
I ran application file as administrator


Go to solution Solved by Maurice Naggar,


I downloaded a file from pop-up ads and ran as administrator. Then Windows Defender detected more than 10 severe virus files and stopped working. File Explorer showed a file named "ItsMe" but I didn't open it. I didn't know what to do so I tried to reset but it does nothing. I did advanced startup, cleaned everything and reinstalled Windows 11. AV scans no longer detect virus but I think virus is still there. Core isolation wasn't enabled so it might be infected. I'm afraid to do projects until I know my files are safe. Any way to know if virus is completely gone? Please help


Hello @PyM

I will guide you along on looking for remaining malware. Let's keep these principles as we go along.

  • Removing malware can be unpredictable
  • Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Only run the tools I guide you to.
  • Do not run online games while case is on-going. Do not do any free-wheeling web-surfing.
  • The removal of malware isn't instantaneous, please be patient.
  • Cracked or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also a big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
  • Please stick with me until I give you the "all clear".
  • If your system is running Discord, please be sure to Exit out of it while this case is on-going.

I need more information from this machine. Close as many other apps as you can  (that have open screens) before running this report. 

I would like a report set for review.   This is a report only.

Please download Malwarebytes MBST Support Tool

Once you start it click Advanced >>> then   Gather Logs

 Have patience till the run has finished.

Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop.

 

  • Please attach  mbst-grab-results.zip    to your reply
  • The IP block actions by Malwarebytes are keeping the machine safe from potential threats.
  • We do need the support zip reports to see more detail (the screen grabs just do not have full details + those screens give no clue as to what processes are running).

Hello. Thank you for the Malwarebytes support tool logs. As to the screen grab from NortonSecurity, all I can tell is what it shows, that Norton blocked some "thing". I am going to have you use other scans & tests, as we go along. Let's do one scan with Malwarebytes Adwcleaner to check for adwares. Just before pressing that "scan" button, be sure that Chrome & Edge, or other web browser are Closed.

It will not take much time,

First download & save it

https://support.malwarebytes.com/hc/en-us/articles/360038520054-Download-and-install-Malwarebytes-AdwCleaner

Then be sure to close all web browsers.

Then go to where the EXE file is saved. Start Adwcleaner.  Then do a scan with Adwcleaner

https://support.malwarebytes.com/hc/en-us/articles/360038520114-Malwarebytes-AdwCleaner-scan-and-clean

Attach the clean log.


[1]

Take these actions so that Windows 11 is set to show all hidden files and folders.
Open File Explorer from the taskbar.

Select View > Show > Hidden items.

[2]

Next, this will be a check with ESET Onlinescanner for viruses, other malware, adwares, & potentially unwanted applications.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

 

It will start a download of "esetonlinescanner.exe"

  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started.

 

  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes
  • When prompted for scan type, Click on Full scan

Look at & tick ( select ) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on Start scan button.

  • Have patience. The entire process may take an hour or more. There is an initial update download.

There is a progress window display. You may step away from machine & let it be.  That is, once it is under way, you should leave it running.  It will run for several hours.

  • At screen "Detections occurred and resolved" click on blue button "View detected results"
  • On next screen, at lower left, click on blue "Save scan log"
  • View where file is to be saved. Provide a meaningful name for the "File name:"
  • On last screen, set to Off (left) the option for Periodic scanning
  • Click "save and continue"
  • Please attach the report file so I can review

I cannot help you as regards Facebook. I very much regret to read now that (A) you used Discord and (B) that it appears that Discord "may" have been compromised.
Please Exit out of Discord and stay out of it until I give the all clear at the end of this whole case.
For your information, Discord is known to be prone to be  able to be compromised and can lead to situations where malicious trojans come in; those can be quite hard to fully remove. If you ever got and received any sort of document or attachment or script while using Discord, and "opened" same then that was a way that the system was infected.

One of the things I need you to do at this point, is, to ENABLE the System Restore protection for Windows 11.
See this article https://www.windowscentral.com/how-use-system-restore-windows-11 for the section titled "How to enable System Restore on Windows 11"
We only just need it to be enabled.

Do not make changes on your own. If you have questions, then Stop and ask me first.
Let me know if you possibly have a full backup of this system saved offline from some point well before the first problems cropped up.
Let me know if you would just rather prefer to cleanly wipe this whole system, and do a new from scratch new clean setup of Windows operating system.


Let me explain. I haven't downloaded or opened any app yet. Virus used chrome and other apps before I reset pc. I'm waiting for "all clear" and I keep pc power off. I used my phone to check discord and facebook. 


Thank you. Just hold on and I will have a script we can run, as a first pass anyway. I have concerns because I spotted in your earlier reports, at least the remains of 2 suspicious old scheduled tasks. Plus your mention at the top that MS Defender has some issues. Rather than the term virus, I would say "potential trojans", if not now, then in recent past.

Question: Is the NortonSecurity paid for? How long has it been installed on this machine? Was it installed after the first problem occurred?


I think Norton is built-in because I have reset my pc before and Norton was already installed with 60 day subscription (I didn't pay). I got new 60 day subscription when pc is reset this time. About the screenshot I sent before, I found that Acter was Malwarebytes and Target was some Norton files. Maybe trojan is hidden in Norton files and Norton is protecting the trojan from being detected. Thank you


I'm reserving any comments about NortonSecurity till later. Except to say, if NortonSecurity came prebuilt by the computer factory and you have had this machine for longer than 60 days, that the "license" would be expired now. That presumes it was a 60 day trial.
In any event and regardless, I would like us to proceed with this next custom run, intending to do cleanups and research as well.

Since you did run the support tool, there should be a tool named FRSTENGLISH on the Downloads folder . This script works as one of a pair.

This custom script is for  PYM  only / for this machine only.

Be very sure to Save any work-files you have open at this point. Close & Save any open edits, if any. Next, a custom script to do  checks & some  cleanups. This is really just housekeeping.

We will use FRSTENGLISH  on the Downloads  folder to run a custom script.    The system will be rebooted after the script has run.

This custom script has some specific things, plus some general aspect to help the system overall.  Hoping it will not exceed 60 minutes in execute time.

NOTE-1:  This script will run a scan using System File Checker to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run the Windows tool DISM to check Windows integrity.  It will rebuild the Winsock.

NOTE-2: This should run a quick scan with MS Defender antivirus and remove outstanding action items, if any. This custom script will also cleanup several entries of scheduled tasks that just no longer exist. It will also try to remove what look like 2 old scheduled tasks remains that have earmarks of an infection.

Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.

 

  • If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached,  please disconnect any of those.
  • Please save the (attached file named) FIXLIST.txt   to the   Downloads   folder

Fixlist.txt          <<< - - - - -

Then, Start the Windows Explorer and then, go  to the Downloads   folder.


RIGHT click on FRSTENGLISH   and select RUN as Administrator to run the tool, and allow it to proceed.  Reply YES when prompted to allow to run.
If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

  • IF you get a block message from Windows about this tool......

               click line More info on that screen
               and click button Run anyway on next screen.

  • on the FRST window:

Click the Fix button just once, and wait.


 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. 
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity. Stick with me.

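A read-only way to see the kind of leftover scheduled-task entries described in NOTE-2 of the post above. This is an added example: it is not part of the original thread and is not the helper's Fixlist.txt. It only lists tasks and changes nothing; `Resolve-TaskExecutable` is a hypothetical helper name chosen for this illustration.

```powershell
# Added example: read-only audit of scheduled tasks. Makes no changes.
# Flags tasks whose exec action points at a program that is no longer on disk.

function Resolve-TaskExecutable {
    # Hypothetical helper: returns the full path of the program, or $null if not found
    param([string]$Execute)
    if ([string]::IsNullOrWhiteSpace($Execute)) { return $null }
    # Expand %SystemRoot%-style variables and strip surrounding quotes
    $path = [Environment]::ExpandEnvironmentVariables($Execute).Trim('"')
    if (Test-Path -LiteralPath $path -PathType Leaf) { return $path }
    # Bare names such as "cmd.exe" are resolved through PATH
    $cmd = Get-Command -Name $path -CommandType Application -ErrorAction SilentlyContinue |
        Select-Object -First 1
    if ($cmd) { return $cmd.Source }
    return $null
}

$report = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        # Only exec actions carry an Execute property; COM handler actions do not
        if (-not ($action.PSObject.Properties.Name -contains 'Execute')) { continue }
        $resolved = Resolve-TaskExecutable -Execute $action.Execute
        [pscustomobject]@{
            TaskPath  = $task.TaskPath
            TaskName  = $task.TaskName
            State     = $task.State
            Execute   = $action.Execute
            Arguments = $action.Arguments
            Missing   = ($null -eq $resolved)
        }
    }
}

# Tasks whose target program cannot be found: candidates for review, not proof of infection
$report | Where-Object Missing |
    Sort-Object TaskPath, TaskName |
    Format-Table TaskPath, TaskName, State, Execute, Arguments -AutoSize -Wrap
```

Run it from an elevated PowerShell prompt so tasks owned by other accounts are visible; a task listed here is only a lead to examine, since some legitimate tasks reference optional components that are not installed.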

Do I just download Fixlist.txt and not touch it? I forgot to say that Norton is failing to update itself. It shows that update is completed but when I check updates again, it download and install update again. I've tried 3 times now. Is it suspicious?


  • Solution

The custom Fix script is good. You did well. :D
As to NortonSecurity, it seems to me best for you to uninstall it, unless you actually paid & do have a license from them.
I tend to think you do not. I get the impression that this app maybe came preloaded from the computer factory when machine was built.
Please understand that the Microsoft Defender antivirus on this Windows is now in good shape.
Now to uninstall NortonSecurity.

1. Press & hold  the Windows key on keyboard & then tap the R key   to open the Run box-window.
2. Type

appwiz.cpl


and tap Enter.
The Programs and Features window will appear.   Locate on the list "NortonSecurity".

Do a right-click on Norton Security.  Then choose Uninstall.   Let it proceed.

Exit Programs and Features, when done.
Now do a Windows Restart.


That is a good security status display. You can also launch Malwarebytes and take a look there as to the summary on the first screen. 

I would highly suggest to ensure that this pc is all up-to-date with security updates & cumulative updates on Windows. Select the Windows Start button, and then go to Settings > Update & Security > Windows Update, and click Check for Updates.
Have much patience.


I scanned with Malwarebytes and nothing is detected. All security settings are complete. Windows and others updated. Let me ask questions. Is core isolation in Windows Security important? Should it be enabled all the time? Thank you


Hello. Regret to read that the Edge browser might have an issue as to the Home page. This link https://bit.ly/3sWJxRs is to a Microsoft support article that shows how to set the EDGE browser Home page.
Do use it as a guide. That should be rather straightforward.

ALSO

I would urge you to look at and use this Microsoft guide article
https://bit.ly/3yW1jrZ

  • for the section titled "Clear browsing data stored on your computer"
  • What needs to be selected to be Cleared are
  • Browsing history
  • Download history
  • Cached images and files
  • WHEN you get to the part about "Time Range" we must pick the one "For ALL Time"
  • That is from the drop-down menu
  • Be sure to do that.
  • Then, there is another section to do. Do the one for "Clear browsing data stored in the cloud"

If there should still be an issue, then two things.
( A ) Run a new scan with Malwarebytes.  and let me know the result, and
( B ) Get a new Farbar FRST report:
 

Get a set of fresh reports to see what is running, what is active. Your machine has the FRSTENGLISH report tool on the Downloads folder. We will use that. Go to Downloads folder. RIGHT-click on FRSTENGLISH and select

Run as Administrator

and tap ENTER. And reply YES to allow to proceed.  

  •  When the tool opens click Yes to the disclaimer.  And be very sure to TICK the box for Addition.txt
  • Press the Scan button.


  • It will make a log (FRST.txt & Addition.txt) in the same directory the tool is run
  • Have patience since the run may take something like 10 or so minutes  (less depending on your hardware speed)
  • Close Notepad IF those show up on Notepad.
  • Just please Attach the 2 files FRST.txt +Addition.txt  with your next reply.

I checked all settings in edge after sync and reset sync. Malwarebytes scan result is "No item detected". A few minutes ago, I installed discord and epic games (I thought this topic has been solved). But nothing bad happened yet. I'll stop doing anything now.

