good morning. Thank you for the log report. The run did do as intended. Overall a good worthwhile run. We need to do more scans to do additional checks on this Windows machine. We will do different checks with other tools later. Our main focus is hunting for potential malware on this one Windows machine. I will guide you on that.
^
Tell me, do you have other devices or other Windows PCs that you have used to access Gmail? If more than one device, the wording of the message on your Gmail screen or notice matters a lot. It could simply be that you accessed Gmail yourself on a different device, in which case the message is just advisory. But anyhow, you should provide the exact text of that notice on Gmail.
If needed, and if you have another machine that you know is clean, then you could consider changing the Gmail password to a new one using a "strong" password. See https://www.lastpass.com/features/password-generator
You can close the ad-window there. That site can help to generate strong passwords which you can then copy and use for your Gmail & others.
Just be sure you do NOT use the same password on more than one account.
Use different passwords for each program.
^
On the other apps you mention: "Insta acc", "Discord", "YouTube" and any other... Please stay out of them while we are scanning for malware on this machine. Let's not play online games or do any web-surfing or social apps.
^
Later on, you could change the passwords on them once this machine has been cleared.
^

[ 2 ] Keep going and do these two following steps. The first one should be real quick.

Please download Rkill from this link and save to your Desktop:

http://download.bleepingcomputer.com/grinler/rkill.exe

  • Double click on Rkill.
  • A command window will open then disappear upon completion; this is normal.
  • Please post the log if you can.

Just let me know if this did run.

[ 3 ]

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system.

The download links & the how-to-run-the-tool instructions are at this link at Microsoft:

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

Look on Scan Options & select FULL scan.

Then start the scan. Have lots of patience. Once you start the scan & you see it started, then leave it be.

  • Once you see it has started, take a long long break; walk away. Do not give credence to any intermediate early flash messages on the screen display. The only thing that counts is the end result at the end of the run.
  • Again, any on-screen display about repeat 'infection' is not to be relied on. Ignore those.
  • We only rely on the end result that is in the log-report-file.

This is likely to run for many hours (depending on the number of files on your machine & the speed of hardware).

The log is named MSERT.log and will be at:

Windows\debug\msert.log

Please attach that log with your reply. This step is not a cure-all. We have much more work to do later. Stick with me.

Edited by Maurice Naggar

Thank you for that report from the Microsoft Safety Scanner. It detected an issue with the Windows Hosts file and reports that it replaced it.
Let's get 2 different reports and also I need for you to clarify something you last wrote.
[ 1 ]

This next is just a report to check on some Windows services.

Download Farbar's Service Scanner utility and save it to your Desktop.

Right-click on fss.exe and select Run As Administrator.

Answer Yes / OK when prompted.

If your firewall then puts out a prompt, again, allow it to run.

Once FSS is on-screen, be sure the following items are check-marked:

  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center/Action Center
  • Windows Update
  • Windows Defender
  • Other services

Click on "Scan".

It will create a log (FSS.txt) in the same directory the tool is run from. Please attach that file.

[ 2 ]

A different report.

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following check-boxes:

  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices
  • List Users, Partitions and Memory size.
  • List Minidump Files

Click Go. A copy of Result.txt will be saved in the same directory the tool is run from; please attach it.

[ 3 ]

Clarify for me how you see & where you see

an "authorized Application" accesses my account

I need specificity as we go along. We will continue to hunt for malware on this Windows machine. I am trying to delineate what is or may be on this machine, as contrasted to what is wholly outside of it.


Here are the logs from the scans. Also, I found that from the details section in Gmail (bottom right of the page), which allows you to see the login activity [image]. When I click show details, this is what pops up [image]. There is nothing in manage account access, so it's probably an app on one of my devices, either my phone or my PC. I had scanned my phone, which detected a malware and also removed it, but the problem still persists.

Google also gave me this notice a few days after the hack

MTB.txt FSS.txt

Edited by AdvancedSetup
Removed images with email address in them

Thanks for the reports.

This ought to take something in the range of 15 - 25 minutes tops, depending on hardware speed.

Get & run the Malwarebytes MBAR anti-rootkit tool to do 1 run with it.

Disregard the title subject of the topic.

Run the MBAR tool as listed here:

https://forums.malwarebytes.com/topic/198907-requested-resource-is-in-use-error-unable-to-start-malwarebytes

When done, I need the MBAR logs.

Upon completion of the scan or after the reboot, two files named mbar-log.txt and system-log.txt will be created.

Both files can be found in the extracted MBAR folder on your Desktop.

Please attach both files in your next reply.


  • Solution

Thank you; excellent result from Malwarebytes anti-rootkit MBAR: no malware / no rootkit. Please do not use the Norton Power Eraser any further. I was just asking about the normal Norton Security scan. So you are saying that the Norton Security also reports no infection.

^

Next, get & run the latest (current) Microsoft Malicious Software Removal Tool for Windows.

This is something normally a part of the quarterly Microsoft Update.

Download & save MSRT from this link at Microsoft Download Center: https://www.microsoft.com/en-us/download/details.aspx?id=9905
Disregard the top part with what look like ads / promos. Scroll down & see the Download button.
Be sure to first SAVE the file to the Downloads folder or else to the DESKTOP.
When the download is completed, do a RIGHT-click with the mouse pointer & choose RUN AS ADMINISTRATOR & allow it to go forward.
IF prompted "are you sure", reply YES.
Next select QUICK scan.
If malicious software has modified (infected) files on your computer, the tool prompts you to remove the malicious software.
The Malicious Software Removal Tool scan log is located at: C:\Windows\Debug\mrt.log.
Please attach that log with your next reply.
If no infections were found, you will see in your log (at the very bottom):

Results Summary:
----------------

No infection found.

 

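As an added example that is not part of this thread (and not Malwarebytes or Microsoft tooling), the read-only PowerShell audit below covers two points raised above: the registry entries behind PUM.Optional.disableMRT, and the "Results Summary" at the bottom of C:\Windows\Debug\mrt.log. It assumes the two entries are the documented MRT policy values DontOfferThroughWUAU and DontReportInfectionInformation under HKLM\SOFTWARE\Policies\Microsoft\MRT; the thread itself does not name them.

```powershell
# Added example, not from the thread. Read-only audit of (a) the MRT policy values
# and (b) the verdict of the last MRT run. Run from an elevated PowerShell prompt.
# Assumption: the two entries behind PUM.Optional.disableMRT are the documented MRT
# policy values DontOfferThroughWUAU and DontReportInfectionInformation.

$MrtPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\MRT'
$MrtLogPath   = Join-Path $env:SystemRoot 'Debug\mrt.log'

function Get-MrtPolicyStatus {
    # One object per policy value; Disabled is $true only when the value is set to 1.
    foreach ($name in 'DontOfferThroughWUAU', 'DontReportInfectionInformation') {
        $value = $null
        if (Test-Path $MrtPolicyKey) {
            $value = (Get-ItemProperty -Path $MrtPolicyKey -Name $name -ErrorAction SilentlyContinue).$name
        }
        [pscustomobject]@{
            Name     = $name
            Value    = $value          # $null means the value is absent (the Windows default)
            Disabled = ($value -eq 1)
        }
    }
}

function Get-MrtLogSummary {
    param([string]$Path = $MrtLogPath)
    if (-not (Test-Path $Path)) {
        return [pscustomobject]@{ Found = $false; LastResult = 'mrt.log not present (MRT has not run)' }
    }
    $lines = @(Get-Content -Path $Path)
    # mrt.log appends one section per run; keep only the last "Results Summary:" block.
    $match = $lines | Select-String -Pattern '^Results Summary:' | Select-Object -Last 1
    if (-not $match) {
        return [pscustomobject]@{ Found = $true; LastResult = 'no Results Summary section' }
    }
    # LineNumber is 1-based, so $lines[$match.LineNumber] is the line after the header.
    # Skip the dashed underline and blank lines; the first text line is the verdict,
    # e.g. "No infection found." as shown in the post above.
    $rest = @()
    if ($match.LineNumber -lt $lines.Count) {
        $rest = $lines[$match.LineNumber..($lines.Count - 1)]
    }
    $result = $rest | Where-Object { $_ -and $_ -notmatch '^-+$' } | Select-Object -First 1
    if (-not $result) { $result = 'summary header present but no result line' }
    [pscustomobject]@{ Found = $true; LastResult = $result.Trim() }
}

Get-MrtPolicyStatus | Format-Table -AutoSize
Get-MrtLogSummary
```

A row with Disabled = True is the kind of modification the FRST script in this thread clears; after a clean MRT run the LastResult field should read "No infection found."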

Hello, I had scanned with Norton full scan and Power Eraser on the first day of the hack, before I submitted a post on this forum. Nothing was reported from the full scan, and Norton Power Eraser would freeze at 100% processing. After I submitted a post here and got your reply, I haven't touched any of that. Also, no infections were reported from the scan.

mrt.log


Hello. Thank you for the MRT report. A re-assuring result: no infection detected by the MRT tool.

  • Download the SecurityCheck tool and save it on the desktop.
  • If Windows SmartScreen blocks that with a message-window, then click on the MORE INFO spot and over-ride that and allow it to proceed. This tool is safe. SmartScreen is overly sensitive.

Right-click with your mouse on the Securitycheck.exe and select "Run as administrator" and reply YES to allow it to run & go forward.
Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file. Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

  • Also, be sure to let me know: how is the system overall at this point?

Hi.   Per the SecurityCheck report, these apps need your follow-up action.
NVIDIA GeForce Experience 3.23.0.74 v.3.23.0.74   Warning! Download Update
 
WinRAR 5.91 (64-bit) v.5.91.0   Warning! Download Update
 
Zoom v.5.4.6 (59296.1207)   Warning! Download Update
 
Java 8 Update 301 (64-bit) v.8.0.3010.9   Warning! Download Update
Uninstall old version and install new one (jre-8u321-windows-x64.exe).
Java 8 Update 301 v.8.0.3010.9   Warning! Download Update
Uninstall old version and install new one (jre-8u321-windows-i586.exe).
 
Spotify v.1.1.22.633.g1bab253a   Warning! Download Update
 
Mozilla Firefox (x64 en-US) v.91.0   Warning! Download Update


Hello. Good morning. I hope your weekend is going well. I do believe this system is good to go.

This next part is to do a tools cleanup before we close the case.

Let's go ahead and do some clean-up work and remove the tools and logs we've run.

Please download KpRm by kernel-panik and save it to your desktop.

  • Right-click kprm_(version).exe and select Run as Administrator.
  • Read and accept the disclaimer.
  • When the tool opens, ensure all boxes under Actions are checked.
  • Under Delete Quarantines select Delete Now, then click Run.
  • Once complete, click OK.
  • A log will open in Notepad titled kprm-(date).txt.
  • You may attach that file to your next reply (not compulsory).

[ B ]

Do a new scan with Malwarebytes for Windows.

Then locate the scan run report, export a copy, and then attach it with your reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

[ C ] Let me know if you need other help on this system.

Sincerely.


  • AdvancedSetup changed the title to PUM.Optional.disableMRT

Thank you. A few other cleanups, in case they are still around. If you see FRST64 on the Desktop, then to remove the FRST64 tool & its work files, do this. Go to your Desktop folder. Do a RIGHT-click on FRST64.exe & select RENAME & then change it to UNINSTALL.exe. Then run that (double click on it) to begin the cleanup process.
^
If these files are still around, go ahead & delete them:

  • msert.exe
  • fss.exe
  • mbar.exe


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy: Tips to help protect from infection

Thank you

 

 

This topic is now closed to further replies.