
Undetected Malware



Hello, I have a feeling that I am infected with undetected malware that is not being picked up by Malwarebytes and a few other malware removal programs I installed. Firstly, my CPU and RAM usage constantly spikes even though I have nothing open, as can be seen in the screenshots. My RAM is constantly at 50-55% and my CPU usage even spikes to 20% when nothing is open. Furthermore, every now and again my mouse moves on its own for a brief second even though I didn't touch it, and in the past I have had other suspicious activity that I even posted about here. If I am infected, I am pretty sure it's the type of malware not being picked up by Malwarebytes and other malware removal software. I've been through the whole thing with staff on here before, but it didn't really amount to anything, as nothing was picked up and I was told my PC was clean when I'm fairly sure it isn't. It seems I will have to nuke my hard drive completely and start fresh to be 100% certain.

Farbar update error; I had this last time as well and I'm not sure what to do besides ignore it and run the scan regardless.

Screenshot_70.png

Screenshot_71.png

Screenshot_72.png

FRST.txt Addition.txt

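The symptoms above (CPU and RAM spikes with nothing open) are a process question before they are a malware question: which process is busy, where does its executable live, and is that binary signed? The script below is an added example, not code posted by anyone in this thread. It takes a point-in-time sample of per-process CPU and private memory through WMI and checks the Authenticode status of each executable. It is written against PowerShell 2.0 so it runs on the Windows 7 machine described here; the function name Get-ProcessTriage and the Top parameter are my own choices. Run it from an elevated PowerShell prompt, otherwise paths of processes owned by other users will show as empty.

```powershell
# Added example (not from this thread): read-only look at which processes are
# consuming CPU and private memory, with executable path and signature status.
# PowerShell 2.0 compatible (Windows 7). Nothing here modifies the system.

function Get-ProcessTriage {
    param([int]$Top = 10)   # how many of the busiest processes to return

    # WMI reports PercentProcessorTime per core (a 4-core box can show 400%),
    # so scale it to a 0-100 range using the logical processor count.
    $cpuCount = (Get-WmiObject Win32_ComputerSystem).NumberOfLogicalProcessors

    # The formatted counter class needs two internal samples to compute a rate;
    # discard the first query, wait, then keep the second.
    $null = Get-WmiObject Win32_PerfFormattedData_PerfProc_Process
    Start-Sleep -Seconds 2
    $samples = Get-WmiObject Win32_PerfFormattedData_PerfProc_Process |
        Where-Object { $_.Name -ne '_Total' -and $_.Name -ne 'Idle' }

    $rows = foreach ($s in $samples) {
        $path = $null
        $signer = 'n/a'
        try {
            # Path can be unavailable for protected/system processes; tolerate that.
            $proc = Get-Process -Id $s.IDProcess -ErrorAction Stop
            $path = $proc.Path
        } catch { }
        if ($path) {
            # Status is Valid, NotSigned, HashMismatch, UnknownError, ...
            # An unsigned binary in a user-writable folder (Temp, AppData) with
            # sustained CPU use is the kind of thing worth sending to a scanner.
            $signer = (Get-AuthenticodeSignature -FilePath $path).Status.ToString()
        }
        New-Object PSObject -Property @{
            PID       = $s.IDProcess
            Name      = $s.Name
            'CPU%'    = [math]::Round($s.PercentProcessorTime / $cpuCount, 1)
            PrivateMB = [math]::Round($s.WorkingSetPrivate / 1MB, 1)
            Signature = $signer
            Path      = $path
        }
    }
    $rows | Sort-Object 'CPU%', PrivateMB -Descending | Select-Object -First $Top
}

# PowerShell 2.0 hashtables are unordered, so name the columns explicitly.
Get-ProcessTriage | Format-Table PID, Name, 'CPU%', PrivateMB, Signature, Path -AutoSize
```

A single sample catches whatever happened to be busy during those two seconds; run it a few times over a period when the machine "spikes" and compare. A process that is valid-signed and lives under System32 or Program Files is rarely the answer; one that is NotSigned and runs from a Temp or AppData folder is what the scanners later in this thread should be pointed at.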

Hello. My name is Maurice. I will guide you. This is a first step.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the-tool instructions are at this link at Microsoft:

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on Scan Options & select CUSTOM scan & then select the C drive to be scanned.

Then start the scan. Have lots of patience. Once you start the scan & you see it started, then leave it be.

  • Once you see it has started, take a long, long break; walk away. Do not pay credence to any intermediate early flash messages on the screen display. The only thing that counts is the end result at the end of the run.
  • Again, any on-screen display about a repeat 'infection' is not to be relied on. Ignore those.
  • We only rely on the end result that is in the log-report file.

 

This is likely to run for many hours (depending on the number of files on your machine & the speed of the hardware).

The log is named MSERT.log

The log will be at

Windows\debug\msert.log

Please attach that log with your reply. We will do more later.


I certainly look forward to reviewing the report from MS Safety Scanner.
This Windows OS is Windows 7 Ultimate Service Pack 1 (X64).
Is there a reason why it has not been updated to Windows 10?
Windows 7 has been totally out of Microsoft support since January 14, 2020. That's nearly 2 and one-half years ago.
It is very likely that this machine can be upgraded to Windows 10 from Microsoft and at no cost. Windows 10 is a lot more secure than the ancient Win 7.
I have guided several folks to upgrade to Windows 10 with success.
This machine has an able Intel micro-processor & more than enough physical RAM to run the Windows 10 operating system.

By the way, as an aside & with an eye to system security: this machine has a way outdated Flash Player that has to be uninstalled: Adobe Flash Player 31 NPAPI.
Flash Player is insecure, outdated, and no longer supported.

I am struck by the large number of user accounts for this Windows. Why? And how is this system used? Is this not a home-use type computer?

Is the Checkpoint ZoneAlarm Security a paid-for license? I ask because it seems there are too many security app monitors. This rig also has installed on it:
+ Spybot - Search & Destroy
+ SpyShelter Firewall 12.7
+ Comodo Security Solutions Comodo Dragon



I prefer Windows 7 and don't want to upgrade. I know Microsoft stopped supporting it a while ago, but I still want to keep using it. The machine can't be upgraded because it hasn't been activated, and I don't see the point in doing so right now. I will remove the Flash Player now. The user accounts were created by me a while ago for something, nothing to be concerned about; I only use one account, "PC", and it's my personal computer. I installed ZoneAlarm a while ago after removing Comodo Firewall, and since then I've installed Malwarebytes, and now it seems they've been running simultaneously; I just didn't bother uninstalling ZoneAlarm as it wasn't interfering with anything. Also, it's the free version; I haven't paid for any anti-virus or malware protection software. I was thinking about removing ZoneAlarm and having Comodo Firewall with Malwarebytes as the anti-virus or for a weekly scan. Although I probably don't need it, I am looking into HIPS/HIDS to see how they would work. Regardless, I think the malware on my PC isn't going to be detected by any of these programs, and so I've been trying to install GlassWire to see outgoing connections and see if anything can be seen that way, even though it's unlikely and probably hidden from that as well. I'm running the MS Safety Scanner right now and will post the result once it's done, but I don't expect anything to show, just like it didn't last time, because the malware is hidden from these programs. I was looking at another thread about a type of rootkit/bootkit that is not on the OS level and thus not being detected by software programs, and this is also why I was thinking about nuking my hard drive and starting fresh with one or more of the steps the other guy has taken. Thank you for your help, Maurice.

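The poster's idea of watching outgoing connections is sound triage, and it does not need a third-party install. The script below is an added example, not something posted in this thread or shipped by GlassWire or Malwarebytes. Because Get-NetTCPConnection does not exist on Windows 7, it parses the output of netstat -ano, maps each established connection to its owning process, and reports the executable path and Authenticode status. The function name Get-ConnectionTriage is my own. One caveat that matters for the rootkit worry raised above: a kernel-level rootkit can hide sockets and processes from every user-mode tool, netstat included, so an empty or clean listing from this script (or from GlassWire) only rules out the ordinary case; the offline-capable scanners later in the thread, or an image taken from a clean boot medium, are what address the rest.

```powershell
# Added example (not from this thread): established TCP connections mapped to
# the owning process, with executable path and signature status.
# Parses "netstat -ano" because Get-NetTCPConnection is unavailable on Windows 7.
# PowerShell 2.0 compatible; read-only.

function Get-ConnectionTriage {
    # netstat -ano rows look like:  TCP  192.168.1.5:49832  93.184.216.34:443  ESTABLISHED  1234
    # UDP rows have no State column, so only TCP rows are considered.
    $lines = netstat -ano | Where-Object { $_ -match '^\s*TCP\s' }
    $procCache = @{}   # PID -> process details, looked up once per process

    foreach ($line in $lines) {
        $parts = $line.Trim() -split '\s+'
        if ($parts.Count -lt 5) { continue }
        $remote = $parts[2]
        $state  = $parts[3]
        $owner  = $parts[4]
        if ($state -ne 'ESTABLISHED') { continue }

        # IPv6 endpoints look like [::1]:443, so split on the LAST colon.
        $sep        = $remote.LastIndexOf(':')
        $remoteIp   = $remote.Substring(0, $sep).Trim('[', ']')
        $remotePort = $remote.Substring($sep + 1)

        if (-not $procCache.ContainsKey($owner)) {
            $name = '?'; $path = $null; $sigStatus = 'n/a'
            try {
                $p = Get-Process -Id ([int]$owner) -ErrorAction Stop
                $name = $p.ProcessName
                $path = $p.Path     # may throw for protected processes; caught below
            } catch { }
            if ($path) {
                $sigStatus = (Get-AuthenticodeSignature -FilePath $path).Status.ToString()
            }
            $procCache[$owner] = @{ Name = $name; Path = $path; Sig = $sigStatus }
        }
        $info = $procCache[$owner]

        New-Object PSObject -Property @{
            PID        = [int]$owner
            Process    = $info.Name
            Signature  = $info.Sig
            RemoteIP   = $remoteIp
            RemotePort = [int]$remotePort
            Path       = $info.Path
        }
    }
}

Get-ConnectionTriage |
    Sort-Object Process, RemoteIP |
    Format-Table PID, Process, Signature, RemoteIP, RemotePort, Path -AutoSize
```

Run it from an elevated prompt so the Path column is populated for processes in other sessions. What to look for is the same as with the process listing: browsers, updaters and the installed security products will account for most rows; a NotSigned executable from a Temp or AppData folder holding a long-lived connection to an unfamiliar address is the row to investigate. Repeating the run at intervals (for example when the mouse cursor behaves oddly) is more informative than a single snapshot.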


 

msert.log


By the way, no need to click on the "Quote" link when you next initiate a reply to this topic. Just start your reply directly in the white box at the very bottom.

Next, this will be a check with ESET Online Scanner for viruses, other malware, adware, & potentially unwanted applications.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

 

It will start a download of "esetonlinescanner.exe"

  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started.

 

  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes.
  • When prompted for scan type, click on Full scan.

Look at & tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.

  • Have patience. The entire process may take an hour or more. There is an initial update download.

There is a progress window display. You may step away from the machine & let it be. That is, once it is under way, you should leave it running. It will run for several hours.

  • At the screen "Detections occurred and resolved", click on the blue button "View detected results".
  • On the next screen, at lower left, click on the blue "Save scan log".
  • View where the file is to be saved. Provide a meaningful name for the "File name:".
  • On the last screen, set to Off (left) the option for Periodic scanning.
  • Click "Save and continue".
  • Please attach the report file so I can review it.

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following check-boxes:

  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices
  • List Users, Partitions and Memory size.
  • List Minidump Files


Click Go and post the result (MTB.txt). A copy of MTB.txt will be saved in the same directory the tool is run from.

Note: When using Reset FF Proxy Settings option Firefox should be closed. 

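Several of the MiniToolBox checkboxes above (hosts file, IE proxy settings, Winsock entries, users) are read-only looks at settings that malware commonly tampers with to redirect or intercept traffic. The script below is an added example, not MiniToolBox's code and not posted by anyone in this thread; it gathers the same kinds of information with built-in tools so the reader can see what the report is actually made of. Function names (Get-HostsEntries, Get-IEProxySettings, Get-WinsockProviders, Get-LocalAccounts) are my own. It only reads; the flush and reset actions MiniToolBox offers are deliberately not reproduced. PowerShell 2.0 compatible for Windows 7.

```powershell
# Added example (not from this thread): collect hosts entries, WinINET proxy
# settings, Winsock catalog providers and local accounts for review.
# Read-only; PowerShell 2.0 compatible (Windows 7).

function Get-HostsEntries {
    # Anything beyond the default "127.0.0.1 localhost" lines deserves a look:
    # a hijacked hosts file can silently redirect update or AV vendor domains.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content $hosts |
        Where-Object { $_ -match '^\s*[^#\s]' } |   # skip comments and blank lines
        ForEach-Object { $_.Trim() }
}

function Get-IEProxySettings {
    # Per-user WinINET proxy. A ProxyServer or AutoConfigURL the user never set
    # routes every IE/WinINET-based application's traffic through a third party.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $key
    New-Object PSObject -Property @{
        ProxyEnable   = $p.ProxyEnable      # 1 = a manual proxy is active
        ProxyServer   = $p.ProxyServer
        AutoConfigURL = $p.AutoConfigURL    # PAC script URL, if any
    }
}

function Get-WinsockProviders {
    # Parse "netsh winsock show catalog". Layered Service Providers whose path
    # is not under System32 are the classic Winsock-hijack indicator.
    $catalog = netsh winsock show catalog
    $entries = @()
    $current = @{}
    foreach ($line in $catalog) {
        if ($line -match '^Description:\s*(.+)$') {
            $current = @{ Description = $matches[1].Trim() }
        } elseif ($line -match '^Provider Path:\s*(.+)$') {
            $current.Path = $matches[1].Trim()
            $entries += New-Object PSObject -Property $current
        }
    }
    $entries
}

function Get-LocalAccounts {
    # Local accounts only (the WQL filter avoids slow domain enumeration).
    Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
        Select-Object Name, Disabled, Lockout, PasswordRequired, SID
}

'--- hosts entries ---';       Get-HostsEntries
'--- IE / WinINET proxy ---';  Get-IEProxySettings | Format-List
'--- Winsock providers ---';   Get-WinsockProviders | Format-Table Description, Path -AutoSize
'--- local accounts ---';      Get-LocalAccounts | Format-Table -AutoSize
```

On a clean Windows 7 system the Winsock providers all resolve under %SystemRoot%\system32 (mswsock.dll, napinsp.dll, pnrpnsp.dll, NLAapi.dll, winrnr.dll and the like); the proxy fields are empty with ProxyEnable 0 unless a proxy was configured on purpose; and the hosts file has nothing but the default localhost lines. Anything else is what the resets in MiniToolBox exist to undo, and is worth noting in the reply before they are run.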

This next tool ought to take something in the range of 15 - 25 minutes tops, depending on hardware speed.
Get & run the Malwarebytes MBAR anti-rootkit tool to do 1 run with it.
Disregard the title subject of the topic. Run the MBAR tool as listed here:

https://forums.malwarebytes.com/topic/198907-requested-resource-is-in-use-error-unable-to-start-malwarebytes

  • When done, I need the MBAR logs.
  • Upon completion of the scan or after the reboot, two files named mbar-log.txt and system-log.txt will be created.
  • Both files can be found in the extracted MBAR folder on your Desktop.
  • Please attach both files in your next reply.

Since the ESET scanner could not be started properly, go ahead and delete the downloaded file esetonlinescanner.exe. Then go about running this other scan tool. Let's check your system with another (different) antivirus scan tool.

Please download the following Kaspersky Virus Removal Tool 2020, save it to your Desktop, and run it as described below.

(Kaspersky Virus Removal Tool version 20.0.10.0 was released on November 9, 2021)

Download: Kaspersky Virus Removal Tool

  • How to run a scan with Kaspersky Virus Removal Tool 2020

          https://support.kaspersky.com/15674

  • How to run Kaspersky Virus Removal Tool 2020 in the advanced mode

          https://support.kaspersky.com/15680

  • How to restore a file removed during Kaspersky Virus Removal Tool 2020 scan

          https://support.kaspersky.com/15681

 


Select the Windows Key and R Key together; the "Run" box should open.

Drag and drop KVRT.exe into the Run box.

C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the Run box.

Add -dontencrypt (note the space between KVRT.exe and -dontencrypt).

C:\Users\{your user name}\DESKTOP\KVRT.exe -dontencrypt should now show in the Run box.


That addendum to the run command is very important: when the scan does eventually complete, the resultant report is normally encrypted; with the extra command it is saved as a readable file.

Reports are saved in C:\KVRT2020_Data\Reports and look similar to this: report_20210123_113021.klr
Right-click directly on that report, select > Open with > Notepad. Save that file and attach it to your reply.

To start the scan select OK in the "Run" box.

An EULA window will open; tick all confirmation boxes, then select "Accept".

In the new window select "Change Parameters".

In the new window ensure all selection boxes are ticked, then select "OK". The scan should now start...

When complete, if entries are found there will be options; if "Cure" is offered, leave as is. For any other options change to "Delete", then select "Continue".

When complete, or if nothing was found, select "Close".

Attach the report information as previously instructed...
Sincerely.

Let's do one scan with Malwarebytes AdwCleaner to check for adware. Just before pressing that "Scan" button, be sure that Chrome & Edge, or any other web browsers, are closed.

It will not take much time.

First download & save it

https://support.malwarebytes.com/hc/en-us/articles/360038520054-Download-and-install-Malwarebytes-AdwCleaner

Then be sure to close all web browsers.

Then go to where the EXE file is saved. Start AdwCleaner. Then do a scan with AdwCleaner:

https://support.malwarebytes.com/hc/en-us/articles/360038520114-Malwarebytes-AdwCleaner-scan-and-clean

Attach the clean log.


We will use FRST64.exe in the Downloads folder to run a custom script. The system will be rebooted after the script has run.

This custom script is for Donkeykong326 only / for this machine only.

 

This custom script has some specific things, plus some general aspects to help the system overall. Hoping it will not exceed 60 minutes in execution time.

NOTE-1: This script will run a scan using System File Checker to check that all Microsoft operating system files are valid and not corrupt, and attempt to correct any invalid files. It will rebuild the Winsock.

NOTE-2: It will remove many, many auto-startups of Eye Saver & Skype for Desktop (there are many repeats).

NOTE-3: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. 

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, Opera & Brave caches, HTML5 storage, and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

  • Please be sure to close any open work files, documents, and any apps you started yourself before starting this.

 

  • If there are any CD / DVD / USB-flash-thumb or USB-storage drives attached, please disconnect any of those.
  • Please save the attached file named FIXLIST.txt to the Downloads folder.

Fixlist.txt (attached)

Then start the Windows Explorer and go to the Downloads folder.


RIGHT-click on FRST64.exe and select Run as Administrator and allow it to proceed. Reply YES when prompted to allow it to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

  • IF you get a block message from Windows about this tool:

               click the line "More info" on that screen
               and click the button "Run anyway" on the next screen.

  • On the FRST window:

Click the Fix button just once, and wait.

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after the restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity.

Edited by Maurice Naggar

I don't see the point of this; I don't care for having browser history and other things that aren't malicious removed. Where is the malware? I knew it wouldn't be detected and I was right. It must be beyond the OS, which is why it's not being detected. I think I will have to nuke my hard drive and start fresh to be certain. I was hoping it would be detected, but it was not.


  • Root Admin

Though I would not suggest installing Windows 7 if you're going to start fresh, if you do decide to stay with Windows 7 then I highly suggest that you follow the directions in the topic below to get as up to date as possible.

How to update Windows 7 to the latest Security Updates
https://forums.malwarebytes.com/topic/274496-how-to-update-windows-7-to-the-latest-security-updates/

 

Then, once Windows has been installed and fully updated I'd recommend you create a master image of the system using Macrium Reflect (it's free) to an external USB drive. That way if anything bad does happen again in the future you can restore that image within minutes.

Then create another image that you use for weekly or monthly backup updates, but don't touch the master image.

Backup Software
https://forums.malwarebytes.org/index.php?/topic/136226-backup-software

How to Create a Full-Disk Backup of Your PC with Macrium Reflect
https://www.howtogeek.com/howto/7363/macrium-reflect-is-a-free-and-easy-to-use-backup-utility/

How to create a full backup of Windows 10 using Macrium Reflect
https://pureinfotech.com/create-backup-windows-10-macrium-reflect/

Cloning a disk using Macrium Reflect 8
https://www.youtube.com/watch?v=lSdSNAjmdDg

Configuring a backup with Macrium Reflect 8
https://www.youtube.com/watch?v=rwc01y9Ggzs

Macrium Drive Image and Restore
https://www.youtube.com/watch?v=iO9gCwQjBSo


  • 2 weeks later...
  • Root Admin

Undesirable changes to a web browser are not necessarily considered a threat and thus not always detected by antivirus.

Absolutely you can do something, but you choose not to, so we've provided other methods to help keep you running on old unsupported software.

 

How to make clean install of Windows 11
https://answers.microsoft.com/en-us/windows/forum/all/how-to-make-clean-install-of-windows-11/789f6891-7261-4c40-a632-6a44e53a3e30


  • 3 weeks later...
  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy: Tips to help protect from infection

Thank you


This topic is now closed to further replies.