Jump to content

ShadowHammer on Acer laptop

Go to solution Solved by envirossf,

Recommended Posts

Hi Everyone, 

1st post here, so...    My laptop started acting strange (I'm signed in as local administrator and tried to change to Microsoft administrator in order to set a restore point or backup my work.  Everytime I attempted, a notification stating incorrect password popped up.  I created a new password, but every time I used it and then tried to do something else, the notification popped up again, and told me I had an incorrect password).

I started running virus scans.  I ran an offline Defender scan and it came back warning stating possible hosts file hijack, restart to reset and clear.  I rescanned and checked for issues.  A registry key was listed as hijacked, with 3 registry keys hijacked (attached below)3detect.txt.  I reran scan and issue kept coming back without fixing or removing it.  I started running other virus scans (downloaded from another clean laptop to a flash drive, and used for scan on infected PC)  I ran Malwarebytes and came up with the results listed on the 2nd file listed below.  virus4.txt  I then ran AdwCleaner to try to remove the threats.  The scans came back with no detections.  I then tried the Emisoft Emergency Kit, and the scan came back with no detections.  I then tried the Sophos Scan and Clean.  The scan came back with no detections.  The last one I tried was the ClamWin Portable.  After taking almost all day for it to complete, it came back with 1 detection showing C:\Users\Steven(my actual name)\Documents\Apps&Programs Setups\UnpackedDrivers\ALU3.6.8zip:Win.Rootkit.ShadowHammer-6935338-0.

I googled it and I saw it was a hijacker that was found to infect ASUS laptops and  mess with the user controls.  There was a checker from ASUS that I downloaded, and it came back stating that the checker only worked on ASUS laptops (mine is an ACER).  I looked further and saw that other systems had also been affected, but ACER was not listed.  

I've reached the end of my limited knowledge, and am looking for any suggestions, links, fixes, etc. to get rid of this damn thing.  Any help would be greatly appreciated, as I really don't want to go nuclear, and erase and reset everything. (unless that's the only alternative)  Thanks in advance!

Link to post
Share on other sites

  • Root Admin

Hello  and  :welcome:      @envirossf


My screen name is AdvancedSetup and I will assist you with your system issues.

Let's keep these principles as we proceed. Make sure to read the entire post below first.

  • Please follow all steps in the provided order and post back all requested logs
  • Please attach all log files to your post, unless otherwise requested
  • Temporarily disable your antivirus or other security software first. Make sure to turn it back on once the scans have been completed.
  • Temporarily disable Microsoft SmartScreen to download the software below if needed. Make sure to turn it back on once the scans are completed.
  • Searching, detecting, and removing malware isn't instantaneous and there is no guarantee to repair every system.
  • Before we start, please make sure that you have an external backup, not connected to this system, of all private data.
  • Do not run online games while the case is ongoing. Do not do any free-wheeling or risky web-surfing.
  • Only run the tools I guide you to use. Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Cracked, Hacked, or Pirated programs are not only illegal but also can make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryption. It is at times also a big source of current Trojan infections. If there are any on the system you should uninstall them before we proceed.
  • Please be patient and stick with me until I give you the "all clear". We don't want to waste your time, please don't waste ours.
  • If your system is running Discord, please be sure to Exit it while this case is ongoing.


To begin, please do the following so that we may take a closer look at your installation for troubleshooting. This is a report only.

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to your desktop, please upload that file on your next reply

Thank you


Link to post
Share on other sites

Thanks for responding AdvanceSetup,

I followed all the steps above and am attaching files requested.  Awaiting further instuctions.   BTW., I am communicating on a laptop different from the one being discussed, and all requested files will be copied and transfered to this machine with a usb flash drive.  Sorry, no replicator or transport access available!



Link to post
Share on other sites

  • Root Admin

One of the logs I was looking for looks to have not downloaded (since I believe you have it offline maybe)

Please download the following program and run it on this system and get me the logs



Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

Thank you



Link to post
Share on other sites

  • Root Admin


Please run the following fix. Once the fix has completed, please attach the FIXLOG.TXT to your next reply



Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

NOTE-3: As part of this fix it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Discord cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.




