
Possible Malware, but Nothing Detected (so far)


Solved by AdvancedSetup

Hello,

Yesterday, my PC started slowing down, significantly. I'd get these weird pauses, like it was trying to keep up with what I was doing. At this point, it feels like I'm trudging through quicksand. I am a Malwarebytes Premium customer and it is up and running constantly, but I went to do a manual scan and while it was going through 'Check for Updates' I got a pop-up that said, 'Something went wrong - One or more items in the update did not complete successfully. Please check your internet connection and try again. If you need more help, visit our support site.' After that, it initiated and continued through the scan, but towards the very end of the scan (around 247k files scanned) I got a blue screen that I had never seen before until yesterday that states: ':( - Your device ran into a problem and needs to restart. We're just collecting some error info, and then we'll restart for you.' There's also a QR code on the blue screen that directs me to more info on the issue and possible fixes. After a few seconds, it automatically reboots the PC.

At this point, I wasn't too freaked out, but I started cleaning up my desktop some, getting rid of old Word docs, pics, Zoom audio files, etc. I also deleted Microsoft Teams, Slack, and Discord (I barely use them) and reran Malwarebytes Premium. The same thing happened: it didn't get the update completed and the blue screen came back. When it rebooted, all of the files that I deleted were back on my desktop. I deleted some of the files again and rebooted, and the same thing: the files were back.

I've tried to download other virus scanners, but every time I download something like that, it asks to reboot to finish installation. When I reboot, the software is gone and I'm back to square one, like the PC is stuck in a moment in time.

I did follow directions while reading through other posts and I was able to get AdwCleaner and Farbar Recovery Scan Tool downloaded. I've attached the logs. Anything I download that requires a reboot doesn't show up when the PC comes back up. I also tried to run MSERT, but I got the message, 'Your organization used the Windows Defender Application to block this app.' This is my personal PC, by the way.

Any assistance is greatly appreciated!

 

AdwCleaner[C00].txt AdwCleaner[S00].txt Addition.txt FRST.txt


Hello @PlanoDad, my name is Maurice. I will guide you.

This is a report only.

Please download MALWAREBYTES MBST Support Tool

Once you start it, click Advanced >>> then Gather Logs.

Have patience till the run has finished.

Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop.


I will guide you along on looking for malware. Let's keep these principles as we go along.

  • Removing malware can be unpredictable
  • Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Only run the tools I guide you to.
  • Do not run online games while case is on-going. Do not do any free-wheeling web-surfing.
  • The removal of malware isn't instantaneous, please be patient.
  • Cracked, hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also a big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
  • Please stick with me until I give you the "all clear".
  • If your system is running Discord, please be sure to Exit out of it while this case is on-going.

One of the things I notice is that MS Defender has been "disabled" and that it is having issues; it looks like a potential updates failure.

Date: 2022-07-08 10:39:28
Description: 
Microsoft Defender Antivirus has encountered an error trying to update security intelligence.
New security intelligence Version: 1.369.978.0
Previous security intelligence Version: 1.369.254.0
Update Source: User
Security intelligence Type: AntiSpyware
Update Type: Delta
Current Engine Version: 1.1.19300.2
Previous Engine Version: 1.1.19300.2
Error code: 0x80509004
Error description: An unexpected problem occurred.

After you attach the MBST report ZIP file, then I urge you to do what follows ( as a next step).

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links and how to run the tool are at this link at Microsoft:

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on Scan Options and select FULL scan.

Then start the scan. Have lots of patience. Once you start the scan & you see it started, then leave it be.  

  • Once you see it has started, take a long, long break; walk away. Do not give credence to any intermediate early flash messages on the screen display. The only thing that counts is the end result at the end of the run.
  • Again, any on-screen display about a repeat 'infection' is not to be relied on. Ignore those.
  • We only rely on the end result that is in the log-report file.

 

This is likely to run for many hours   ( depending on number of files on your machine & the speed of hardware.)

The log is named MSERT.log and will be at

Windows\debug\msert.log

Please attach that log with your reply. We will do more later.

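Added example (not part of the thread or of Maurice's instructions): the post above reads the Defender update failure out of a log attachment and then asks for an MSERT run. From an elevated PowerShell prompt the same facts can be pulled directly: the Defender engine and signature state, the Event ID 2001 entries Defender writes for each failed security-intelligence update (the text of those entries is the one quoted above), the policy registry values that switch Defender off, and the MSERT log at the path given above. The registry value names and the event ID are standard Defender ones; the seven-day window is an arbitrary choice for this example.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.

# 1. Engine, service and signature state as Defender reports it.
$status = Get-MpComputerStatus
[pscustomobject]@{
    AMServiceEnabled    = $status.AMServiceEnabled
    AntivirusEnabled    = $status.AntivirusEnabled
    RealTimeProtection  = $status.RealTimeProtectionEnabled
    TamperProtected     = $status.IsTamperProtected
    EngineVersion       = $status.AMEngineVersion
    SignatureVersion    = $status.AntivirusSignatureVersion
    SignatureLastUpdate = $status.AntivirusSignatureLastUpdated
} | Format-List

# 2. Event ID 2001 = "encountered an error trying to update security intelligence".
#    Event ID 2000 is the matching success entry; listing both shows when updates stopped working.
$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 2000, 2001
    StartTime = (Get-Date).AddDays(-7)   # arbitrary window for this example
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize -Wrap

# 3. A Defender that shows as "disabled" is usually a policy value; read them directly.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$checks = @(
    @{ Key = $policyRoot;                          Name = 'DisableAntiSpyware' }
    @{ Key = "$policyRoot\Real-Time Protection";   Name = 'DisableRealtimeMonitoring' }
    @{ Key = "$policyRoot\Signature Updates";      Name = 'SignatureUpdateInterval' }
)
foreach ($c in $checks) {
    $v = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    "{0}\{1} = {2}" -f $c.Key, $c.Name, ($(if ($null -eq $v) { '<not set>' } else { $v }))
}

# 4. Trigger a signature update here so the error surfaces in the console, not a pop-up.
try   { Update-MpSignature -ErrorAction Stop; 'Signature update succeeded' }
catch { "Signature update failed: $($_.Exception.Message)" }

# 5. MSERT only writes its log once it has actually been allowed to run.
$msertLog = Join-Path $env:SystemRoot 'debug\msert.log'
if (Test-Path $msertLog) { Get-Content $msertLog -Tail 30 } else { "No MSERT log yet at $msertLog" }
```

If step 3 shows `DisableAntiSpyware = 1` while `TamperProtected` is `True`, that value was set before tamper protection was on or by something running as SYSTEM; either way the value, not the GUI toggle, is what to fix.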

Leave the MSERT alone. It is being blocked by the infection(s). Here is what we want to do next. Please set File Explorer to SHOW ALL folders, all files, including hidden ones. Use OPTION ONE or TWO of this article:
Please use this guide https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

This custom script is for  Planodad only / for this machine only.

Be very sure to Save any work-files you have open at this point. Close & Save any open edits, if any. . 

There are some eight (8) very suspicious scheduled tasks that simply are not a standard set from Microsoft Windows! Those will be removed.

This run will do a few passes with the Windows System File Checker to check the integrity of Windows system files. This same run will remove a few auto-started apps that just do not need to be auto-started. They are Steam, Discord, Adobe Reader Synchronizer, and one Chrome auto-launch. Keep in mind that games you can start (much later) on your own after the system has the all clear. Discord you can self-start later. The first main goal is to get rid of the 8 suspects AND to remove the blockage of Microsoft Defender and MS Security.

We will use FRSTENGLISH in the Downloads folder to run a custom script. The system will be rebooted after the script has run.

Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.

  • Please save the (attached file named) FIXLIST.txt   to the   Downloads   folder

Fixlist.txt

Then, Start the Windows Explorer and then, go  to the Downloads   folder.


RIGHT-click on FRSTENGLISH and select Run as Administrator and allow it to proceed. Reply YES when prompted to allow it to run. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

  • IF you get a block message from Windows about this tool......

               click line More info information on that screen
               and click button Run anyway on next screen.

  • on the FRST window:

Click the Fix button just once, and wait.


 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. 

  1. Please attach the FIXLOG.txt with your next reply later, at your next opportunity.
  2. Also, after you attach the log-report, then you should go back to my earlier tips on doing a FULL scan with the MSERT tool.
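Added example (not Maurice's fixlist, which is an attachment this page does not show): before a fix removes "eight very suspicious scheduled tasks" and unblocks Defender, a responder wants the same list with the command each task actually runs, and an explanation for the "Your organization used Windows Defender Application Control to block this app" message the original poster hit. The script below lists every task outside the `\Microsoft\` task folder with its action and run-as account, reads the WDAC enforcement state from the `Win32_DeviceGuard` class, lists deployed policy files, and pulls the Code Integrity block events (ID 3077 enforced, 3076 audit). The task-path filter is a heuristic, not a guarantee that a task under `\Microsoft\` is benign.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.

# 1. Scheduled tasks outside the \Microsoft\ folder, one row per action.
#    Legitimate vendor tasks (Adobe, Google, Steam...) will appear here too;
#    what matters is the Execute/Arguments column.
Get-ScheduledTask |
    Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
    ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            [pscustomobject]@{
                Task      = $task.TaskPath + $task.TaskName
                State     = $task.State
                Author    = $task.Author
                RunAs     = $task.Principal.UserId
                Execute   = $action.Execute
                Arguments = $action.Arguments
            }
        }
    } | Format-Table -AutoSize -Wrap

# 2. WDAC (Code Integrity policy) enforcement state.
#    0 = no policy, 1 = audit mode, 2 = enforced. An enforced policy on a personal
#    PC that never had one deployed is exactly what produces the "your organization
#    used Windows Defender Application Control to block this app" dialog.
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
"Kernel-mode CI policy: $($dg.CodeIntegrityPolicyEnforcementStatus)"
"User-mode  CI policy: $($dg.UsermodeCodeIntegrityPolicyEnforcementStatus)"

# 3. Where a WDAC policy is deployed from: the single-policy SIPolicy.p7b, or
#    per-policy .cip files under CiPolicies\Active. Note the timestamps.
$ciRoot = Join-Path $env:SystemRoot 'System32\CodeIntegrity'
Get-ChildItem $ciRoot -Filter '*.p7b' -ErrorAction SilentlyContinue |
    Select-Object FullName, LastWriteTime
Get-ChildItem (Join-Path $ciRoot 'CiPolicies\Active') -ErrorAction SilentlyContinue |
    Select-Object FullName, LastWriteTime

# 4. Every executable Code Integrity refused to run under that policy.
#    3077 = blocked (enforce mode), 3076 = would have been blocked (audit mode).
$ciEvents = @{
    LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id        = 3076, 3077
    StartTime = (Get-Date).AddDays(-3)   # arbitrary window for this example
}
Get-WinEvent -FilterHashtable $ciEvents -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Blocked'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize -Wrap
```

A renamed copy of a blocked tool (the Gazork.exe trick used later in this thread) only helps against a policy or a process that matches on file name; a WDAC rule that blocks by hash or by signer will still log a 3077 for the renamed file, which is a quick way to tell the two cases apart.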

In normal mode of Windows, see if you can simply double-click FRSTENGLISH to get it started. If it starts, then click on FIX button.

BUT if it continues to still not "work", see if you can restart Windows into "Safe Mode with Networking".

If you can do that, then do the same steps I had outlined before to begin the Fix run.

Maurice - I tried to reboot in Safe Mode and it for some reason went into regular mode and I lost the FRSTENGLISH file from the download folder, since it reverts back to a time yesterday. I can't find it anywhere. I have all of my folders shown. Any suggestions?

Thanks,

Trey


Did something / anything happen that caused the system to revert to an old state?

Look on the Desktop to see if it has FRST64 currently saved there. IF yes, then we want to use FRST64  and also have my Fixlist saved to the same folder  ( The Fixlist works as a pair along with FRST64 executable AND they have to be on the same folder).

IF it becomes needed, you can simply download & save a new copy of the tool FRST64.exe from this link 

Be sure the file is saved.

As a safety measure, you can take an interim measure and do a RIGHT-click on FRST64.exe and then Rename it to

Gazork.exe

That way the name is so unique the "pest-malware" will not "recognize" it.  Then run the tool named Gazork in the Fix run procedure I listed before.


I just noticed that it was reverting back last night after trying to clean up my desktop. It has done it ever since.

I can't get into FRST64.exe. I have both files in the download folder and it just keeps timing out after it asks me if I want the file to make changes to the PC. I did try Gazork as well with the same result. I even ended up downloading a new copy of FRST64 and it wouldn't run.

 


Do not freak out, but... that all is disturbing. 😜

There is an article at Bleepingcomputer named How to Start Windows 10 in Safe Mode with Networking https://www.bleepingcomputer.com/tutorials/how-to-start-windows-10-in-safe-mode-with-networking/

That describes the steps to get Windows 10 into "Safe Mode with Networking".
Please study that. The goal is to get to that screen "Startup Settings" and
press the number 5 key on your keyboard to enter Safe Mode with Networking.

Look over that whole article. The descriptions and the images all help.
We want the system to be in "Safe Mode with Networking" to run my custom script.

((When you get a free moment, let me know if, where you are, there is another machine that is known to be clean, and if you have a re-usable clean USB thumb drive that is at least 8GB.))

By the way, remember that the FRST tool does not show a display screen right away; there can be a delay of about a minute because it checks for a new updated version. In other words, allow a couple of minutes for the FRST GUI window to be ready for use.

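Added example (not part of the thread): the Startup Settings menu route described in the linked article depends on the recovery environment and on the F8/legacy boot menu, and on this machine it never shows the numbered list. An alternative that does not need that menu is to write the safe-boot flag into the boot configuration data with `bcdedit`, which then applies to the next boot. These are standard `bcdedit` options, shown here as an added procedure rather than something the thread itself did; the caveat is that the flag is persistent, so it has to be removed again afterwards, and on a machine whose disk state is being rolled back on every reboot the BCD store may be rolled back with it.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# In PowerShell the {current} identifier must be quoted, or the braces parse as a script block.

# Show the current boot entry before changing anything, so the change can be undone.
bcdedit /enum '{current}'

# Boot the current entry into Safe Mode with Networking on the next start.
# (Use 'minimal' instead of 'network' for plain Safe Mode.)
bcdedit /set '{current}' safeboot network

# Optional: bring back the text-mode F8 boot menu, which is off by default on
# fast-boot/UEFI installs, so the advanced options can be reached at boot time.
bcdedit /set '{default}' bootmenupolicy legacy

# Confirm the safeboot value is present, then reboot.
bcdedit /enum '{current}' | Select-String -Pattern 'safeboot'
Restart-Computer -Force

# ---------------------------------------------------------------------------
# After the work in Safe Mode is finished, remove the flag or the machine
# will boot into Safe Mode every time:
#   bcdedit /deletevalue '{current}' safeboot
# The legacy menu can be reverted with:
#   bcdedit /set '{default}' bootmenupolicy standard
```

If `bcdedit /set` fails with an access-denied error while running elevated, or the value is gone again after the reboot, that is itself a finding: either the BCD store is read-only for this session or the same mechanism that restores the Downloads folder is restoring the boot partition.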

Maurice - I finally got the FRST64 up and running (in normal mode). The first time I ran it, I got the blue screen and it auto-rebooted. It’s been on the 2nd run for almost an hour and still going. Fingers crossed!

We do have another PC in the house and I do have access to a few thumb drives.

Also, my Safe Mode still isn't working right. When I get to the Startup Settings screen, I click Restart and it goes straight into a reboot instead of showing me the numbered list where I'm supposed to select 5.

Thanks,

Trey


Does this mean that FRST64 is running the FIX job? If so, let it run and just be looking for the "normal" completion (hopefully). This whole situation is highly unusual. When the run has finished, I am looking for "Fixlog.txt". There is much, much more to do here.


So I see the Fixlog pop into the Downloads folder at 0 KB while I'm running FRST64, but the system randomly reboots while the fix is running. When that happens, Windows reverts back to yesterday and the Fixlog isn't there anymore. I had to download FRST64 again because it vanished on the revert reboot.

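Added example (not part of the thread, which closes without identifying the cause): every post above describes the same symptom, files and tools vanishing and the disk returning to "yesterday" on each reboot, and nothing in the thread says what is doing it. The generic checks a responder would run for that symptom are to list what sits between Windows and the volume: loaded file-system minifilter drivers, running kernel drivers that are not signed by the Windows OS publisher, and services whose binaries live outside the Windows directory. The `Resolve-DriverPath` helper is this example's own, written for the three path forms `Win32_SystemDriver.PathName` commonly returns; the "not signed by Microsoft Windows" filter is a triage heuristic (WHQL-signed third-party drivers show the Microsoft Windows Hardware Compatibility Publisher and are deliberately kept in the list).

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.

# 1. File-system minifilters currently attached, with their altitudes (text output).
fltmc filters

# Helper (this example's own): normalise the path forms Win32_SystemDriver returns.
function Resolve-DriverPath([string]$p) {
    $p = $p -replace '^\\\?\?\\', ''                          # \??\C:\...  -> C:\...
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"    # \SystemRoot\... -> C:\Windows\...
    if ($p -match '^(?i)system32\\') { $p = Join-Path $env:SystemRoot $p }   # system32\drivers\x.sys
    return $p
}

# 2. Running kernel drivers whose Authenticode signer is not "Microsoft Windows".
Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        $file = Resolve-DriverPath $_.PathName
        $sig  = Get-AuthenticodeSignature -FilePath $file -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Name      = $_.Name
            StartMode = $_.StartMode
            File      = $file
            SigStatus = $sig.Status
            Signer    = $sig.SignerCertificate.Subject
        }
    } |
    Where-Object { $_.Signer -notmatch '^CN=Microsoft Windows,' } |
    Sort-Object Signer, Name |
    Format-Table -AutoSize -Wrap

# 3. Services whose executable is outside the Windows directory.
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -and ($_.PathName -notlike "$env:SystemRoot\*") -and ($_.PathName -notlike "`"$env:SystemRoot\*") } |
    Select-Object Name, State, StartMode, StartName, PathName |
    Sort-Object Name |
    Format-Table -AutoSize -Wrap

# 4. A direct test of the symptom: leave a marker file, reboot, and see whether it survived.
$marker = Join-Path $env:SystemDrive 'rollback-marker.txt'
if (Test-Path $marker) {
    "Marker from $((Get-Item $marker).CreationTime) survived the reboot: the volume is NOT being rolled back."
} else {
    Set-Content -Path $marker -Value (Get-Date -Format o)
    "Marker written to $marker; reboot and run this script again."
}
```

Anything in step 1 or 2 that is not a known antivirus, backup, virtualisation or storage vendor is what to hand to the helper next; step 4 is the only one of the four that proves the rollback rather than inferring it, and it should be repeated on a second volume if the machine has one, because a rollback product is often scoped to the system drive only.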

This topic is now closed to further replies.