Malware appears in Registry Keys: 'Old Malwarebytes' vs 'New Malwarebytes'
Hi,

I use both the old and the new Malwarebytes to check, but with different results:

1. I used the 'Old Malwarebytes' to scan for the malware and pressed the 'remove' button; however, the malware could not be cleaned even when I repeated the process;

2. I removed the 'Old Malwarebytes' and installed the 'New Malwarebytes'. The new one did not show such malware;

3. I uninstalled the 'New Malwarebytes' and reinstalled the 'Old Malwarebytes'. Unfortunately, the malware appeared again.

So, please advise how to tackle the malware issues. Thanks.

 


15 minutes ago, Welcomeccl said:

I uninstalled the 'New Malwarebytes' and reinstalled the 'Old Malwarebytes'. Unfortunately, the malware appeared again.

The old version could be reporting false positives that have been fixed in the new version. Depending on which "old" version you were using, it might not get updates any longer.

Please do the following so that we may take a closer look at your installation for troubleshooting:

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer; please allow the programs to run if blocked by your system.

 

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to your desktop, please upload that file on your next reply

Thanks


  • Root Admin

Your system is running ESET antivirus, which is a decent antivirus.

What keys are you seeing or believe to be an infection?

Please export the keys and show us or show a screenshot

 

I'm officially off work until Tuesday, but will try to assist you before then if possible.

 


Dear AdvanceSetup,

Please find attached further information for your review.

The 2 infected Registry Keys are as follows:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe

 

Thanks.

Attachments: mbam-log-2022-08-30 (09-25-45).txt, mbam-log-2022-09-01 (10-05-18).txt

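An added example, not part of the original post and not Malwarebytes' own tooling: a read-only PowerShell audit of the Image File Execution Options (IFEO) key that lists every subkey carrying a Debugger, GlobalFlag or MinimumStackCommitInBytes value, and flags the two executables named above. The watch list (MRT.exe and MsMpEng.exe plus a few other assumed security-tool binaries) and the set of value names are assumptions of this example; it changes nothing on the system.

```powershell
# Added example (not from the thread): audit Image File Execution Options (IFEO).
# A "Debugger" value under IFEO\<exe> makes Windows start that "debugger" instead
# of the executable, and the other listed values also change how the target is
# started. Entries for security-tool binaries such as MRT.exe and MsMpEng.exe are
# therefore worth a close look. Run in an elevated PowerShell; nothing is modified.

$ifeoPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Executables flagged in the thread plus a few other security-tool binaries (assumed list).
$watchList = @('MRT.exe', 'MsMpEng.exe', 'MpCmdRun.exe', 'mbam.exe', 'egui.exe', 'ekrn.exe')

# Values under an IFEO subkey that alter how the named executable is launched.
$riskyValues = @('Debugger', 'GlobalFlag', 'MinimumStackCommitInBytes')

$findings = foreach ($key in Get-ChildItem -Path $ifeoPath -ErrorAction SilentlyContinue) {
    $exe = $key.PSChildName                      # subkey name, e.g. MRT.exe
    foreach ($name in $riskyValues) {
        $value = $key.GetValue($name)
        if ($null -ne $value) {
            [pscustomobject]@{
                Executable = $exe
                Value      = $name
                Data       = $value
                Watched    = ($watchList -contains $exe)   # $true for the binaries we care most about
            }
        }
    }
}

if (-not $findings) {
    'No IFEO subkeys carry a Debugger, GlobalFlag or MinimumStackCommitInBytes value.'
} else {
    # Watched executables first: a Debugger value on one of these is the classic
    # way a security tool gets silently prevented from starting.
    $findings |
        Sort-Object -Property @{ Expression = 'Watched'; Descending = $true }, Executable |
        Format-Table -AutoSize
}

# To export a key for review, as requested in the thread (built-in reg.exe syntax):
#   reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe" ifeo_MRT.reg
```

An IFEO subkey with no such values (for example only a "DisableExceptionChainValidation" or nothing at all) is common and harmless; it is the Debugger data pointing at an unexpected program that matters.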

15 minutes ago, Welcomeccl said:

Further scanning by old version on 3 Sep 2022 after testing the new version.

Version 1.6 was discontinued and no further development/updates were done on it since way before Windows 10 or 11 were even conceived.

The database of your old version is from 2011.

Quote:

Database version: v2011.12.24.05

You need to stop being paranoid and stop using that version period.


  • Root Admin

Please follow the directions from @Porthos and uninstall all versions of Malwarebytes @Welcomeccl

Make sure you write down your license key first though so you know what it is.

Then install the latest version

MB4 Offline Installer
https://downloads.malwarebytes.com/file/mb4_offline

 


  • Root Admin

Please run the following steps and post back the logs as an attachment when ready.
Temporarily disable your antivirus or other security software first. Make sure to turn it back on once the scans are completed.
Temporarily disable Microsoft SmartScreen to download software below if needed. Make sure to turn it back on once the scans are completed.
If you still have trouble downloading the software please click on Reveal Hidden Contents below for examples of how to allow the download.

 

When downloading with some browsers you may see a different style of screen that may block FRST from downloading. The program is safe and used hundreds of times a week by many users.

[Screenshots: example of Microsoft Edge blocking the download]

 



STEP 01

  • If you already have Malwarebytes installed then open Malwarebytes and click on the Scan button. It will automatically check for updates and run a Threat Scan.
  • If you don't have Malwarebytes installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and select Scan and let it run.
  • Once the scan is completed make sure you have it quarantine any detections it finds.
  • If no detections were found click on the Save results drop-down, then the Export to TXT button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If there were detections then once the quarantine has completed click on the View report button, then click the Export drop-down, then the Export to TXT button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If the computer restarted to quarantine you can access the logs from the Detection History, then the History tab. Highlight the most recent scan and double-click to open it. Then click the Export drop-down, then the Export to TXT button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know in your next reply that the scanner would not run.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Double-click to run the program
  • Accept the End User License Agreement.
  • Wait until the database is updated.
  • Click Scan Now.
  • When finished, if items are found please click Quarantine.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Attach or Copy its content into your next reply.

RESTART THE COMPUTER Before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here each time.
  • Please attach the Addition.txt log to your reply as well.
  • On your next reply, you should be attaching FRST.txt and Addition.txt to your post, every time.

 

Thanks


  • Root Admin

You have the following security software installed.

ESET Security
Huorong Internet Security
Malwarebytes version 4.5.14.210


Please make sure there are no conflicts between any of these programs.

 

The logs do not appear to show any obvious signs of an infection, but you do have quite a few drivers that may potentially be suspicious.
You would need to boot into the Recovery Environment and then copy those files to a new folder.

Then upload them to https://virustotal.com and have it scan them to see if they're bad or not.

 

S3 0d; system32\DRIVERS\0d.sys [X]
S3 4OETA0QNsITk; system32\DRIVERS\4OETA0QNsITk.sys [X]
S3 5VirSLpaswph; system32\DRIVERS\5VirSLpaswph.sys [X]
S3 7E4F37RLAa; system32\DRIVERS\7E4F37RLAa.sys [X]
S3 7Ky_HgiJBn; system32\DRIVERS\7Ky_HgiJBn.sys [X]
S3 ayvbgj8q_; system32\DRIVERS\ayvbgj8q_.sys [X]
S3 Byu; system32\DRIVERS\Byu.sys [X]
S3 CWDlpj3aCJUBxnz; system32\DRIVERS\CWDlpj3aCJUBxnz.sys [X]
S3 CWxTbZ9F; system32\DRIVERS\CWxTbZ9F.sys [X]
S3 iutJ78dkLWTp; system32\DRIVERS\iutJ78dkLWTp.sys [X]
S3 jI396l6aCa; system32\DRIVERS\jI396l6aCa.sys [X]
S3 kuJKeTgUppyoRl0; system32\DRIVERS\kuJKeTgUppyoRl0.sys [X]
S3 QYe8VQ9Ik; system32\DRIVERS\QYe8VQ9Ik.sys [X]
S3 rI2ipccM; system32\DRIVERS\rI2ipccM.sys [X]
S3 WhkBpQGAiAfocV9; system32\DRIVERS\WhkBpQGAiAfocV9.sys [X]
S3 xgdFicGthYmH; system32\DRIVERS\xgdFicGthYmH.sys [X]
S3 XOIjfTrd99tnX8; system32\DRIVERS\XOIjfTrd99tnX8.sys [X]
S3 XSIayLU; system32\DRIVERS\XSIayLU.sys [X]

 

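An added example, not from the thread: PowerShell that checks service names from the FRST excerpt above on the live system, reporting whether the service key exists, where its ImagePath points, whether that file is present on disk, and the file's SHA-256 so it can be searched on VirusTotal by hash rather than uploaded. The four names are taken from the list above; the ImagePath normalisation rules are an assumption of this example.

```powershell
# Added example, not from the thread: check service names that FRST listed with
# "[X]" (service key present, driver file not found). For each name, read the
# service key, resolve ImagePath to a file, and hash the file if it exists so it
# can be looked up on VirusTotal by SHA-256. Run in an elevated PowerShell on the
# live system; a driver hidden from a running Windows still shows as missing here,
# which is why the thread suggests copying the files from the Recovery Environment.

# Four names taken from the FRST excerpt above (a constructed subset for this example).
$names = @('0d', '4OETA0QNsITk', 'Byu', 'XSIayLU')

function Resolve-ServiceImagePath {
    param([string]$ImagePath)
    # ImagePath values come in several forms: relative to the Windows directory
    # (system32\DRIVERS\x.sys), prefixed with \SystemRoot\, or prefixed with \??\.
    $p = $ImagePath -replace '^\\SystemRoot\\', "$env:SystemRoot\" -replace '^\\\?\?\\', ''
    if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

$results = foreach ($svc in $names) {
    $key = Get-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$svc" -ErrorAction SilentlyContinue
    $imagePath = $null; $start = $null; $file = $null; $exists = $false; $hash = $null

    if ($key) {
        $imagePath = $key.GetValue('ImagePath')
        $start     = $key.GetValue('Start')      # 3 = on demand, which FRST shows as "S3"
        if ($imagePath) {
            $file   = Resolve-ServiceImagePath $imagePath
            $exists = Test-Path -LiteralPath $file
            if ($exists) { $hash = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash }
        }
    }

    [pscustomobject]@{
        Service    = $svc
        KeyExists  = [bool]$key
        Start      = $start
        ImagePath  = $imagePath
        FileExists = $exists     # $false here corresponds to the "[X]" marker in the FRST log
        Sha256     = $hash       # search this on VirusTotal instead of uploading the file
    }
}

$results | Format-Table -AutoSize
```

A service key whose file is missing cannot load, so on its own it is a leftover rather than an active infection; the entries still deserve a look because the random-looking names are unusual for legitimate drivers.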

  • Root Admin

No, ignore those items quarantined. They are PUP (Possibly Unwanted Programs) and do not belong on your computer.

Yes, the default folder path for those other files is C:\Windows\System32\drivers

But sometimes those drivers are hidden and cannot be seen from within a running copy of Windows.

We can run another antivirus scanner though and see if it finds any other issues for us.

 

 

Please download and run the following Kaspersky Virus Removal Tool 2020 and save it to your Desktop.

(Kaspersky Virus Removal Tool version 20.0.10.0 was released on November 9, 2021)

Download: Kaspersky Virus Removal Tool

How to run a scan with Kaspersky Virus Removal Tool 2020
https://support.kaspersky.com/15674

How to run Kaspersky Virus Removal Tool 2020 in the advanced mode
https://support.kaspersky.com/15680

How to restore a file removed during Kaspersky Virus Removal Tool 2020 scan
https://support.kaspersky.com/15681

 


Select the Windows Key and R Key together; the "Run" box should open.

Drag and drop KVRT.exe into the Run box.

C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the Run box.

Add -dontencrypt. Note the space between KVRT.exe and -dontencrypt.

C:\Users\{your user name}\DESKTOP\KVRT.exe -dontencrypt should now show in the Run box.

That addendum to the run command is very important: when the scan does eventually complete the resultant report is normally encrypted; with the extra switch it is saved as a readable file.

Reports are saved here: C:\KVRT2020_Data\Reports and look similar to this: report_20210123_113021.klr
Right-click directly onto that report, select > Open with > Notepad. Save that file and attach it to your reply.

To start the scan select OK in the "Run" box.

An EULA window will open; tick all confirmation boxes then select "Accept".

In the new window select "Change Parameters".

In the new window ensure all selection boxes are ticked, then select "OK". The scan should now start...

When complete, if entries are found there will be options; if "Cure" is offered leave as is. For any other options change to "Delete" then select "Continue".

When complete, or if nothing was found, select "Close".

Attach the report information as previously instructed...

Thank you

  • Root Admin

Yes, that's okay. Those are processes that are running normally.

I don't believe the computer is infected, but since you're wanting to run scans to check or double-check I'm providing such scans for you.

 

 

Let me have you run a different scanner to double-check. I don't expect it to find anything, but no harm in checking.

I would suggest a free scan with the ESET Online Scanner

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe"
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started.
  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes
  • When prompted for scan type, click on Full scan
  • Look at & tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.
  • Have patience. The entire process may take an hour or more. There is an initial update download.
  • There is a progress window display.
  • You should ignore all prompts to get the ESET antivirus software program (e.g. their standard program). You do not need to buy or get or install anything else.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked “View detected results”.
  • Click the blue “Save scan log” to save the log.
  • If something was removed and you know it is a false finding, you may click on the blue “Restore cleaned files” (in blue, at the bottom).
  • Press Continue when all done. You should click to turn off the offer for “periodic scanning”.

 

Note: If you do need to do a File Restore from ESET please follow the directions below

[KB2915] Restore files quarantined by the ESET Online Scanner version 3

https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner

 


  • Root Admin

Overall things look much better. Let me have you run the following @Welcomeccl

SecurityCheck by glax24

I would like you to run a tool named SecurityCheck to inquire about the current security update status of some applications.

  • Download SecurityCheck by glax24: https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
  • If Microsoft SmartScreen blocks the download, click through to save the file
  • This tool is safe. SmartScreen is overly sensitive.
  • If SmartScreen blocks the file from running click on More info and Run anyway
  • Right-click with your mouse on the SecurityCheck.exe and select "Run as administrator" and reply YES to allow it to run & go forward
  • Wait for the scan to finish. It will open a text file named SecurityCheck.txt. Close the file. Attach it with your next reply.
  • You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

 

Thank you

  • Root Admin

Please update, uninstall, or otherwise address the following as appropriate for your system.

 


------------------------------ [ ArchAndFM ] ------------------------------

WinRAR 6.02 (64-位) v.6.02.0 Warning! Download Update


-------------------------- [ IMAndCollaborate ] ---------------------------

Microsoft Teams v.1.5.00.11163 Warning! Download Update

Zoom v.5.9.1 (2581) Warning! Download Update

 


-------------------------------- [ Media ] --------------------------------

K-Lite Codec Pack 16.0.5 Basic v.16.0.5 Warning! Download Update


--------------------------- [ AdobeProduction ] ---------------------------


Adobe Acrobat 5.0 Warning! This software is no longer supported. Please uninstall it and use Adobe Acrobat DC.


---------------------------- [ UnwantedApps ] -----------------------------
CCleaner v.6.03 Warning! Suspected demo version of anti-spyware, driver updater or optimizer. If this program is not familiar to you it is recommended to uninstall it and execute PC scanning using Malwarebytes Anti-Malware. Possible you became a victim of fraud or social engineering. Computer experts no longer recommend this program.
----------------------------- [ End of Log ] ------------------------------

 

 

 

 

Then click on START and type in "Check for updates" and allow Windows to scan for and install any updates found.

 

Keep me posted on the status

 

Thanks

 


  • Root Admin

All the scans look to be clean at this point. The computer is not showing signs of an infection.

 

Let's go ahead and do some clean-up work and remove the tools and logs we've run.

Please download KpRm by kernel-panik and save it to your desktop.

  • Right-click kprm_(version).exe and select Run as Administrator.
  • Read and accept the disclaimer.
  • When the tool opens, ensure all boxes under Actions are checked.
  • Under Delete Quarantines select Delete Now, then click Run.
  • Once complete, click OK.
  • A log will open in Notepad titled kprm-(date).txt.
  • Please attach that file to your next reply. (not compulsory)

 

  1. Recommend using a Password Manager for all websites, etc. that require a password. Never use the same password on more than one site.
    https://www.howtogeek.com/240255/password-managers-compared-lastpass-vs-keepass-vs-dashlane-vs-1password/
  2. Make sure you're backing up your files https://forums.malwarebytes.com/topic/136226-backup-software/
  3. Keep all software up to date - PatchMyPC - https://patchmypc.com/home-updater#download
  4. Keep your Operating System up to date and current at all times - https://support.microsoft.com/en-us/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2
  5. Further tips to help protect your computer data and improve your privacy: https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/ 
  6. Please consider installing the following Content Blockers for your Web browsers if you haven't done so already. This will help improve overall security

Malwarebytes Browser Guard

uBlock Origin

 

Further reading if you'd like to keep up on the malware threat scene: Malwarebytes Blog  https://blog.malwarebytes.com/

Hopefully, we've been able to assist you with correcting your system issues.

Thank you for using Malwarebytes

 