Link to post
Share on other sites

Ok, just so I have this correct before I run it :

I have a FRST folder on my desktop containing the following files:





     -and I added the fixlist.txt here

There are no temp files or residual files on the laptop.

Defender is turned off and I have no special firewall rules

I use BitWarden for my password manager.

All other programs are closed.

I am now ready to open and run the FRST64.exe from this folder location, follow all reboots, and hopefully the issues I've experienced will be resolved.

Does this look correct?  Thanks




Link to post
Share on other sites

  • Root Admin

No problem, I hear you. Some days can be very long.

That run was pretty good. It found and fixed a few issues.

Windows Resource Protection found corrupt files and successfully repaired them.


Let me have you run the following. You can turn of SLEEP and let it run through the night if needed and you need to get some sleep. It's past midnight for me so I'm heading out soon too.



Microsoft Safety Scanner

Please make sure you Exit out of any other program you might have open so that the sole task is to run the following scan.   
That goes especially for web browsers, make sure all are fully exited out of and messenger programs are exited and closed as well


Please set File Explorer to SHOW ALL folders, all files, including hidden ones.  Use OPTION ONE or TWO of this article



I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 



Look on the Scan Options & select the FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

  • Once you see it has started, take a long long break;  walk away.  Do not pay credence if you see some intermediate early flash messages on the screen display.  The only things that count are the End result at the end of the run.
  • The scan will take several hours.  Leave it alone. It will remove any other remaining threats as it goes along.  Take a very long break, do your normal personal errands .....just do not use the computer during this scan.

This is likely to run for many hours as previously mentioned  ( depending on the number of files on your machine & the speed of the hardware.)

The log is named MSERT.log  and the log will be at C:\Windows\debug\msert.log

Please attach that log with your next reply.



It is normal for the Microsoft Safety Scanner to show detections during the scan process. It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.

Then it writes into the log on your computer what it found.



Link to post
Share on other sites

Hi AdvanceSetup,

I ran the MSERT, and after pressing the finish button, it said there were no virus or malware on the computer.  However, during the scan it showed that there were 37 infected files.  I know from reading the info that detections during the scan are most likely caused by fragment of past infections, but does the MSERT remove these fragments or otherwise remediate them?   If not, isn't it possible that hey could still cause issues, even if the MSERT's code tells it the computer is clean?  Also does this tool work as a malware remover along with a detector.  MS doesn't specifically answer the question, or if it does, the method.  Thanks again for your much needed help and patience!

BTW., the log file is attached.


Link to post
Share on other sites

  • Root Admin

No, fragments typically have no danger as long as the payload has been removed. @envirossf

We'll run a couple other antivirus scanners though to make sure all is good.



Let me have you run a different scanner to double-check. I don't expect it to find anything, but no harm in checking.

I would suggest a free scan with the ESET Online Scanner

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe"
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started. 
  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes 
  • When prompted for scan type, Click on Full scan 
  • Look at & tick  ( select )   the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click on the Start scan button.
  • Have patience.  The entire process may take an hour or more. There is an initial update download.
  • There is a progress window display.
  • You should ignore all prompts to get the ESET antivirus software program.   ( e.g. their standard program).   You do not need to buy or get or install anything else.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.
  • Click The blue “Save scan log” to save the log.
  • If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files”  ( in blue, at the bottom).
  • Press Continue when all done.  You should click to off the offer for “periodic scanning”.


