Need help with creating fixlist.txt

Solved by Maurice Naggar

Hey there, recently I had an exe sent to me by a friend. I didn't trust it much, so I used HxD to check it first, as it was 800 MB and too big of a file size for what its actual purpose was. Sure enough there were just a bunch of NOPs, but I double-clicked it by mistake.

Fast forward a restart later, there was a cmd file hidden in the task manager, which I saw through Process Hacker 2, that was using up a lot of my SSD and CPU. It was saved in %temp%, so I just deleted all files in the temp folder as I haven't done so in a while.

Running Malwarebytes, ADWCleaner, and KVRT cleaner got no new reports now, so I ran FRST and was hoping someone could help me create a fixlist.txt file, as I do not have the experience or knowledge to do so, and I might damage a few system files if I try. 

Thanks in advance :D

EDIT:

My bad, when I first clicked on the exe by mistake, I ran a bunch of scans and the only one that came back with positives was the ADW scanner. Attached it below.
Also, the day I ran the file by mistake, I noticed that it closed all the background apps running by the taskbar corner, but it didn't ask for system administrator perms.

AdwCleaner[S05].txt

FRST.txt Addition.txt

Edited by IhsanRocks
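The "too big for its purpose, mostly NOPs" observation in the post above is a recognisable inflated-binary pattern. As an added example, not code from the thread or from any of the tools it mentions, here is a Python triage check that reads a file in chunks and reports whether a single byte value dominates it; the 0.80 threshold and the constructed sample file are assumptions made here.

```python
import os
import tempfile
from collections import Counter


def byte_histogram(path, chunk_size=1 << 20):
    """Count byte values chunk by chunk so a multi-hundred-MB file
    is never loaded into memory in one piece."""
    counts = Counter()
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            counts.update(chunk)  # iterating bytes yields ints 0..255
    return counts


def padding_report(path, threshold=0.80):
    """Return size, the most frequent byte, its share of the file, and
    whether that share crosses the (assumed) inflation threshold."""
    counts = byte_histogram(path)
    size = sum(counts.values())
    if size == 0:
        return {"size": 0, "top_byte": None, "ratio": 0.0, "inflated": False}
    top_byte, top_count = counts.most_common(1)[0]
    ratio = top_count / size
    return {"size": size, "top_byte": top_byte, "ratio": ratio,
            "inflated": ratio >= threshold}


def make_sample_file(name, pad_byte=0x90, pad_len=2_000_000):
    """Constructed sample (not a real file from the thread): a short
    random 'header' region followed by a long run of one padding byte."""
    path = os.path.join(tempfile.gettempdir(), name)
    with open(path, "wb") as fh:
        fh.write(b"MZ" + os.urandom(4096))
        fh.write(bytes([pad_byte]) * pad_len)
    return path


if __name__ == "__main__":
    sample = make_sample_file("constructed_padded.bin")
    report = padding_report(sample)
    print(f"{sample}: size={report['size']} top_byte=0x{report['top_byte']:02x} "
          f"ratio={report['ratio']:.3f} inflated={report['inflated']}")
```

A high ratio is a reason to submit the file to a scanner or sandbox rather than run it; a low ratio does not prove the file is clean.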

Hello. I will guide you along on looking for remaining malware. Let's keep these principles as we go along.

  • Removing malware can be unpredictable.
  • Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Only run the tools I guide you to.
  • Do not run online games while the case is on-going. Do not do any free-wheeling web-surfing.
  • The removal of malware isn't instantaneous, please be patient.
  • Cracked or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also a big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
  • Please stick with me until I give you the "all clear".
  • This system is running Discord, please be sure to Exit out of it while this case is on-going.
  • If in any way you got the file through Discord, I need to be sure you let me know. In any event, keep out of Discord while the case is on-going, for the duration. Discord is known to be able to be compromised such that it can be mis-used to make it easier for infection. Exit / close Discord and keep it closed.

Take these actions so that Windows 11 is set to show all hidden files and folders.
Open File Explorer from the taskbar.

Select View > Show > Hidden items.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the-tool instructions are at this link at Microsoft:

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

Look on Scan Options & select CUSTOM scan & then select the C drive to be scanned.

Then start the scan. Have lots of patience. Once you start the scan & you see it started, then leave it be.

  • Once you see it has started, take a long, long break; walk away. Do not pay credence if you see some intermediate early flash messages on the screen display. The only thing that counts is the end result at the end of the run.
  • Again, any on-screen display about repeat 'infection' is not to be relied on. Ignore those.
  • We only rely on the end result that is in the log-report-file.

This is likely to run for many hours (depending on the number of files on your machine & the speed of hardware).

The log is named MSERT.log

The log will be at

Windows\debug\msert.log

Please attach that log with your reply. We will do more later.

QUESTION: Did you have Adwcleaner "clean" / quarantine the 4 PUPs that it tagged?

Edited by Maurice Naggar


Hey there, I have 2 drives, C:/ and D:/. Following your instructions I will only scan The main SSD C:/. Should I scan the secondary HDD as well?


16 hours ago, Maurice Naggar said:

It will take several hours to scan all drives. That is OK. It is expected.

The scan just finished, it came back with:

Results Summary:
----------------
No infection found.
Successfully Submitted MAPS Report
Successfully Submitted Heartbeat Report
Microsoft Safety Scanner Finished On Sun May 29 14:53:39 2022


Return code: 0 (0x0),

That is good. Thanks. 

Please download and run the following Kaspersky Virus Removal Tool 2020 and save it to your Desktop.

(Kaspersky Virus Removal Tool version 20.0.10.0 was released on November 9, 2021)

Download: Kaspersky Virus Removal Tool

  • How to run a scan with Kaspersky Virus Removal Tool 2020

          https://support.kaspersky.com/15674

  • How to run Kaspersky Virus Removal Tool 2020 in the advanced mode

          https://support.kaspersky.com/15680

  • How to restore a file removed during Kaspersky Virus Removal Tool 2020 scan

          https://support.kaspersky.com/15681


Select the Windows Key and R Key together, the "Run" box should open.


Drag and Drop KVRT.exe into the Run Box.


C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the run box.

Add -dontencrypt (note the space between KVRT.exe and -dontencrypt).

C:\Users\{your user name}\DESKTOP\KVRT.exe -dontencrypt should now show in the Run box.

That addendum to the run command is very important: when the scan does eventually complete, the resultant report is normally encrypted; with the extra command it is saved as a readable file.

Reports are saved here: C:\KVRT2020_Data\Reports and look similar to this: report_20210123_113021.klr
Right-click directly onto that report, select > Open with > Notepad. Save that file and attach it to your reply.

To start the scan select OK in the "Run" box.

An EULA window will open, tick all confirmation boxes then select "Accept".

In the new window select "Change Parameters"


In the new window ensure all selection boxes are ticked, then select "OK". The scan should now start...

When complete, if entries are found there will be options; if "Cure" is offered leave as is. For any other options change to "Delete", then select "Continue".

When complete, or if nothing was found, select "Close".

Attach the report information as previously instructed...

Thank you

This last run of Kaspersky KVRT was completed in like 4 minutes. I have to wonder just what you selected for scanning ?

Added note: This system has McAfee AntiVirus apparently as the antivirus app. When was the last time you scanned with it?

Edited by Maurice Naggar
added note

I scan with McAfee often, and I use its realtime scanning and firewall option, but I just find the Malwarebytes scan to be more trustworthy since it scans for rootkits as well. I ran my last scan with McAfee around 2-3 days ago.
As for the KVRT scan, the moment I acknowledged the different agreements it started a scan, and I missed a step to select all drives. I shall rerun the scan, my bad.

By the way, you do not need to press "Quote" when you start a reply. Doing that just adds more lines and makes the whole topic deeper. More work to scroll through. Just start typing your reply in the bottom box meant for replies.

I get notified of all your replies. 😃


Oh alright, my bad, I won't quote the messages. Sorry about that.

The Kaspersky scan finished, and it found nothing, other than a few miners because I ran a mining tool called Salad a while back, as well as a few "Ok" files which were from Process Hacker. Other than these 2 main directories nothing else was found.

Hello. You mentioned: "I ran a mining tool called salad a while back"

Is "Salad" uninstalled?

  • I would like a report set for review. This is a report only.
  • Please download the MALWAREBYTES MBST Support Tool.
  • Once you start it click Advanced >>> then Gather Logs.
  • Have patience till the run has finished.
  • Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop.
  • Please attach mbst-grab-results.zip to your reply.

Nope, Salad was not uninstalled, but I do not use it at all anymore, so I just uninstalled it while I was getting the logs. Here is the zip you asked for.
Oh BTW, I do not think that the malicious item is completely gone yet, since I just had my Gmail account accessed and the password of my Epic Games account with 2FA enabled changed, even though it did not send the verification code to enter my Gmail account to my phone.
mbst-grab-results.zip

Edited by IhsanRocks

Thanks for the latest report. I will review and get back with you. As to your Gmail & Epic games & any other account that may have been lifted:

Use STRONG passwords.

Tips on that:

The LastPass site can generate a strong one for you on-demand: https://www.lastpass.com/password-generator

Also see at Microsoft: https://support.microsoft.com/en-us/help/4026406/microsoft-account-how-to-create-a-strong-password

and https://www.microsoft.com/en-us/p/strong-password-generator/9nblggh0gr9l

[ 2 ]
This machine has Discord installed. I need for you to uninstall Discord. Discord has been known in the past to have been mis-used & lead to compromise.
At least for the duration of the case, uninstall Discord from this machine. { After we finish this case, you can later on re-install as you wish. Just be sure you get it from the legitimate source. }

[ 3 ]
Please do not play any online games on this machine. Do not go onto social media sites on this machine. Only use this machine to get tools I guide you to & to use this help forum here.


Take these actions so that Windows 11 is set to show all hidden files and folders.
Open File Explorer from the taskbar.

Select View > Show > Hidden items.

This custom script is for IhsanRocks only / for this machine only.

Be very sure to Save any work-files you have open at this point. Close & Save any open edits, if any. Next, a custom script to do checks & some cleanups. This is really just housekeeping.

We will use FRST64 in the C:\Users\ihsan\Desktop\Applications\Antivirus folder to run a custom script. The system will be rebooted after the script has run.

This custom script has some specific things, plus some general aspects to help the system overall. Hoping it will not exceed 60 minutes in execution time.

NOTE-1: This script will run a scan using System File Checker to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run the Windows tool DISM to check Windows integrity. It will rebuild the Winsock.

NOTE-2: This should run a quick scan with MS Defender antivirus and remove outstanding action items, if any. This script will remove any remaining references of "Salad" or "Saladbind".

Please be sure to Close any open work files, documents, any apps you started yourself before starting this.

  • Please save the (attached file named) FIXLIST.txt to the C:\Users\ihsan\Desktop\Applications\Antivirus folder

Fixlist.txt

Then, start Windows Explorer and go to the C:\Users\ihsan\Desktop\Applications\Antivirus folder.

Right-click on FRST64 and select Run as Administrator and allow it to proceed. Reply YES when prompted to allow the tool to run. If the tool warns you the version is outdated, please download and run the updated version.
If Windows prompts you about running this, select YES to allow it to proceed.

  • If you get a block message from Windows about this tool......

               click the "More info" line on that screen
               and click the "Run anyway" button on the next screen.

  • On the FRST window:

Click the Fix button just once, and wait.


PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. 
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity.

Solution

Thanks. That run went very well. The system ought to be lots better. This is just one new, very quick run, to remove 4 extremely odd-named, suspicious sub-folders.

This custom script is for IhsanRocks only / for this machine only.

Be very sure to Save any work-files you have open at this point. Close & Save any open edits, if any. Next, a custom script to do checks & some cleanups. This is really just housekeeping.

We will use FRST64 in the C:\Users\ihsan\Desktop\Applications\Antivirus folder to run a custom script. The system will be rebooted after the script has run.

Please be sure to Close any open work files, documents, any apps you started yourself before starting this.

  • Please save the (attached file named) FIXLIST.txt to the C:\Users\ihsan\Desktop\Applications\Antivirus folder

Fixlist.txt

Then, start Windows Explorer and go to the C:\Users\ihsan\Desktop\Applications\Antivirus folder.

Right-click on FRST64 and select Run as Administrator and allow it to proceed. Reply YES when prompted to allow the tool to run. If the tool warns you the version is outdated, please download and run the updated version.

  • On the FRST window:

Click the Fix button just once, and wait.

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity.

Thank you. That run accomplished its goal of removing 4 files. Now, I would highly suggest to ensure that this PC is all up-to-date with security updates & cumulative updates on Windows. Select the Windows Start button, and then go to Settings > Update & Security > Windows Update, and click Check for Updates.
Have much patience.

This topic is now closed to further replies.