MBAM found malware, what now?

[Scanzie]

I run constant scans with MBAM. However, the lastest one found some stuff. The moment before I decided to run a scan, Win10 was running weird, with Firefox not being able to open up and immediately crashing after starting, Chrome able to start but not able to load tabs and MBAM not having enough memory to start. These things disappeared after a reboot and then I could run the scan. The logs are attached and together with the FRST and Addition.

Addition.txt FRST.txt mbam log.txt

[Scanzie]

I forgot to add, I ran MBAM's Anti-Adware afterwards, which came out clean.

[Porthos]

Quote

Malware.Heuristic.1003

Please turn off the following setting Restore the files and scan again. This setting is off by default and should not really be enabled.

 

Edited July 2, 2022 by Porthos

[shadowwar]

these files have been whitelisted. 

[Scanzie]

After 20 hours, MBAM scan came out clean. No idea why it is taking longer than usual. I also ran ESET online scanner for the hell of it and it only flagged one remaining file of a previous Avast installation in a secondary drive. I'm still curious about those [Atention] details in the FRST log.

[Scanzie]

I don't ever recall tampering with things to make these things appear:

HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiSpyware] Restriction <==== ATTENTION
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiVirus] Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate: Restriction <==== ATTENTION

GroupPolicy: Restriction ? <==== ATTENTION
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION

 

Or whatever this means:

Windows is unable to verify the image integrity of the file \Device\HarddiskVolume5\Windows\Temp\aswa2b4b00da4490296.tmp because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

[Scanzie]

Also, I ran MS Safety Scanner. It said it found 35 infected files, but it just says it removed VirTool:Win32/DefenderTamperingRestore, which if I'm not mistaken, usually comes out as a false positive. Here is the log anyways.

msert.log

[AdvancedSetup]

Good day, @Scanzie

Policies get set on purpose by Microsoft and sometimes by the settings of a program. The listing by Microsoft Safety Scanner is normal to find and remove that setting. The file detections during scan are not real detections. They are traces of "potential" threat. Microsoft gathers all of them locally, then uploads them to their Cloud Artificial Intelligence to determine if, in fact, they're actual threats or just traces. The final written log is the valid result.

Please restart your computer again, then run the Farbar scanner and post back both new logs and I will review for any other potential issues.

• FRST.txt
• Addition.txt

 

Thanks

 

[Scanzie]

Here.

 

I wonder why the Event Log and below shows up quite a bunch of errors. I have to run /sfc scannow and /dism quite frequently because there is always some corruption getting (successfuly) fixed, Chkdsk never finds anything, I do have drivers updated and yet sometimes this PC goes a bit weird and for example, an important excel file I need got damaged and Windows cannot extract from some compressed folders. I thought it might be some sort of malware, but nothing is coming out either.

FRST.txt Addition.txt

[AdvancedSetup]

The computer doesn't show signs of obvious infection and issues in the Event Logs is not always corrected by SFC or DISM. In many cases you need a specific fix.

It could be that you've damaged the computer at some point too due to infection or modifications to the registry that were invalid, etc. If you have ongoing issues then you might want to consider doing a CLEAN INSTALL of Windows.

Basically backup all your personal data to an external USB drive. Then build a USB thumb drive of the Windows 10 or 11 installers. Boot from it and remove the current partition and install Windows.

 

 

Greg Carmack - MVP 2010-2020 -Clean Install Windows 10
https://answers.microsoft.com/en-us/windows/forum/windows_10-windows_install/clean-install-windows-10/1c426bdf-79b1-4d42-be93-17378d93e587

How to Create a Local Account While Setting Up Windows 10
https://www.howtogeek.com/442792/how-to-create-a-local-account-while-setting-up-windows-10/

 

Or if you want Windows 11

How to make clean install of Windows 11
https://answers.microsoft.com/en-us/windows/forum/all/how-to-make-clean-install-of-windows-11/789f6891-7261-4c40-a632-6a44e53a3e30

 

You currently have a service install in a Temp folder which does not belong.

S3 GPU-Z-v2; \??\C:\Users\USER\AppData\Local\Temp\GPU-Z-v2.sys [X] <==== ATTENTION

If you like we can try to do a bit of clean up of the current computer, but in the long run, taking the time to do a clean install of Windows would be a much better choice.

Let me know how you'd like to proceed.

 

[Scanzie]

Thing is, this is already a new fresh installation and I never had infections before nor do I tamper the registry.

Quote

You currently have a service install in a Temp folder which does not belong.

Interestingly enough, it isn't appearing in the Temp folder.

Quote

If you like we can try to do a bit of clean up of the current computer,

I'd rather prefer this, TBH as I don't have a thumb drive large enough to back up things and cannot buy one either.

[AdvancedSetup]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy Tips to help protect from infection

Thank you