Note: If you do need to do a File Restore from ESET please follow the directions below

[KB2915] Restore files quarantined by the ESET Online Scanner version 3



Link to post
Share on other sites

Hi AdvanceSetup,

After our last conversation (on Saturday night), I shut down the laptop, and thought I'd start it up today after a day off watching football.  I have another old Win10 laptop (the one I've been communicating with you on) I used when needed.  Today, when I tried stating the problem one, I got to the log on screen ready to enter my pin and I was unable because it said it didn't recognize me, status 0cx000006d, sub status 0cx00000e5.  I checked and found that this results from a bad windows update situation or something related (my translation).  I have tried getting into startup or safe mode, and I am unable.  I've tried pushing power button on and off, it won't show the screen in order to initiate Safe mode,or get to the troubleshooting or advanced options page.  I tried the task manager, and the blue screen with the limited options popped up.  I chose shutdown, and it took a while but it shut down.  I am trying to figure out how to proceed, as I'm stuck.  I think I may need to just try to reset the problem unit, using this one to transfer all information.  I do have a Cable Matters Easy Computer transfer cable.




Link to post
Share on other sites

Please disregard my last post AdvancedSetup.  I was able to resolve the situation and get the computer running.  Still extremely glitchy though!  Some programs run fine, but windows update page in settings does not show anything, even though offline Defender scan ran fine and came up with no problems.

Anyway, I am now going to try and run the ESET scanner you suggested.  I will post the results when completed.  Thanks

Link to post
Share on other sites

Hi AdvancedSetup,

I ran the ESET scanner and it came up with 8 detected objects, and all were deleted.  I exited the scanner and restarted the computer just to check to see if any issues were reoccurring, but the scan came up with 0 detected objects.  The scan logs are attached.  I will await further instructions, thanks.


Link to post
Share on other sites

  • Root Admin

Hello @envirossf

That log only shows version 8, not detections, unless you saw that in the program.

Not sure why Windows is being problematic at this point.


It's up to you. We can try to continue working on it or you can back up your personal data and do a Clean install of Windows, or an in place upgrade. The clean method would be best but takes longer to get things back how you like them.


If you want the latest Windows 11


Perform clean install of Windows 11 in six different ways


How to Perform a Clean Install Windows 11


Let me know how you'd like to proceed.


Link to post
Share on other sites

I did see it in the program, but the 2nd time it came out with 0 detections, so I believe it fixed whatever issues it found.

As for the reset, I want to stay with Windows 10.  My bad laptop is an Acer that doesn't have a touch screen, but it does have a good SSD.  The one I'm communicating with you on is an ASUS that has an old SATA drive with a battery issue, that only works when the power cord is plugged in.  The Windows 10 install on it runs great though, with no issues.  So I made and ISO that I put on a flash drive that I can use to load the ACER if I decide to wipe it. 

As it is now I have 3 major issues with the current install on the ACER:  1)  The WIndows Update page doesn't show any dialogue other than the Window Update heading.  Underneath that where it normally states "You're up to date", the page is blank and looks like its still loading.  The troubleshooter can't find the issue, so I suspect the files are missing. 2) The task manager page won't load, it says the files are missing or deleted.  3) It won't let me change from a local administrator to a Microsoft account administrator.  It keeps stating that I have an incorrect password, even when I create a new one, have it accepted and try to log in.  I don't know if any of the malware I had deleted these file and the program can find them to replace them on restarts or what.  I've tried all the scannow variations and different windows fixes and nothing seems to work.  My only alternative may be to wipe the drive an use the ISO to start over.

Regardless, I want to thank you for all your time and effort helping me, and you've given me some valuable advice and some different scans I've kept in case I pick up something new after a new install.  (I am going to be a lot more careful watching out for threats, and fortify my system in addition to Defender.)  At least I know where to come now if I have problems.  Thanks again!

Link to post
Share on other sites

  • Root Admin

You can try the following which will keep all your data and programs.

How to Do a Repair Install of Windows 10 with an In-place Upgrade


Or if you want a CLEAN install of Windows 10 you can do the following. You must back up all your personal data as the Clean install will remove all data.


Greg Carmack - MVP 2010-2020 -Clean Install Windows 10

How to Create a Local Account While Setting Up Windows 10


Let me know how you'd like to proceed.


