Super resilient Malware or something...PLEASE, help with fixlist!


Afamocc
Solved by Maurice Naggar


Hello, so I picked up a USB shortcut virus from a pen drive... and now my PC is infected!

No antivirus is doing anything. My malwarebytes is NOT able to find anything. But as you can see from attached screenshot, something is trying to access a website...malwarebytes at least is blocking that.

Anyway it is not able to find the source of it!

Looking at the FRST scans, I believe the virus (or rootkit? malware?) has disabled the antivirus! And other attention points... please find them attached; are you kindly able to provide me a fixlist?

HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiSpyware] Restriction <==== ATTENTION
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiVirus] Restriction <==== ATTENTION

GroupPolicy: Restriction ? <==== ATTENTION
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION

S3 D; \??\C:\Users\asus\AppData\Local\Temp\D.sys [X] <==== ATTENTION

Thanks a lot!!

Screenshot 2022-11-27 180837.png

Addition.txt FRST.txt


Hello :welcome: 

I will guide you along on looking for remaining malware. Let's keep these principles as we go along.

  • Removing malware can be unpredictable
  • Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Only run the tools I guide you to.
  • Do not run online games while case is on-going. Do not do any free-wheeling web-surfing.
  • The removal of malware isn't instantaneous, please be patient.
  • Cracked or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also a big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
  • Please stick with me until I give you the "all clear".
  • If your system is running Discord, please be sure to Exit out of it while this case is on-going.

( 1 )

Please  set File Explorer to SHOW ALL folders, all files, including Hidden ones.  Use OPTION ONE or TWO of this article
Please use this Guide

( 2 )

These are just first steps.

Let's do one scan with Malwarebytes Adwcleaner to check for adwares. Just before pressing that "scan" button, be sure that Chrome & Edge, or other web browser are Closed.

It will not take much time,

First download & save it
guide & download link

Then be sure to close all web browsers after the download & before launching the tool.

Then go to where the EXE file is saved. Start Adwcleaner.
Reply YES at the Windows prompt to allow the program to proceed and make changes. That is the usual Windows security prompt.

When AdwCleaner starts, on the left side of the window, click on “Settings” and then enable these repair actions on that tab-window
by clicking their button to the far-right for ON status

Delete IFEO keys
Delete tracing keys
Delete Prefetch files
Reset Proxy
Reset IE Policies
Reset Chrome policies
Reset Winsock

Now On the left side of the AdwCleaner window, click on “Dashboard” and then click “Scan” to perform a computer scan.

This can take several minutes.
When the AdwCleaner scan is completed it will display all of the items it has found. Click on the “Quarantine” button To remove what it found.

AdwCleaner will now prompt you to save any open files or data as the program will need to close any open programs before it starts to clean. 
Click on the “Continue” button to finish the removal process.

Guide article

Attach the clean log from Adwcleaner when all completed.

( 3 )

This here you can start & once it is under way, you can leave the machine alone & let it run over-night. No need to keep watch once it starts the actual scan run. 

Next, This will be a check with ESET Onlinescanner for viruses, other malware, adwares, & potentially unwanted applications.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

 

It will start a download of "esetonlinescanner.exe"

  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started.

 

  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes
  • When prompted for scan type, Click on Full scan

Look at & tick ( select ) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on Start scan button.

  • Have patience. The entire process may take an hour or more. There is an initial update download.

There is a progress window display. You may step away from machine &. Let it be.  That is, once it is under way, you should leave it running.  It will run for several hours.

  • At screen "Detections occurred and resolved" click on blue button "View detected results"
  • On next screen, at lower left, click on blue "Save scan log"
  • View where file is to be saved. Provide a meaningful name for the "File name:"
  • On last screen, set to Off (left) the option for Periodic scanning
  • Click "save and continue"
  • Please attach the report file so I can review

Clear Maurice. But I think we have a bigger problem: software do NOT show anything.

See attached reports.

Or better, prior to your answer, I had tried MS Safety Scanner. It was detecting lots of problems, but then at the end... ALL GOOD! No problems!
It's like the virus is hijacking these virus removal software... I also had tried the ESET online scanner; will do another scan now, but I don't expect to find something different.

Any chance I could use the FRST fix?

Thanks,

Screenshot 2022-11-27 190206.png

AdwCleaner[S02].txt


I urge you to run the ESET ONLINE scanner.  If you have not run it, do so now.

If you did run ESET, then I need the log from it.


By the way, about what you "saw" on intermediate displays of the Microsoft Safety Scanner,  I would like you to review the remarks by AndyDavid about all that on this Microsoft community venue https://docs.microsoft.com/en-us/answers/questions/326108/mar-1721-msert-detects-items-during-scan-but-at-en.html

Also, the post by EricYin of Microsoft  ( just below that section)
 

if nothing reported in %SYSTEMROOT%\debug\msert.log, that means no infections.

It's only the final report that matters.  For the gory details, see  https://answers.microsoft.com/en-us/protect/forum/protect_scanner-protect_scanning-windows_10/what-is-wrong-with-the-microsoft-safety-scanner/27c95df9-7d49-4d02-b734-bcb16495cfc3?messageId=e199de56-9a50-4cc5-a37a-3a7f2708b093

See also https://support.microsoft.com/en-us/topic/how-to-troubleshoot-an-error-when-you-run-the-microsoft-safety-scanner-6cd5faa1-f7b4-afd2-85c7-9bed02860f1c
 


For after you have caught up with all above.

This next custom-fix is mainly intended to run Windows' SFC & DISM to check the system for integrity. To clear temporary cache on Edge & Chrome & Firefox. To rebuild the Winsock. To attempt to check the system with Microsoft Defender antivirus. It will also attempt to remove a rogue "runtimebroker" executable.

This is not a cure-all. Rather, it is meant as general check & cleanup.

This custom script is for  Afamocc machine  only / for this machine only.

  • Please save the (attached file named) FIXLIST.txt   to the   Downloads   folder


Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this. THIS run will do a Windows RESTART. Once it starts it will auto-close any other running app.

We will use FRST64.exe  on the Downloads folder  {C:\Users\Alex\Downloads\FRST64.exe }    to run a custom script .    The system will be rebooted after the script has run. 

Start the Windows Explorer and then, go  to the Downloads    folder.


RIGHT click on FRST64.exe    and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run.

  •    If the tool warns you the version is outdated, please download and run the updated version.
  • IF Windows prompts you about running this, select YES to allow it to proceed.
  • IF you get a block message from Windows about this tool......

               click line More info information on that screen
               and click button Run anyway on next screen.

  • on the FRST window:

Click the Fix button just once, and wait.

PLEASE have patience when this starts. You will see a green progress bar start. Lots of patience.  Please attach the Fixlog.txt with your next reply. 

Edited by Maurice Naggar
removed 1st fix script

Ergh, a bit sorry but I was in a hurry and I created a fixlist.txt myself, fixlog attached!

However, I ended up damaging the Windows registry and Windows couldn't start. So I restored to a previous restore point (start of month); now it's working again.

So I guess I lost the fixes by FRST, right? I think this because look what MBAM found (attached screenshot).

Please find attached newly generated FRST and Addition.

Attention points I found are now:

GroupPolicy: Restriction ? <==== ATTENTION
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION

S3 D; \??\C:\Users\asus\AppData\Local\Temp\D.sys [X] <==== ATTENTION  NOTE: I CAN'T FIND THIS FILE! And I am able to see hidden ones... do you need to send me an update fixlog?

Anyway, I have run through your previous steps; please also find the ESET report. I know those files and they were not the cause of the problem.
Sorry Maurice for the messy actions, but I was panicking and wanted to act :/ I'll wait for instructions, and eventually the updated fixlog for FRST.

PS: About MSERT, you're right, the file below doesn't show any threat found...very strange cause it was finding many while running ?

%SYSTEMROOT%\debug\msert.log

Thanks so much for the support!!

PPS: anyway, after the system restore, MBAM no longer shows the popup of "website blocked due to riskware". I suppose it was eliminated with the previous fixlist that I made, although I damaged some system files... in fact, the new FRST doesn't show all the ATTENTION points that the previous one did.

Screenshot 2022-11-27 213501.png

Fixlog.txt Addition.txt FRST.txt eset.txt
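The FRST "<==== ATTENTION" lines quoted in the opening post and again in the post above (the two Windows Defender policy restrictions, the GroupPolicy and NTUSER.pol restrictions, and the "S3 D" driver entry marked [X]) can be read mechanically. The script below is an added example for this thread, not FRST's or Malwarebytes' code and not a fixlist; it parses those line shapes from a constructed sample (the thread's own lines plus one invented, harmless driver line) and prints a plain-language reading of each. It assumes the usual reading of FRST service lines (R = running, S = stopped, the digit = Windows start type, "[X]" = FRST could not find the image file on disk); the Finding class, the function names and the "unusual path" heuristic are the example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the FRST "<==== ATTENTION" lines quoted in this thread,
# plus one invented, ordinary driver line that must NOT be flagged.
SAMPLE_LINES = r"""
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiSpyware] Restriction <==== ATTENTION
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiVirus] Restriction <==== ATTENTION
GroupPolicy: Restriction ? <==== ATTENTION
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
S3 D; \??\C:\Users\asus\AppData\Local\Temp\D.sys [X] <==== ATTENTION
R0 okdrv; C:\Windows\System32\drivers\okdrv.sys [12345 2022-01-01] (Example Vendor)
""".strip().splitlines()

# FRST service/driver line: R = running, S = stopped, digit = Windows start type
# (assumed reading of the FRST format; "[X]" means FRST could not find the image file).
SERVICE_LINE = re.compile(r"^([RS])([0-4]) ([^;]+); (.*)$")
DEFENDER_POLICY = re.compile(r"^(HKLM\\SOFTWARE\\[^:]*Windows Defender): \[(\w+)\] Restriction")
POLICY_FILE = re.compile(r"^Policies: (.+?): Restriction")
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "demand", "4": "disabled"}

# Driver images normally live under the Windows directory; a user profile or Temp
# folder is an unusual location (heuristic chosen for this example, not FRST's).
UNUSUAL_PATH_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


@dataclass
class Finding:
    kind: str    # defender_policy | group_policy | policy_file | service
    detail: str  # plain-language reading of the line
    line: str    # the original FRST line


def parse_service(line: str):
    """Split an FRST service/driver line into its fields, or return None."""
    m = SERVICE_LINE.match(line)
    if not m:
        return None
    state, start, name, rest = m.groups()
    path = rest.split(" [")[0]  # everything before the "[size date]" or "[X]" bracket
    return {
        "name": name,
        "running": state == "R",
        "start_type": START_TYPES[start],
        "path": path,
        "file_missing": " [X]" in rest,
        "unusual_path": any(marker in path.lower() for marker in UNUSUAL_PATH_MARKERS),
    }


def triage(lines):
    """Turn the attention-worthy FRST lines into Findings; ordinary lines are skipped."""
    findings = []
    for line in lines:
        line = line.strip()
        if m := DEFENDER_POLICY.match(line):
            key, value = m.groups()
            findings.append(Finding("defender_policy",
                f"{value} is set under {key}: Microsoft Defender is being switched off "
                f"by a policy value, not by the user", line))
        elif line.startswith("GroupPolicy: Restriction"):
            findings.append(Finding("group_policy",
                "local Group Policy restrictions are in place", line))
        elif m := POLICY_FILE.match(line):
            findings.append(Finding("policy_file",
                f"policy file {m.group(1)} is applying restrictions", line))
        elif svc := parse_service(line):
            flagged = "<==== ATTENTION" in line or svc["file_missing"] or svc["unusual_path"]
            if not flagged:
                continue
            parts = [f"{'running' if svc['running'] else 'stopped'} {svc['start_type']}-start "
                     f"service/driver '{svc['name']}' -> {svc['path']}"]
            if svc["file_missing"]:
                parts.append("image file is missing on disk ([X]), so the leftover is the "
                             "registry service entry, not a file you can locate in Explorer")
            if svc["unusual_path"]:
                parts.append("image path is under a user profile or Temp folder, which is "
                             "unusual for a driver")
            findings.append(Finding("service", "; ".join(parts), line))
    return findings


def report(lines) -> str:
    """One line per finding, for reading or pasting into a reply."""
    return "\n".join(f"[{f.kind}] {f.detail}" for f in triage(lines))


if __name__ == "__main__":
    print(report(SAMPLE_LINES))
```

Run against the sample, the "S3 D" line comes out as a stopped, demand-start driver whose image file is already gone, which is why the file cannot be found in Explorer even with hidden files shown: what remains is the service entry in the registry, and that is the kind of leftover a helper's FRST fixlist removes. The invented "R0 okdrv" line is parsed but not reported, so the script only surfaces what needs a human's attention.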


So shocked to read that you went off on your own & it looks like you did a self-fix attempt.

I must remark to not ever do that again all on your own. All expert helpers here, as well as on other recognized forums, have to graduate from a malware removal school -beforehand - all to learn about intricacies of malware, of Windows O.S. and also of the Farbar FRST tool.


Quote: "So shocked to read that you went off on your own & it looks like you did a self-fix attempt."

I know right, as I told you I was panicking...sorry again!

So, since the reports of the scans look done and OK now, can I run your previous fixlist, or do I need a new one now that I restored the system?

Appreciate your help a lot!!


Open an elevated Command-prompt window i.e. run Powershell Prompt as an administrator .

On the Taskbar Search box, type in

cmd.exe

click the line for "run as administrator"


It is best to use the Windows Copy (CTRL+C) and Paste (CTRL+V) for the whole line, as-is.
On that Powershell prompt, Copy & Paste this command

sfc /scannow

press Enter-key on keyboard   and watch & do a screen-grab of the result.

 

We will need to go real slow. I have not yet had time to review your last set of reports.  There will be no rushing about.


This is just housekeeping on a different matter. 

Start Malwarebytes. Click the Settings (gear) icon. Next, let's make real sure that Malwarebytes does NOT register with Windows Security Center.

Click the Security Tab. Scroll down to

"Windows Security Center"

Click the selection to the left  for the line "Always register Malwarebytes in the Windows Security Center".
{ We want that to be set as Off   .... be sure that line's  radio-button selection is all the way to the Left.  thanks. }

This will not affect any real-time protection of the Malwarebytes for Windows    😃.

Close Malwarebytes.



Done Maurice! I have re-done the FRST scan; any chance you could kindly provide the fixlist for that?
I think once that is done, I should be good.

PS: I have a USB pen where I think the problem originated from... I'm scared to connect it to the PC, because I will be reinfected! Any chance to recover it?

Thanks as always!

FRST.txt Addition.txt


  • Solution

This next custom-fix is mainly intended to run Windows' SFC & DISM to check the system for integrity. To clear temporary cache on Edge & Chrome & Firefox. To rebuild the Winsock. To attempt to check the system with Microsoft Defender antivirus.

It is also going to attempt to enable MS Defender antivirus & to run scans with it. It will also attempt to remove a rogue "runtimebroker" executable, which was still reported to be on this machine!!!

This is not a cure-all. Rather, it is meant as general check & cleanup.

This custom script is for  Afamocc machine  only / for this machine only.

  • Please save the (attached file named) FIXLIST.txt   to the   Downloads   folder

Fixlist.txt <<< - - - - -

Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this. THIS run will do a Windows RESTART. Once it starts it will auto-close any other running app.

We will use FRST64.exe  on the Downloads folder  {C:\Users\Alex\Downloads\FRST64.exe }    to run a custom script .    The system will be rebooted after the script has run. 

Start the Windows Explorer and then, go  to the Downloads    folder.


RIGHT click on FRST64.exe    and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run.

  •    If the tool warns you the version is outdated, please download and run the updated version.
  • IF Windows prompts you about running this, select YES to allow it to proceed.
  • IF you get a block message from Windows about this tool......

               click line More info information on that screen
               and click button Run anyway on next screen.

  • on the FRST window:

Click the Fix button just once, and wait.

PLEASE have patience when this starts. You will see a green progress bar start. Lots of patience.  Please attach the Fixlog.txt with your next reply. 

AFTER completing the custom script, then do a new scan with Malwarebytes !!

As to the suspect USB-pen-thumb drive

Keep that as a separate matter altogether. You can scan it with Malwarebytes and with Microsoft Defender antivirus. BUT you must FIRST press and keep holding the SHIFT-key on the keyboard before & during insertion into the USB connection.

That is a must do.  Then, you can bring up Windows File Explorer.  Find and expand the left-side view-tree of Explorer to expand the view.

Then on the right-side, for that DRIVE letter, use the right-side mouse click and select SCAN with Microsoft Defender antivirus

and have Defender scan that drive.

Then again, do the right-click on the drive letter, and select "Scan with Malwarebytes".

Be sure you have any detections removed.


Thank you. The custom-fix run is good. 

Start Malwarebytes. Click the Settings (gear) icon. Next, let's make real sure that Malwarebytes does NOT register with Windows Security Center.

Click the Security Tab. Scroll down to

"Windows Security Center"

Click the selection to the left  for the line "Always register Malwarebytes in the Windows Security Center".
{ We want that to be set as Off   .... be sure that line's  radio-button selection is all the way to the Left.  thanks. }

This will not affect any real-time protection of the Malwarebytes for Windows    😃.

Close Malwarebytes.


( 2 ) Do a custom scan with Microsoft Defender Antivirus

Just want to do a visual check in Windows Security to see (visually) that Microsoft Defender is on , and to do a Custom scan.

From the Windows Start menu, select Settings, then select Update and Security.

Next, look at the left-side menu & select Windows Security

Next, In Windows Security section: Click on the grey button Open Windows Security

Now, click on the shield Virus and threat protection

Look to see that Microsoft Defender is shown & available for use.

On the next display, look at all the options.  Look down the list and see "Check for Updates" .

You should click on that to have the system check for updates for Windows Defender.  Watch & wait for that to complete.

Please also note that the Scan options (all) can be displayed by clicking on Scan options.   Click that & select CUSTOM scan & then pick the C drive  & have it go forward.

Once it has started the scan phase, you can go take a long break.   Let me know the results.


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy Tips to help protect from infection

Thank you


This topic is now closed to further replies.