Undetected malware is searching my laptop drives - Toshiba Satellite, W10


Solved by AdvancedSetup

Toshiba Satellite C55-B with Windows 10 Home, which is updated. I browse using Brave, which is current.

I have MBAM 3 Premium (up-to-date) and let it scan my laptop early this month (scan attached). Although it took 3 days to run, and got slower the longer it scanned, nothing was detected. I also have active protection from the now-unsupported WinPatrol, and passive protection from BrightFort's SpywareBlaster, which I updated a few days ago.

Sometimes, I notice that MBAM 3.0 is not running and it can be slow to run from the desktop or start menu, or even difficult to get it running from the systray if it loaded. I have also noticed that entering text into webforms on various types of websites coincides with significant lag in that task, which makes me suspicious of... keylogging? I thought it was Grammarly, which I uninstalled and noticed a temporary improvement, but it started happening again.
 

Over the last few days, I've noticed something attempting to access my (empty) DVD drive (which also means it's accessing my ext. HDD, I'd bet) when there is no reason for that to happen. I'm aware that such a search is a common indicator of malware. 

Late last month I purchased what I thought was a legit copy of W10 Pro but, after starting to install it, I discovered that it was W10 Home and aborted. The key was one for W7 (according to MS). This may also have been a source of trouble.

FYI, Zelotes is the brand name of my vertical mouse. Zelotes is not on the MBAM allow list. I seem to recall disabling it from startup using CCleaner, but it shows as being active. It's Russian, I think, so it might be suspect. I just got a message from Windows Security that some of the exploit security on this laptop had been disabled, so I enabled it. None of the protection modules in MBAM were off, though. I then checked Zelotes' monitor.exe on VirusTotal and noted these two results (https://www.virustotal.com/gui/file/6893b6458a44112fe09bb835abc969e2770cb07ae4b64c4de91939fdcf66f78b):

Malwarebytes  MachineLearning/Anomalous.100%

SecureAge APEX    Malicious

 

Scanning that folder directly with MBAM yielded no results. I have attached the requested MBAM and FarBar scan reports.

I realize that you're probably very busy helping people. Thank you in advance!

 

 

 

Addition.txt FRST.txt MBAM weekly auto-scan 1-24-22.txt MBAM custom scan 1-5-22.txt last MBAM daily quick scan 1-26-22.txt


  • Root Admin

Hello @GlennM2

Please go to Control Panel, Programs, Programs and Features and uninstall the following:

  • Bonjour
  • CCleaner Browser
  • CCleaner (computer experts no longer recommend this program)
  • Defraggler (Windows 10 already implements an automated scheduled task to defrag)
     

 

Note: You actually have Malwarebytes version 4.5.2.157 installed, not version 3, but that's a good thing.

 

Note: Keepass has been updated to version 2.50
https://keepass.info/news/n220109_2.50.html

 

It's up to you, but the following programs are probably not offering you much value, since you're already running Windows Defender and Malwarebytes.

You may want to consider uninstalling the following software, but the choice is yours.

Spybot - Search & Destroy
SpywareBlaster
SUPERAntiSpyware

 

Please note that you have the following software installed which monitors startup items. Make sure that it's not negatively impacting what you're seeing.

HKU\S-1-5-21-2671556279-2552627736-255334404-1001\...\Run: [WinPatrol] => C:\Program Files (x86)\Ruiware\WinPatrol\winpatrol.exe [1223560 2017-05-07] (Ruiware, LLC -> Ruiware)

 

 

Are you still running this Canon BubbleJet printer from 2008?

HKLM\...\Print\Monitors\Canon BJ Language Monitor MP620 series: C:\Windows\System32\CNMLM9D.DLL [279040 2008-10-09] (Microsoft Windows Hardware Compatibility Publisher -> CANON INC.)

 

 

CHR Notifications: Default -> hxxps://agar.io; hxxps://app.atolia.com; hxxps://app.synaps.net; hxxps://app.usercrowd.com; hxxps://calendar.google.com; hxxps://chat.pangian.com; hxxps://cliq.zoho.com; hxxps://community.windows.com; hxxps://connect.zoho.com; hxxps://drive.google.com; hxxps://hackproductivity.slack.com; hxxps://meet.google.com; hxxps://outlook.live.com; hxxps://remotive.slack.com; hxxps://samepage.io; hxxps://supportdriven.slack.com; hxxps://synaps.net; hxxps://teams.microsoft.com; hxxps://twist.com; hxxps://www.facebook.com; hxxps://www.freecodecamp.org; hxxps://www.jobilize.com; hxxps://www.moxtra.com; hxxps://www.youtube.com

Are you sure you want this enabled or allowed? Push Notifications on your browser appear to be enabled.

https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

Turn notifications on or off - Google Chrome

Web Push notifications in Firefox

 

 

Please consider installing the following content blockers for your web browsers if you haven't done so already. They are miles ahead of SUPERAntiSpyware's blocking.

Malwarebytes Browser Guard

uBlock Origin

 

 

 

Please temporarily disable antivirus real-time protection and run the following fix

 

 

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

NOTE-3: As part of this fix it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

 

Edited by AdvancedSetup
Updated information
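The reply above points at two FRST log lines that deserve a second look: the WinPatrol entry under the user's Run key and the 2008 Canon print monitor. What a practitioner does with such lines is resolve each one to the file on disk, check the Authenticode signature, take a SHA-256 and look the hash up, which is exactly what the opening poster did by hand for monitor.exe. The PowerShell script below is an added example that does that triage for every Run/RunOnce entry and every installed print monitor; it is not code from this thread, from Malwarebytes or from Farbar. It assumes 64-bit Windows 10, an elevated PowerShell 5.1 or later session, and the standard registry locations for autostart entries and print monitors; the VirusTotal URL form is the one used in the opening post.

```powershell
# Added example: triage autostart Run entries and print monitors the way the
# FRST "Run:" and "Print\Monitors" lines are triaged by hand.
# Assumptions: 64-bit Windows 10, elevated PowerShell 5.1+.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Pull the executable path out of a Run value such as
#   "C:\Program Files (x86)\Ruiware\WinPatrol\winpatrol.exe" -expressboot
# or an unquoted path with spaces followed by arguments.
function Get-ExecutablePath {
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    # Unquoted: grow the candidate token by token until it names an existing file.
    $tokens = $cmd -split ' '
    for ($i = 1; $i -le $tokens.Count; $i++) {
        $candidate = ($tokens[0..($i - 1)] -join ' ')
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $tokens[0]
}

# Signature, timestamp and SHA-256 for one file, plus a VirusTotal lookup URL
# in the same form the opening post used for monitor.exe.
function Get-FileTriage {
    param([string]$Path, [string]$Source, [string]$Name)
    $exists = Test-Path -LiteralPath $Path -PathType Leaf
    $status = 'n/a'; $signer = ''; $hash = $null; $modified = $null
    if ($exists) {
        $sig = Get-AuthenticodeSignature -LiteralPath $Path
        $status = $sig.Status
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
        $modified = (Get-Item -LiteralPath $Path).LastWriteTime
    }
    $vt = ''
    if ($hash) { $vt = "https://www.virustotal.com/gui/file/$hash" }
    [pscustomobject]@{
        Source = $Source; Name = $Name; Path = $Path; Exists = $exists
        Signature = $status; Signer = $signer; Modified = $modified
        SHA256 = $hash; VirusTotal = $vt
    }
}

$results = @(foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
        Get-FileTriage -Path (Get-ExecutablePath $p.Value) -Source $key -Name $p.Name
    }
})

# Print monitors are DLLs loaded inside the print spooler, so a stale or
# unsigned one (like the 2008 Canon monitor in the log) gets the same scrutiny.
$monitorRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Monitors'
$results += @(foreach ($m in Get-ChildItem $monitorRoot) {
    $driver = (Get-ItemProperty $m.PSPath).Driver
    if ($driver) {
        Get-FileTriage -Path (Join-Path $env:SystemRoot "System32\$driver") `
                       -Source 'Print\Monitors' -Name $m.PSChildName
    }
})

# Unsigned, missing or tampered entries sort to the top for review.
$results |
    Sort-Object @{Expression = { $_.Signature -eq 'Valid' }}, Source |
    Format-Table Source, Name, Signature, Modified, Path -AutoSize

# Full detail (signer, hash, VirusTotal URL) for pasting into a forum reply.
$results | Export-Csv -NoTypeInformation -Path "$env:USERPROFILE\Desktop\autostart-triage.csv"
```

A `Valid` signature from a known vendor does not prove a file is benign, and `NotSigned` does not prove it is malicious (plenty of small vendors never sign), but an unsigned binary with a recent timestamp in a user-writable folder is the entry to hand to a scanner first. The CSV keeps the SHA-256 so the hash can be looked up without uploading the file.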

 

 

 

 

@AdvancedSetup Hi there and thank you for responding so quickly!

 

  1. I was unable to uninstall Bonjour. It claimed that there was a problem with the Windows Installer. I attempted to uninstall it twice.
  2. I removed the 3 Piriform products. Did you also want me to remove Piriform's Recuva? I've been feeling dubious lately about CCleaner because it has become more intrusive. I had it in the systray and it would periodically open by itself in a "you-can't-close-me-till-you-look-at-me" way, and I don't like obnoxious behavior like that. I'm also not excited about AVG. The good news was that the browser gave me the option to delete my browsing history. I don't really use CCleaner Browser unless I'm having a problem with a site not working on Brave.
  3. FYI, I had Defraggler because the old Windows defrag program was so obnoxiously slow. If I need to do a manual defrag in the future, do you recommend anything?
  4. Sorry about writing MBAM 3. I forgot I'd updated it.
  5. I use the MBAM browser add-on on both Brave and Chrome, although I rarely use anything other than Brave (and, when forced by Windows, Edge) to browse. Chrome's just there for emergencies, but I'd be happy to remove it if you think it's warranted given how intrusive Google is.
  6. I have tried Ghost, Disconnect, uBlock Origin and NoScript. Of them all, I've had the least trouble with NoScript, and it has been the easiest to modify what is and isn't blocked. There are sites that won't work, even if I disable the others for that entire site, with the other products. Are you aware of any reasons why NoScript can't be trusted?
  7. I only have SAS and Spybot S&D as back-ups in case of emergency so, unless you feel that they are a problem, I'd like to keep them. In the past (years ago), I've had MBAM (3) be compromised to the point where even Chameleon wouldn't work. Is it ok, do you think, to keep them?
  8. I have SpywareBlaster as an additional line of defense, so I will be keeping it, if that's ok.
  9. 8 hours ago, AdvancedSetup said:

    Please note that you have the following software installed which monitors startup items. Make sure that it's not negatively impacting what you're seeing.

    HKU\S-1-5-21-2671556279-2552627736-255334404-1001\...\Run: [WinPatrol] => C:\Program Files (x86)\Ruiware\WinPatrol\winpatrol.exe [1223560 2017-05-07] (Ruiware, LLC -> Ruiware)?

    I don't know how to find out if it's negatively impacting things. Since Ruiware has abandoned the product, I was wondering if it's counter-indicated to keep WinPatrol?
     
  10. 8 hours ago, AdvancedSetup said:

    Are you still running this Canon BubbleJet printer from 2008?

    HKLM\...\Print\Monitors\Canon BJ Language Monitor MP620 series: C:\Windows\System32\CNMLM9D.DLL [279040 2008-10-09] (Microsoft Windows Hardware Compatibility Publisher -> CANON INC.)

    I removed the printer, which I recently got rid of, and the software associated with it.
     
  11. KeePass updated.
  12. I have push notifications on Brave turned off. I have Chrome and Firefox as back-ups, but I've just turned off their notifications. Some websites have notifications that I need - a lot of the ones you listed are for job searching and for asynchronous communication sites' web-based apps (twist, teams, slack, discord, etc.), which I did an exhaustive comparison of in 2018.

I have not proceeded beyond this because of Bonjour. Please advise whether I should proceed, or do something about Bonjour first. Also, where should I download FRST64?

Thank you for your help!

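Item 12 above turns notifications off through the browser UI, which is the right fix. For checking the result, or for auditing a profile the way the FRST "CHR Notifications:" line does, the permission list can also be read straight from the Chromium "Preferences" file that Chrome, Brave and Edge all share. The PowerShell below is an added example, not code from this thread or from any browser vendor; it is read-only and deliberately does not edit the file (revoke sites through the browser's site-settings page). It assumes the Chromium Preferences layout `profile.content_settings.exceptions.notifications`, where each key is `"<origin>,*"` and `setting` 1 means allow and 2 means block, the default per-user profile directories on Windows, and PowerShell 5.1 or later. The sample JSON embedded in the script is constructed for the example and is not a real profile.

```powershell
# Added example: list the sites a Chromium-based browser (Chrome, Brave, Edge)
# has been allowed to send push notifications. Read-only.
# Assumptions: Chromium Preferences layout, default profile paths, PowerShell 5.1+.

function Get-NotificationPermissions {
    param([string]$PreferencesJson)
    $prefs = $PreferencesJson | ConvertFrom-Json
    $entries = $prefs.profile.content_settings.exceptions.notifications
    if (-not $entries) { return @() }
    foreach ($prop in $entries.PSObject.Properties) {
        # Keys look like "https://www.youtube.com:443,*"; keep the origin part.
        $origin = ($prop.Name -split ',')[0]
        $raw = $prop.Value.setting
        if ($raw -eq 1)     { $setting = 'allow' }
        elseif ($raw -eq 2) { $setting = 'block' }
        else                { $setting = "other($raw)" }
        [pscustomobject]@{ Origin = $origin; Setting = $setting }
    }
}

# Constructed sample in the Chromium Preferences shape (not a real profile).
$sample = @'
{ "profile": { "content_settings": { "exceptions": { "notifications": {
    "https://meet.google.com:443,*":      { "last_modified": "13287000000000000", "setting": 1 },
    "https://www.facebook.com:443,*":     { "last_modified": "13287000000000000", "setting": 1 },
    "https://example-tracker.test:443,*": { "setting": 2 }
} } } } }
'@
Write-Host "Sample profile:"
Get-NotificationPermissions -PreferencesJson $sample | Format-Table -AutoSize

# Real profiles: every profile directory under "User Data" has its own Preferences file.
$profileRoots = @{
    Chrome = "$env:LOCALAPPDATA\Google\Chrome\User Data"
    Brave  = "$env:LOCALAPPDATA\BraveSoftware\Brave-Browser\User Data"
    Edge   = "$env:LOCALAPPDATA\Microsoft\Edge\User Data"
}
foreach ($browser in $profileRoots.Keys) {
    $root = $profileRoots[$browser]
    if (-not (Test-Path -LiteralPath $root)) { continue }
    foreach ($dir in Get-ChildItem -LiteralPath $root -Directory) {
        $prefFile = Join-Path $dir.FullName 'Preferences'
        if (-not (Test-Path -LiteralPath $prefFile)) { continue }
        $json = Get-Content -Raw -LiteralPath $prefFile -Encoding UTF8
        Get-NotificationPermissions -PreferencesJson $json |
            Where-Object { $_.Setting -eq 'allow' } |
            ForEach-Object { '{0} [{1}]: {2}' -f $browser, $dir.Name, $_.Origin }
    }
}
```

Only the `allow` entries matter for the abuse the linked Malwarebytes article describes: a site on that list can pop notifications whenever the browser is open, which is how fake "virus detected" alerts and subscription scams get delivered without any malware on disk. Anything on the list you do not recognise is a candidate for revocation.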

  • Root Admin

There is no harm in keeping the other security products. Just wanted you to be aware is all.

The Recuva does work some but in my opinion there are other products. It really depends on how serious you are about data recovery. Relying on a free product when something critical needs to be restored may not be wise. However I find that on newer systems it's harder and harder to do data recovery even with paid products.

Please go ahead and temporarily disable antivirus real-time protection and run the FIX above and post back that log @GlennM2 and we'll see what else needs fixing at that point.

Cheers

 

Edited by AdvancedSetup
Updated information

  • Root Admin

1. Not an issue. We can get it removed after we clean up a bit.

5. I'm not a fan of Google Chrome due to their very aggressive marketing and tracking. If you're sure you want to remove it we can, but a normal uninstall from the Control Panel will not remove all of it. I have a script that will remove all of it if you're sure.

6. There is no harm in keeping the other security products. Just wanted you to be aware is all.

9. WinPatrol is not related to recovery software. I only meant that you said you were seeing some unexpected behavior, and that if you'd removed something it's quite possible that WinPatrol could have put it back.

 

 

Either the logs you just posted are not NEW or you've still not uninstalled the following, as they still show in the logs.

  • Bonjour
  • CCleaner Browser
  • CCleaner (computer experts no longer recommend this program)
  • Defraggler (Windows 10 already implements an automated scheduled task to defrag)

 

 

Please uninstall those and run the FIXLIST.txt with the Farbar program above and we'll continue.

Thanks @GlennM2

 


I just realized that I forgot to put fixlist in the same folder as FRST64. So very sorry!

Yes, please, let's dump Chrome into the trash.

I'd also like to uninstall WinPatrol since you have a good point that it may interfere. I haven't seen anything, but it's been abandoned by Ruiware, who bought it from Bill P.

 

 

Addition.txt FRST.txt


  • Root Admin

Hello @GlennM2

 

Please temporarily disable antivirus real-time protection and run the following fix

 

 


fixlist.txt

Thanks

 


  • Root Admin

Please download the FIXLIST.txt file again and run it again. Make sure that antivirus has been disabled.

This is from the current Fixlog you posted. @GlennM2

 

========= Batch: =========

Fixing is terminated due to reaching maximum fixing time of 60 minutes. <==== ATTENTION

 

 


  • Root Admin

Okay @GlennM2 I've created a new updated FIXLIST.txt file.

Please run this one as before and post back the FIXLOG.txt file once completed.

 

 


fixlist.txt

Thanks

 


  • Root Admin

Wow, something wrong on this system. Okay, I've removed most of the clean up routines and have left just a few of the basic clean up items. @GlennM2

Please save this one and run it again. Make sure that ALL security software is disabled first.

 

fixlist.txt

Thank you again

 


18 hours ago, AdvancedSetup said:

Wow, something wrong on this system. Okay, I've removed most of the clean up routines and have left just a few of the basic clean up items. @GlennM2

Please save this one and run it again. Make sure that ALL security software is disabled first.

 

Yes, something is wrong. That's why I came here. :)

I noticed that Google Chrome hasn't been removed. Will we be removing that soon?

I also noticed that, although I removed the Canon MP620 stuff, it's back: Canon IJ Network Scan Utility, Canon IJ Network Tool, Canon My Printer and Canon MP620 series MP drivers.

Bonjour is still present.

I'd like to also remove the HP DeskJet 3700 stuff (including the Product Improvement Study), LogMeIn, Inc products(Go ToMeeting, Go To Opener).

Since WinPatrol is gone, the only active security I have is MBAM 4...

You never commented on Zelotes...

The fix completed.

 

Fixlog.txt


  • Root Admin

Okay, please make sure you've exported bookmarks or whatever you want from Google Chrome and then run the following script.

Once this script runs you will not be able to restore any items from Google Chrome.

 

WARNING!! - DO NOT run this script. This script was written for @GlennM2 only

It will FORCE REMOVE Google Chrome and cannot be undone.

 

 


fixlist.txt

Thanks

 


  • Root Admin

Thank you that log looks pretty good. That should have removed at least 99% of everything related to Google Chrome. It's possible you might still have some dead link or something pointing to it but that's about it.

Did the external USB drive ever have any programs installed on it or was it just a data dump drive?

 


  • Root Admin

Please download the following tool

Farbar Service Scanner and run it on the computer with the issue
http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/

 

Make sure the following options are checked:

  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center/Action Center
  • Windows Update
  • Windows Defender

Click "Scan"

It will create a log (FSS.txt) in the same directory the tool is run.
Please attach the log to your next reply.

 

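Farbar Service Scanner answers one question: are the services that malware most often kills (firewall, Security Center, Windows Update, Defender, System Restore, the network stack) still present, still set to start, and still backed by signed Microsoft binaries? The PowerShell below is an added example in that spirit; it is not Farbar's code and not code from this thread. It assumes an elevated PowerShell 5.1 or later session on Windows 10 and that the `Defender` and `NetSecurity` modules are available, which they are on a stock install. The expected start types in the table are my assumption of Windows 10 defaults, not values taken from the page; a mismatch is something to investigate, not automatically a compromise.

```powershell
# Added example: a health check in the spirit of Farbar Service Scanner.
# Reports state, start type and binary signature for services malware likes
# to disable, then firewall profiles and Defender status.
# Assumptions: elevated PowerShell 5.1+ on Windows 10; expected start types
# are assumed Windows 10 defaults.

$expected = @{
    'Dhcp'      = 'Automatic'   # Internet services
    'Dnscache'  = 'Automatic'
    'nsi'       = 'Automatic'
    'BFE'       = 'Automatic'   # Base Filtering Engine; the firewall depends on it
    'MpsSvc'    = 'Automatic'   # Windows Defender Firewall
    'wscsvc'    = 'Automatic'   # Security Center
    'VSS'       = 'Manual'      # System Restore / shadow copies
    'wuauserv'  = 'Manual'      # Windows Update
    'BITS'      = 'Manual'
    'WinDefend' = 'Automatic'   # Microsoft Defender Antivirus
    'WdNisSvc'  = 'Manual'      # Defender network inspection
}

function Get-ServiceHealth {
    param([hashtable]$Expected)
    foreach ($name in $Expected.Keys) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) {
            [pscustomobject]@{ Service = $name; Status = 'MISSING'; StartType = 'n/a'
                               Expected = $Expected[$name]; Binary = ''; Signature = 'n/a'
                               Issue = 'service not present' }
            continue
        }
        # ImagePath may be quoted, carry %SystemRoot%, and end in arguments; keep the file.
        $reg = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$name" -ErrorAction SilentlyContinue
        $image = [Environment]::ExpandEnvironmentVariables(
            ($reg.ImagePath -replace '^"([^"]+)".*', '$1' -replace '^(\S+\.exe).*', '$1'))
        $sig = 'file missing'
        if ($image -and (Test-Path -LiteralPath $image)) {
            $sig = (Get-AuthenticodeSignature -LiteralPath $image).Status
        }
        $issues = @()
        $start = "$($svc.StartType)"
        if ($start -ne $Expected[$name]) { $issues += "start type $start, expected $($Expected[$name])" }
        if ($start -eq 'Disabled')       { $issues += 'disabled' }
        if ($sig -ne 'Valid')            { $issues += "binary signature: $sig" }
        [pscustomobject]@{ Service = $name; Status = $svc.Status; StartType = $start
                           Expected = $Expected[$name]; Binary = $image; Signature = $sig
                           Issue = ($issues -join '; ') }
    }
}

$report = Get-ServiceHealth -Expected $expected
# Rows with an Issue sort first.
$report | Sort-Object { $_.Issue -eq '' } |
    Format-Table Service, Status, StartType, Expected, Signature, Issue -AutoSize

# All three firewall profiles should be enabled on a laptop.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction | Format-Table -AutoSize

# Defender: real-time protection on and signatures recent.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp) {
    [pscustomobject]@{
        AntivirusEnabled   = $mp.AntivirusEnabled
        RealTimeProtection = $mp.RealTimeProtectionEnabled
        SignatureAgeDays   = $mp.AntivirusSignatureAge
        LastQuickScan      = $mp.QuickScanEndTime
    } | Format-List
} else {
    Write-Warning 'Get-MpComputerStatus unavailable: Defender module missing or service stopped.'
}
```

Two readings of the output matter. A service that is `Disabled` when its default is `Automatic` means something changed it (a user, a third-party AV installer, or malware), and with a third-party AV registered in Security Center it is normal for `WinDefend` to report itself off. A service whose binary fails signature validation, on the other hand, is never normal on a patched Windows 10 and is the kind of finding that justifies the SFC run the earlier fix performs.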

3 minutes ago, AdvancedSetup said:

Thank you that log looks pretty good. That should have removed at least 99% of everything related to Google Chrome. It's possible you might still have some dead link or something pointing to it but that's about it.

Did the external USB drive ever have any programs installed on it or was it just a data dump drive?

No, nothing was installed there (unless malware installed itself there).

What about Bonjour and the other stuff I wasn't able to get rid of?

 


  • Root Admin

We'll go over the stuff again. I wouldn't worry about the external drive then. We can scan it later on though if you like.

Please do these 3 steps again.

 

Please run the following steps and post back the logs as an attachment when ready.
Temporarily disable your antivirus or other security software first. Make sure to turn it back on once the scans are completed.
Temporarily disable Microsoft SmartScreen to download software below if needed. Make sure to turn it back on once the scans are completed.
If you still have trouble downloading the software please click on Reveal Hidden Contents below for examples of how to allow the download.

 

When downloading with some browsers you may see a different style of screens that may block FRST from downloading. The program is safe and used hundreds of times a week by many users.

[Screenshots: example of Microsoft Edge blocking the download]

STEP 01

  • If you already have Malwarebytes installed then open Malwarebytes and click on the Scan button. It will automatically check for updates and run a Threat Scan.
  • If you don't have Malwarebytes installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and select Scan and let it run.
  • Once the scan is completed make sure you have it quarantine any detections it finds.
  • If no detections were found click on the Save results drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If there were detections then once the quarantine has completed click on the View report button, Then click the Export drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If the computer restarted to quarantine you can access the logs from the Detection History, then the History tab. Highlight the most recent scan and double-click to open it. Then click the Export drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know in your next reply that the scanner would not run.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Double-click to run the program
  • Accept the End User License Agreement.
  • Wait until the database is updated.
  • Click Scan Now.
  • When finished, if items are found please click Quarantine.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Attach or Copy its content into your next reply.

RESTART THE COMPUTER Before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here each time.
  • Please attach the Addition.txt log to your reply as well.
  • On your next reply, you should be attaching FRST.txt and Addition.txt to your post, every time.

 

Thanks

This topic is now closed to further replies.