Edited by AdvancedSetup
Updated information
Link to post
Share on other sites

Thanks for the options, but instead of the ISO I was going to use, I decided to try a PC Reset using the cloud option.  I choose the full reset option, not saving my settings and programs, in case any of them were causing the issues I was having.  And by choosing the cloud option, I know I am getting the most current version straight from Microsoft.   As for my programs and files, I have the Easy Computer Sync System, which has a cable that connects 2 PC's, and has programming that allows for transferring files, programs, etc between them.  I have the same programs on both laptops.  Even the same settings for each program.  The only issue I will have (if the rest works properly and the ACER starts up and runs fine!) is restoring all my windows settings, which will still take some time, but a lot less than having to restore everything else.  Thanks again!

Link to post
Share on other sites

  • Root Admin

Okay, probably not the option I would have chosen, but let me know how it works out.

For me, syncing is like bringing full trash cans from your old home to your new home. Myself I'd rather take the time to setup the new home perhaps a bit better knowing some things from the old home just didn't look or work right.

All good though. Let me know how it goes.

I'm heading out soon for the night. Now past midnight for me.





Link to post
Share on other sites

  • Solution

Hi AdvancedSetup,

Well, it's 9:30 pm where I'm at and my ACER is finally set up correctly again.  The reset worked great, the new version of Win10 I downloaded well, with no errors or malware included!  I did take your advice though, and ended up downloading new copies of all my old programs.  Luckily, I was able to sync my Firefox and Chrome setups and replicated them on the new setup.  The worst part was going through all the settings for all the windows components, and changing them how I like them.  Getting rid of all the bloatware that came with the new install took quite a while also.

I did also run several of the scans you gave me including the ESET, MSERT, and Farbar, along with Malwarbytes and Defender.  All came back with no results for malware of any kind.  All the issues I was having are now resolved.  Thanks again for all the time and effort you put in helping me out.  It is very much appreciated!

BTW, I've moved so many times (because of my work, usually) that I kinda like my old garbage cans.  I just like them emptied!

Link to post
Share on other sites

  • Root Admin
5 hours ago, envirossf said:

BTW, I've moved so many times (because of my work, usually) that I kinda like my old garbage cans.  I just like them emptied!

ROFL - Right. 😁 @envirossf



Here is some information to help you better protect your data and privacy. I would highly recommend you get a good backup routine setup for an external USB drive.


  1. Recommend using a Password Manager for all websites, etc. that require a password. Never use the same password on more than one site.
  2. Make sure you're backing up your files https://forums.malwarebytes.com/topic/136226-backup-software/
  3. Keep all software up to date - PatchMyPC - https://patchmypc.com/home-updater#download
  4. Keep your Operating System up to date and current at all times - https://support.microsoft.com/en-us/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2
  5. Further tips to help protect your computer data and improve your privacy: https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/ 
  6. Please consider installing the following Content Blockers for your Web browsers if you haven't done so already. This will help improve overall security

Malwarebytes Browser Guard

uBlock Origin


Further reading if you like to keep up on the malware threat scene: Malwarebytes Blog  https://blog.malwarebytes.com/

Hopefully, we've been able to assist you with correcting your system issues.

Thank you for using Malwarebytes


Link to post
Share on other sites

Hi AdvancedSetup,

Glad I got a smile out of you!   1) I use BitWarden  password manager on all my devices,, love it.

                                                   2)  I've been using PatchMyPC for a while on both laptops.

                                                   3) I've started backing up on a new flash drive, also setting windows system restore points more often.

                                                   4) I'll check out the browser guards you recommend.  I've always found them a bit too restricting in the

                                                         past.  Maybe I just need to adjust the settings better for my uses.                   

                                                    5) I'll definitely be checking out the Malwarebytes blog to keep up better.


BTW, you've been fantastic to work with, many great suggestions,  exceeding my expectations for my first time on this forum!  I'll definitely be coming back to check out all the different topics.  Once more, thanks again!😎

Link to post
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.