
Did a factory reset after Windows defender detected a trojan, am I clean?


Solved by AdvancedSetup


I noticed some weird behavior on my PC, some odd popups and whatnot. I ran a full scan with Windows Defender and it found a trojan. The software seemed to be messing with Windows Defender because there was nothing in Protection History and my settings kept being changed for Windows Defender. I did a Malwarebytes scan at the time, and it did not detect anything. This PC is mainly used for gaming, so I decided to just do a factory reset with the Dell SupportAssist OS Recovery. I used a USB to back up some files while in recovery mode, and reset the OS, opting to delete all settings and data.

After the reset, my C: drive was reset but my D: drive was not. I manually deleted everything on there. Some things must have remained because my background image is still the same. Scans show up clean on both Windows Defender and Malwarebytes. I have, however, noticed that periodic scanning keeps being turned off.


Is this behavior malicious? How do I know that I am clean?

Regarding the USB files, is it safe to return them to my computer? I moved them over to my MacBook.

I did both a standard and full scan using Malwarebytes and have both logs attached.

 

Thanks in advance.

FRST.txt Addition.txt scan.txt full_scan.txt


Thank you for your help! Should I be worried that the D: drive was not formatted, and format it then do another factory reset?

How do I tell if the USB files are safe? I don't want to submit it to virus total as some documents are sensitive.


6 minutes ago, Canvas said:

Should I be worried that the D: drive was not formatted

No.

You can format D from within Windows if you have not done that already.

 

7 minutes ago, Canvas said:

How do I tell if the USB files are safe?

Scan them with Windows Defender/Security.

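One way to do both checks from the command line, covering the questions in the opening post (Defender settings being changed, periodic scanning turning off, how to know the machine is clean) and the advice just above to scan the USB files with Windows Security. This is an added example, not code from the thread or from Malwarebytes; it assumes an elevated PowerShell on Windows 10 or 11 with the built-in Defender module, and the folder path is a placeholder.

```powershell
# Added example (not from the forum post): check Windows Defender's state and
# scan the files copied back from the USB stick without uploading them anywhere.
# Assumptions: elevated PowerShell on Windows 10/11 with the Defender module;
# $RestoredFiles is a hypothetical location for the files restored from the USB.
$RestoredFiles = 'C:\Users\Canvas\Documents\FromUSB'   # assumed path

# 1. Is the engine actually the active antivirus, and is Tamper Protection on?
#    AMRunningMode is "Normal" when Defender is primary; the Passive modes mean
#    another antivirus is registered with Windows Security, which is the only
#    situation in which the "Periodic scanning" toggle exists at all.
Get-MpComputerStatus |
    Select-Object AMRunningMode, AntivirusEnabled, RealTimeProtectionEnabled,
        IsTamperProtected, AntivirusSignatureLastUpdated, QuickScanEndTime, FullScanEndTime

# 2. Preferences that malware likes to flip: real-time monitoring off, script
#    scanning off, or broad exclusions that hide a folder from every scan.
$pref = Get-MpPreference
[pscustomobject]@{
    DisableRealtimeMonitoring = $pref.DisableRealtimeMonitoring
    DisableBehaviorMonitoring = $pref.DisableBehaviorMonitoring
    DisableScriptScanning     = $pref.DisableScriptScanning
    ExclusionPath             = ($pref.ExclusionPath      -join '; ')
    ExclusionProcess          = ($pref.ExclusionProcess   -join '; ')
    ExclusionExtension        = ($pref.ExclusionExtension -join '; ')
}

# 3. Detection history as Defender recorded it. Protection History in the UI is
#    a view over this data; an empty list here after the UI showed a detection
#    is itself worth noting.
Get-MpThreat | Select-Object ThreatID, ThreatName, SeverityID, IsActive
Get-MpThreatDetection |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object InitialDetectionTime, ThreatID, ProcessName, Resources, ActionSuccess |
    Format-Table -AutoSize

# 4. Scan only the restored folder. Start-MpScan blocks until the scan finishes;
#    anything found shows up in Get-MpThreatDetection afterwards.
Start-MpScan -ScanType CustomScan -ScanPath $RestoredFiles

# 5. Record SHA-256 hashes of every restored file. A hash can be searched on
#    VirusTotal without uploading the document, so sensitive files stay private.
Get-ChildItem -Path $RestoredFiles -Recurse -File |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv -Path (Join-Path $env:USERPROFILE 'Desktop\usb-hashes.csv') -NoTypeInformation
```

The Periodic scanning toggle is off by default and only appears when a third-party antivirus is registered with Windows Security, so a Normal running mode with real-time protection and Tamper Protection on is the state to confirm first. Looking up a hash rather than uploading the file answers the concern about sensitive documents: nothing leaves the machine except the fingerprint.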

I have formatted the D: drive and am scanning the files I saved from the USB. Thank you for your help.

So based on your responses, I don't have anything to worry about, correct?

What are the normal symptoms of malware infection that I should look out for in the future?


  • Root Admin

Please run the following ESET Online Scanner and perform a Full Scan @Canvas

 

Click the following link to save the installer for ESET Online Scanner

https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe".
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double-click it to get started.
  • When presented with the initial ESET screen, click on "Get Started". Read and accept the Terms of Use.
  • On the "Before we start..." screen choose if you want to send anonymous data and if you want to provide feedback or not, then click Continue.
  • When prompted for scan type, click on the Full Scan button.
  • Enable (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click the Start scan button.
  • Have patience. The entire process may take a few hours or more.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked "View detected results".
  • Click the blue "Save scan log" to save the log and give it a name and location you remember.
  • If something was removed and you know it is a false positive, you may click on the blue "Restore cleaned files" (in blue, at the bottom).
  • Press Continue when all done. You should click to turn off the offer for "periodic scanning".
  • Enable "Delete application data on closing". You do not need to submit feedback unless you want to. Simply ignore and close the program.

 

Note: If you do need to do a File Restore from ESET please follow the directions below

[KB2915] Restore files quarantined by the ESET Online Scanner version 3

https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner

 

Please attach the ESET scan log you saved at the end to your next reply

 


  • Root Admin

Good, let's go ahead and run the following

 

Microsoft Safety Scanner

Please make sure you exit out of any other program you might have open so that the sole task is to run the following scan.
That goes especially for web browsers: make sure all are fully exited, and that messenger programs are exited and closed as well.

STEP 1

Please set File Explorer to SHOW ALL folders, all files, including hidden ones.  Use OPTION ONE or TWO of this article

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

STEP 2

I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on the Scan Options & select the FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

  • Once you see it has started, take a long long break;  walk away.  Do not pay credence if you see some intermediate early flash messages on the screen display.  The only things that count are the End result at the end of the run.
  • The scan will take several hours.  Leave it alone. It will remove any other remaining threats as it goes along.  Take a very long break, do your normal personal errands .....just do not use the computer during this scan.

This is likely to run for many hours as previously mentioned  ( depending on the number of files on your machine & the speed of the hardware.)

The log is named MSERT.log and it will be at C:\Windows\debug\msert.log

Please attach that log with your next reply.

 

 

It is normal for the Microsoft Safety Scanner to show detections during the scan process. It is scanning for basically all breadcrumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.

Then it writes into the log on your computer what it found.

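The same two steps done from an elevated PowerShell, as an added example that is not part of the post above. It assumes MSERT.exe has already been downloaded from the Microsoft page linked above into the Downloads folder, and that the /F and /Q switches select a full scan with no UI (run msert.exe /? to confirm on your copy). The keyword pattern used to search the log is a guess at its wording, so read the tail of the log yourself as well.

```powershell
# Added example (not from the post): STEP 1 and STEP 2 of the procedure above.
# Assumptions: elevated PowerShell; MSERT.exe already saved to Downloads from the
# Microsoft page linked in the post; /F = full scan and /Q = quiet are assumed
# switches (check "msert.exe /?"); the log keywords below are a guess.

# STEP 1: make File Explorer show hidden and protected system files, and never
# hide extensions. These are the registry values the Folder Options dialog sets.
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $adv -Name Hidden          -Value 1   # show hidden items
Set-ItemProperty -Path $adv -Name ShowSuperHidden -Value 1   # show protected OS files
Set-ItemProperty -Path $adv -Name HideFileExt     -Value 0   # always show extensions
Stop-Process -Name explorer -Force   # Winlogon restarts the shell with the new settings

# STEP 2: run the Safety Scanner as a full scan and wait for it to finish.
# Expect this to take hours; leave the machine alone while it runs.
$msert = Join-Path $env:USERPROFILE 'Downloads\MSERT.exe'
if (-not (Test-Path $msert)) { throw "MSERT.exe not found at $msert" }
$proc = Start-Process -FilePath $msert -ArgumentList '/F', '/Q' -Wait -PassThru
"MSERT exit code: $($proc.ExitCode)"

# The log named in the post. Show the end of it, then any line that looks like
# a detection or removal (pattern is assumed; confirm against the full log).
$log = 'C:\Windows\debug\msert.log'
Get-Content -Path $log -Tail 40
Select-String -Path $log -Pattern 'threat|infected|removed' |
    ForEach-Object { $_.Line }
```

Attach the whole msert.log to the reply rather than the filtered lines; as the post says, the intermediate detections the scanner prints are not the verdict, only the end of the log is.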

  • Root Admin

That's good. Okay, please run the following

 

SecurityCheck by glax24

I would like you to run a tool named SecurityCheck to inquire about the current security update status of some applications.

  • Download SecurityCheck by glax24: https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
  • If Microsoft SmartScreen blocks the download, click through to save the file.
  • This tool is safe. SmartScreen is overly sensitive.
  • If SmartScreen blocks the file from running, click on More info and Run anyway.
  • Right-click with your mouse on SecurityCheck.exe and select "Run as administrator" and reply YES to allow it to run and go forward.
  • Wait for the scan to finish. It will open a text file named SecurityCheck.txt. Close the file. Attach it with your next reply.
  • You can find this file in a folder called SecurityCheck: C:\SecurityCheck\SecurityCheck.txt

 


 

Thank you

 

 


  • Root Admin

Please uninstall, update, or otherwise address the following

Dell SupportAssist v.3.13.0.236 Warning! Download Update
Microsoft Teams v.1.5.00.30767 Warning! Download Update

 

Once that has completed, please restart the computer. Then check for Windows Updates and install any security updates found.

 

Keep me posted, please

 


  • Root Admin

What about Windows Updates?

How is the computer running now?

Let's do a Clean Removal and reinstall of Malwarebytes if you're still having issues with the program.

 

 

Can you please do the following?

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click the CLEAN button and follow the onscreen instructions to reinstall Malwarebytes
  • NOTE: Please have patience as it can take a while to remove and reinstall.
  • Once the reinstall has completed, please restart the computer

After the restart please do the following

Open Malwarebytes, go to Settings, General, click to check for updates, then from the main screen, run a new Threat Scan and post back that new log.

 

Thank you

 


  • Root Admin

Probably not, we'll have to check a bit further. Let me get a new set of logs please.

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

Thank you

 

 


  • Root Admin

This is showing in the Event Logs

 

==================== Faulty Device Manager Devices ============

Name: DellInstrumentation Device
Description: DellInstrumentation Device
Class Guid: {e1c7dabe-63de-4630-a4de-a4adc0503be3}
Manufacturer: Dell Technologies
Service: DellInstrumentation
Problem: : This device is not working properly because Windows cannot load the drivers required for this device. (Code 31)
Resolution: Update the driver

 

 

Then you have the following. Did you update the Network Drivers earlier today?

Application errors:
==================

Error: (01/19/2023 12:26:42 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: xTendUtility.exe, version: 2.0.11.0, time stamp: 0x5daf3397
Faulting module name: xTendUtility.exe, version: 2.0.11.0, time stamp: 0x5daf3397
Exception code: 0xc0000409
Fault offset: 0x000000000004b79d
Faulting process id: 0x1670
Faulting application start time: 0x01d92ba514791e52
Faulting application path: C:\Windows\System32\drivers\RivetNetworks\Killer\xTendUtility.exe
Faulting module path: C:\Windows\System32\drivers\RivetNetworks\Killer\xTendUtility.exe
Report Id: 97e75949-a15b-4cfd-bc91-5cdc93c868e4
Faulting package full name:
Faulting package-relative application ID:

Error: (01/19/2023 11:43:42 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: FirmwareTPM.exe, version: 1.1.1.1, time stamp: 0x63a4510c
Faulting module name: VCRUNTIME140.dll, version: 14.32.31332.0, time stamp: 0x4fbfc837
Exception code: 0xc0000005
Fault offset: 0x0000341e
Faulting process id: 0x33ac
Faulting application start time: 0x01d92b9f1420f25e
Faulting application path: C:\Windows\TEMP\inv8364_tmp\FirmwareTPM\FirmwareTPM.exe
Faulting module path: C:\Windows\SYSTEM32\VCRUNTIME140.dll
Report Id: 53f08d1c-d46c-406d-8842-8592b00421d0
Faulting package full name:
Faulting package-relative application ID:

Error: (01/19/2023 11:43:20 AM) (Source: MsiInstaller) (EventID: 1013) (User: NT AUTHORITY)
Description: Product: Killer Ethernet Performance Driver Suite UWD -- A newer version of this application is already installed on this computer. If you wish to install this version, please uninstall the newer version first. Click OK to exit the wizard.

Error: (01/19/2023 11:42:46 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: FirmwareTPM.exe, version: 1.1.1.1, time stamp: 0x63a4510c
Faulting module name: VCRUNTIME140.dll, version: 14.32.31332.0, time stamp: 0x4fbfc837
Exception code: 0xc0000005
Fault offset: 0x0000341e
Faulting process id: 0x2b7c
Faulting application start time: 0x01d92b9ef2ce68aa
Faulting application path: C:\Windows\TEMP\invA940_tmp\FirmwareTPM\FirmwareTPM.exe
Faulting module path: C:\Windows\SYSTEM32\VCRUNTIME140.dll
Report Id: b4b825b3-78c2-44b7-ae19-066838a8d5ec
Faulting package full name:
Faulting package-relative application ID:

 

 

Maybe see if you can run the Dell SupportAssist tool again and have it double-check for any updates.

 

Please save the attached FIXLIST.TXT file as before to the same location as the Farbar program.

Then run Farbar with Admin rights and click on the FIX button.

fixlist.txt

Post back the new FIXLOG.TXT file.

 

 

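The two checks the reply above is based on, the faulty-device list and the Application Error events, can be pulled directly with PowerShell instead of reading them out of an FRST log. This is an added example, not code from the thread or from the FRST tool; it assumes an elevated PowerShell, the look-back window is a placeholder, and the regular expressions match the standard wording of Event ID 1000 shown above.

```powershell
# Added example (not from the post): reproduce the event-log triage from an
# elevated PowerShell. Assumptions: $Days is a hypothetical look-back window;
# the regexes match the standard "Application Error" 1000 message text.
$Days = 7

# 1. Devices that Device Manager flags with a problem code (Code 31 above).
Get-PnpDevice -PresentOnly -Status Error |
    Select-Object Status, Class, FriendlyName, InstanceId, Problem |
    Format-Table -AutoSize

# 2. Application crashes (Event ID 1000) and where the crashing binary lived.
$crashes = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Application Error'
    Id           = 1000
    StartTime    = (Get-Date).AddDays(-$Days)
} -ErrorAction SilentlyContinue | ForEach-Object {
    $m = $_.Message
    [pscustomobject]@{
        Time      = $_.TimeCreated
        App       = [regex]::Match($m, 'Faulting application name: ([^,]+)').Groups[1].Value
        Module    = [regex]::Match($m, 'Faulting module name: ([^,]+)').Groups[1].Value
        Exception = [regex]::Match($m, 'Exception code: (0x[0-9a-fA-F]+)').Groups[1].Value
        AppPath   = [regex]::Match($m, 'Faulting application path: (.+)').Groups[1].Value.Trim()
    }
}
$crashes | Format-Table -AutoSize

# 3. Executables that crashed while running from a temp directory get a second
#    look. Installers and inventory tools stage there legitimately (the
#    FirmwareTPM.exe entries above may well be that), but so does malware, so
#    check whether the file still exists and who signed it.
$tempRoots = @("$env:SystemRoot\TEMP", $env:TEMP, "$env:LOCALAPPDATA\Temp") | Select-Object -Unique
$crashes | Where-Object {
    $p = $_.AppPath
    ($tempRoots | Where-Object { $p -like "$_\*" }).Count -gt 0
} | ForEach-Object {
    $sig = if (Test-Path -LiteralPath $_.AppPath) { Get-AuthenticodeSignature -FilePath $_.AppPath } else { $null }
    [pscustomobject]@{
        Time      = $_.Time
        App       = $_.App
        AppPath   = $_.AppPath
        StillThere = [bool]$sig
        Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(file gone or unsigned)' }
        SigStatus = if ($sig) { $sig.Status } else { '' }
    }
} | Format-List
```

A temp-path crash whose file has already been deleted, as an installer's staging directory normally is, cannot be signature-checked after the fact; the useful evidence is then the timestamp next to whatever update or installer ran at that moment, which is why the reply asks whether the network drivers were updated that day.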

When I tried to update SupportAssist, I assumed I would be able to do so through another application, "Dell Update". This updated a driver; from memory it was related to the Killer audio driver. Dell SupportAssist currently says I have no updates.

When I restart after the fix the popup doesn't appear anymore. Fixlog.txt

 

Thank you so much for your help and patience. I've subscribed to premium to support Malwarebytes. It's amazing this service exists for free.


  • Root Admin

How is the computer running now?

If no obvious issues, perhaps run it for a couple days and reboot a couple times and see how it works.

Then run the Farbar scanner again and post back new logs and we'll see if any new Events are being logged or not.

 
