PyM Posted May 23, 2022 ID:1516794

I downloaded a file from pop-up ads and ran it as administrator. Then Windows Defender detected more than 10 severe virus files and stopped working. File Explorer showed a file named "ItsMe" but I didn't open it. I didn't know what to do so I tried to reset, but it does nothing. I did advanced startup, cleaned everything and reinstalled Windows 11. AV scans no longer detect the virus but I think the virus is still there. Core isolation wasn't enabled so it might be infected. I'm afraid to do projects until I know my files are safe. Any way to know if the virus is completely gone? Please help.
Maurice Naggar Posted May 23, 2022 ID:1516795

Hello @PyM. I will guide you along on looking for remaining malware. Let's keep these principles as we go along. Removing malware can be unpredictable. Please don't run any other scans, download, install or uninstall any programs while I'm working with you. Only run the tools I guide you to. Do not run online games while the case is on-going. Do not do any free-wheeling web-surfing. The removal of malware isn't instantaneous, please be patient.

Cracked or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also a big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure. Please stick with me until I give you the "all clear". If your system is running Discord, please be sure to Exit out of it while this case is on-going.

I need more information from this machine. Close as many other apps as you can (that have open screens) before running this report. I would like a report set for review. This is a report only. Please download the MALWAREBYTES MBST Support Tool. Once you start it click Advanced >>> then Gather Logs. Have patience till the run has finished. Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop. Please attach mbst-grab-results.zip to your reply.

The IP block actions by Malwarebytes are keeping the machine safe from potential threats. We do need the support zip reports to see more detail (the screen grabs just do not have full details, plus those screens give no clue as to what processes are running).
PyM Posted May 23, 2022 ID:1516802

mbst-grab-results.zip (attached). Thank you. I hope I did it correctly. I also wanted to show this screenshot. Is this caused by the virus? There are about 20 reports like this.
Maurice Naggar Posted May 24, 2022 ID:1516865

Hello. Thank you for the Malwarebytes support tool logs. As to the screen grab from NortonSecurity, all I can tell is what it shows, that Norton blocked some "thing". I am going to have you use other scans & tests as we go along.

Let's do one scan with Malwarebytes AdwCleaner to check for adwares. Just before pressing that "scan" button, be sure that Chrome & Edge, or other web browsers, are Closed. It will not take much time. First download & save it: https://support.malwarebytes.com/hc/en-us/articles/360038520054-Download-and-install-Malwarebytes-AdwCleaner Then be sure to close all web browsers. Then go to where the EXE file is saved. Start AdwCleaner. Then do a scan with AdwCleaner: https://support.malwarebytes.com/hc/en-us/articles/360038520114-Malwarebytes-AdwCleaner-scan-and-clean Attach the clean log.
PyM Posted May 24, 2022 ID:1516867

AdwCleaner[S00].txt (attached). Sorry, I clicked Mark as solution accidentally.
Maurice Naggar Posted May 24, 2022 ID:1516870

[1] Take these actions so that Windows 11 is set to show all hidden files and folders. Open File Explorer from the taskbar. Select View > Show > Hidden items.

[2] Next, this will be a check with ESET Online Scanner for viruses, other malware, adwares, & potentially unwanted applications. Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe It will start a download of "esetonlinescanner.exe". Save the file to your system, such as the Downloads folder, or else to the Desktop. Go to the saved file, and double click it to get it started. When presented with the initial ESET options, click on "Computer Scan". Next, when prompted by Windows, allow it to start by clicking Yes. When prompted for scan type, click on Full scan. Look at & tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.

Have patience. The entire process may take an hour or more. There is an initial update download. There is a progress window display. You may step away from the machine & let it be. That is, once it is under way, you should leave it running. It will run for several hours. At the screen "Detections occurred and resolved" click on the blue button "View detected results". On the next screen, at lower left, click on blue "Save scan log". View where the file is to be saved. Provide a meaningful name for the "File name:". On the last screen, set to Off (left) the option for Periodic scanning. Click "save and continue". Please attach the report file so I can review.
PyM Posted May 24, 2022 ID:1516880

OnlineScanLog.txt (attached). I found too late that my Facebook and Discord accounts were compromised. I was able to recover Discord but not Facebook. They changed the email and password. I sent ID to Facebook. Can you help? Thank you.
Maurice Naggar Posted May 24, 2022 ID:1516886 (edited)

I cannot help you as regards Facebook. I very much regret to read now that (A) you used Discord and (B) that it appears that Discord "may" have been compromised. Please Exit out of Discord and stay out of it until I give the all clear at the end of this whole case. For your information, Discord is known to be prone to being compromised and can lead to situations where malicious trojans come in; those can be quite hard to fully remove. If you ever got and received any sort of document or attachment or script while using Discord, and "opened" same, then that was a way that the system was infected.

One of the things I need you to do at this point is to ENABLE the System Restore protection for Windows 11. See this article https://www.windowscentral.com/how-use-system-restore-windows-11 for the section titled "How to enable System Restore on Windows 11". We only just need it to be enabled. Do not make changes on your own. If you have questions, then Stop and ask me first.

Let me know if you possibly have a full backup of this system saved offline from some point well before the first problems cropped up. Let me know if you would just rather prefer to cleanly wipe this whole system, and do a new from-scratch clean setup of the Windows operating system.

Edited May 24, 2022 by Maurice Naggar
PyM Posted May 24, 2022 ID:1516888

Let me explain. I haven't downloaded or opened any app yet. The virus used Chrome and other apps before I reset the pc. I'm waiting for the "all clear" and I keep the pc powered off. I used my phone to check Discord and Facebook.
PyM Posted May 24, 2022 ID:1516893

I enabled System Restore. I didn't make any backup before. I would like to wipe everything if it'll remove a virus hiding deep. Any bad consequences? Thank you.
Maurice Naggar Posted May 24, 2022 ID:1516896

Thank you. Just hold on and I will have a script we can run, as a first pass anyway. I have concerns because I spotted in your earlier reports at least the remains of 2 suspicious old scheduled tasks. Plus your mention at the top that MS Defender has some issues. Rather than the term virus, I would say "potential trojans", if not now, then in the recent past. Question: Is the NortonSecurity paid for? How long has it been installed on this machine? Was it installed after the first problem occurred?
PyM Posted May 24, 2022 ID:1516904

I think Norton is built-in because I have reset my pc before and Norton was already installed with a 60 day subscription (I didn't pay). I got a new 60 day subscription when the pc was reset this time. About the screenshot I sent before, I found that Actor was Malwarebytes and Target was some Norton files. Maybe the trojan is hidden in Norton files and Norton is protecting the trojan from being detected. Thank you.
Maurice Naggar Posted May 24, 2022 ID:1516908

I'm reserving any comments about NortonSecurity till later. Except to say, if NortonSecurity came prebuilt by the computer factory and you have had this machine for longer than 60 days, then the "license" would be expired now. That presumes it was a 60 day trial.

In any event and regardless, I would like us to proceed with this next custom run, intending to do cleanups and research as well. Since you did run the support tool, there should be a tool named FRSTENGLISH in the Downloads folder. This script works as one of a pair. This custom script is for PYM only / for this machine only. Be very sure to Save any work-files you have open at this point. Close & Save any open edits, if any.

Next, a custom script to do checks & some cleanups. This is really just housekeeping. We will use FRSTENGLISH in the Downloads folder to run a custom script. The system will be rebooted after the script has run. This custom script has some specific things, plus some general aspects to help the system overall. Hoping it will not exceed 60 minutes in execute time.

NOTE-1: This script will run a scan using System File Checker to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run the Windows tool DISM to check Windows integrity. It will rebuild the Winsock.

NOTE-2: This should run a quick scan with MS Defender antivirus and remove outstanding action items, if any. This custom script will also clean up several entries of scheduled tasks that just no longer exist. It will also try to remove what look like the remains of 2 old scheduled tasks that have earmarks of an infection.

Please be sure to Close any open work files, documents, any apps you started yourself before starting this. If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached, please disconnect any of those.

Please save the (attached file named) FIXLIST.txt to the Downloads folder. Fixlist.txt (attached). Then, Start the Windows Explorer and then go to the Downloads folder. RIGHT click on FRSTENGLISH and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow the tool to run. If the tool warns you the version is outdated, please download and run the updated version. IF Windows prompts you about running this, select YES to allow it to proceed. IF you get a block message from Windows about this tool, click the line "More info" on that screen and click the button "Run anyway" on the next screen.

On the FRST window: Click the Fix button just once, and wait. PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. If you receive a message that a reboot is required, please make sure you allow it to restart normally. The tool will complete its run after restart. When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please attach the FIXLOG.txt with your next reply later, at your next opportunity. Stick with me.
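The leftover scheduled tasks mentioned above are a common persistence remnant after a cleanup. As an added example (not part of this thread, not FRST, and not Malwarebytes code; the function names are hypothetical), this PowerShell audit lists every task whose action points to an executable that no longer exists, runs from a user-writable folder, or is not validly signed, so a defender can review them before deciding what to remove. It assumes an elevated PowerShell 5.1 or later session on Windows 10/11.

```powershell
# Added example: triage of scheduled-task actions (hypothetical helper names).
# Output is a review list, not a verdict: legitimate updaters also run from
# %LOCALAPPDATA%, so confirm each hit against the task's Author and Arguments.

function Resolve-TaskExecutable {
    param([string]$Execute)
    if ([string]::IsNullOrWhiteSpace($Execute)) { return $null }
    # Strip surrounding quotes and expand %SystemRoot%-style variables
    $exe = [Environment]::ExpandEnvironmentVariables($Execute.Trim('"'))
    # Bare names such as "cmd.exe" or "wscript" resolve through PATH
    if (-not [System.IO.Path]::IsPathRooted($exe)) {
        $cmd = Get-Command $exe -ErrorAction SilentlyContinue | Select-Object -First 1
        if ($cmd) { return $cmd.Source }
    }
    return $exe
}

function Get-SuspiciousScheduledTask {
    # Folders any standard user can write to; a task launching from here
    # deserves a second look because malware does not need admin to drop there
    $userWritable = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:PUBLIC, 'C:\Users')
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # COM-handler actions have no Execute field; skip them
            if (-not $action.Execute) { continue }
            $exe = Resolve-TaskExecutable $action.Execute
            $reasons = @()
            if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) {
                $reasons += 'executable missing (orphaned task)'
            }
            elseif ($userWritable | Where-Object { $exe.StartsWith($_, 'OrdinalIgnoreCase') }) {
                $reasons += 'runs from a user-writable folder'
            }
            else {
                $sig = Get-AuthenticodeSignature -FilePath $exe -ErrorAction SilentlyContinue
                if (-not $sig -or $sig.Status -ne 'Valid') {
                    $reasons += 'executable not validly signed'
                }
            }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Task    = $task.TaskPath + $task.TaskName
                    State   = $task.State
                    Author  = $task.Author
                    Execute = $action.Execute
                    # Arguments matter: a signed wscript.exe can still launch a dropped script
                    Args    = $action.Arguments
                    Reason  = $reasons -join '; '
                }
            }
        }
    }
}

Get-SuspiciousScheduledTask | Format-Table -AutoSize -Wrap
```

A task whose executable is missing is exactly the "no longer exists" entry the fix script above removes; the other two categories are for manual review only.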
PyM Posted May 24, 2022 ID:1516911

Do I just download Fixlist.txt and not touch it? I forgot to say that Norton is failing to update itself. It shows that the update is completed, but when I check updates again, it downloads and installs the update again. I've tried 3 times now. Is it suspicious?
PyM Posted May 24, 2022 ID:1516915

Fixlog.txt (attached). Thank you.
Maurice Naggar Posted May 24, 2022 ID:1516920 (edited; marked as Solution)

The custom Fix script is good. You did well. As to NortonSecurity, it seems to me best for you to uninstall it, unless you actually paid & do have a license from them. I tend to think you do not. I get the impression that this app maybe came preloaded from the computer factory when the machine was built. Please understand that the Microsoft Defender antivirus on this Windows is now in good shape.

Now to uninstall NortonSecurity.
1. Press & hold the Windows key on the keyboard & then tap the R key to open the Run box-window.
2. Type appwiz.cpl and tap Enter. The Programs and Features window will appear. Locate on the list "NortonSecurity". Do a right-click on Norton Security. Then choose Uninstall. Let it proceed. Exit Programs and Features when done. Now do a Windows Restart.

Edited May 24, 2022 by Maurice Naggar
PyM Posted May 24, 2022 ID:1516924

Thank you. I uninstalled Norton. Is my pc safe to use now?
Maurice Naggar Posted May 24, 2022 ID:1516931

Take a look on the Windows Security GUI (i.e., visual user interface) and look at the status shown.
PyM Posted May 24, 2022 ID:1516932

This? (screenshot attached)
Maurice Naggar Posted May 24, 2022 ID:1516934

That is a good security status display. You can also launch Malwarebytes and take a look there as to the summary on the first screen. I would highly suggest to ensure that this pc is all up-to-date with security updates & cumulative updates on Windows. Select the Windows Start button, and then go to Settings > Update & Security > Windows Update, and click Check for Updates. Have much patience.
PyM Posted May 24, 2022 ID:1516936

I scanned with Malwarebytes and nothing is detected. All security settings are complete. Windows and others updated. Let me ask questions. Is core isolation in Windows Security important? Should it be enabled all the time? Thank you.
PyM Posted May 25, 2022 ID:1516969

I checked Microsoft Edge settings and I found that the virus set the Home button to open a link with a weird name. I reset browser settings. Anything I should do?
Maurice Naggar Posted May 26, 2022 ID:1517177

Hello. Regret to read that the Edge browser might have an issue as to the Home page. This link https://bit.ly/3sWJxRs is to a Microsoft support article that shows how to set the EDGE browser Home page. Do use it as a guide. That should be rather straightforward.

ALSO I would urge you to look at and use this Microsoft guide article https://bit.ly/3yW1jrZ for the section titled "Clear browsing data stored on your computer". What needs to be selected to be Cleared are Browsing history, Download history, Cached images and files. WHEN you get to the part about "Time Range" we must pick the one "For ALL Time". That is from the drop-down menu. Be sure to do that. Then, there is another section to do. Do the one for "Clear browsing data stored in the cloud".

If there should still be an issue, then two things. (A) Run a new scan with Malwarebytes and let me know the result, and (B) Get a new Farbar FRST report: get a set of fresh reports to see what is running, what is active. Your machine has the FRSTENGLISH report tool in the Downloads folder. We will use that. Go to the Downloads folder. RIGHT-click on FRSTENGLISH and select Run as Administrator and tap ENTER. And reply YES to allow it to proceed. When the tool opens click Yes to the disclaimer. And be very sure to TICK the box for Addition.txt. Press the Scan button. It will make a log (FRST.txt & Addition.txt) in the same directory the tool is run from. Have patience since the run may take something like 10 or so minutes (less depending on your hardware speed). Close Notepad IF those show up in Notepad. Just please Attach the 2 files FRST.txt + Addition.txt with your next reply.
PyM Posted May 26, 2022 ID:1517179

Addition.txt FRST.txt (attached). Thank you.
PyM Posted May 26, 2022 ID:1517181

I checked all settings in Edge after sync and reset sync. The Malwarebytes scan result is "No item detected". A few minutes ago, I installed Discord and Epic Games (I thought this topic had been solved). But nothing bad has happened yet. I'll stop doing anything now.