
persistent process with a space named "RuntimeBroker .exe"


Matteo1

Hello, I picked up a USB shortcut virus on a pen drive and unfortunately I infected 2 pcs!

It all started when I connected my USB pen to my pc (the pen drive had been connected to a school pc that morning): the pen drive contained a fictitious link to the pen itself, without showing the files on it. I clicked on the link and a Windows User Account Control message appeared in the name of "Runtime Broker". When I clicked "No", the message kept appearing over and over again and I couldn't do anything. I finally pressed the "Yes" button... This installed a virus (malware/rootkit?) on my pc: I found out it replicates in "C:\Windows\RuntimeBroker .exe", but after quitting the related process in Task Manager ("Runtime Broker (32 bit)") and deleting the file in C:\Windows, at the next reboot the process and the file are back, and so is the link on the USB drive. So there must be another file or key which produces the fictitious "Runtime Broker" at every reboot of the computer (and is also able to infect connected USB drives). I scanned the pc with Windows Defender, Malwarebytes, ESET NOD32 and UnHackMe: none of them is able to detect the virus at the root of the infection!

Please kindly help me find a solution to disinfect my pcs 🙏

I think it is the same situation as in this topic, but the file "Fixlist.txt" posted in the solution isn't available: Super resilient Malware or something...PLEASE, help with fixlist! - Resolved Malware Removal Logs - Malwarebytes Forums.

Thank you for the help and time.

 


Hello

I will guide you along on looking for remaining malware. Lets keep these principles as we go along.

  • Removing malware can be unpredictable
  • Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Only run the tools I guide you to.
  • Do not run online games while case is on-going. Do not do any free-wheeling web-surfing.
  • The removal of malware isn't instantaneous, please be patient.
  • Cracked or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also a big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
  • Please stick with me until I give you the "all clear".
  • If your system is running Discord, please be sure to Exit out of it while this case is on-going.
  • Be sure to put that USB-pen-drive away to the side.
  • Only one pc to a case please. Pick one pc, which we will work on here.

As a next step, I suggest the following:

This is for a scan with ESET Onlinescanner (free). ESET is a well-respected, well-known entity and tool.

This here you can start & once it is under way, you can leave the machine alone & let it run over-night. No need to keep watch once it starts the actual scan run.

Next, This will be a check with ESET Onlinescanner for viruses, other malware, adwares, & potentially unwanted applications.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

It will start a download of "esetonlinescanner.exe"

  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started.

 

  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes
  • When prompted for scan type, Click on FULL scan  
  • Look at & tick ( select ) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"
  • and click on Start scan button.

Have patience. The entire process may take an hour or more. There is an initial update download.
There is a progress window display. You may step away from the machine & let it be. That is, once it is under way, you should leave it running. It will run for several hours.

  • At screen "Detections occurred and resolved" click on blue button "View detected results"
  • On next screen, at lower left, click on blue "Save scan log"
  • View where file is to be saved. Provide a meaningful name for the "File name:"
  • On last screen, set to Off (left) the option for Periodic scanning
  • Click "save and continue"
  • Please attach the report file so I can review

@Matteo1 Notations.

  • Do not attempt to self-medicate on this computer. 
  • Do not do anything on your own without first checking with me and waiting for my guidance. 
  • The trojan pest "runtimebroker" changes & evolves over time as the bad guys do make changes.
  • Do not even consider getting anyone else's "fixlist". The script are customized to the conditions on each machine.
  • Also know that the malware has most likely messed with and neutered the Microsoft Defender antivirus.
  • I will custom guide you. Please have much patience.
  • Do not do any web surfing. No social media. No shopping. No banking. Stay out of Discord or any other instant messenger-app.


For AFTER the Eset Onlinescanner has finished
Please continue to have much patience. There is not a single-shot quick solution for this malware.
Plus it takes a few other additional scans in order to reach a point where we can say that there is no more infection.
I believe you are probably located on the other side of the planet from where I am.
I am listing below 2 or 3 next actions to take

  • If this is a Windows 10 machine:
    Please  set File Explorer to SHOW ALL folders, all files, including Hidden ones.  Use OPTION ONE or TWO of this article
    Please use this Guide

  • IF this is a Windows 11 machine:
  • Take these actions so that Windows 11 is set to show all hidden files and folders.
  • Open File Explorer from the taskbar.

  • Select View > Show > Hidden items.

  • Select View > Show > File name extensions

( Step 3 - this should take something like less than 15-20 minutes)

  • I would like a report set for review. This is a report only.
  • Please download MALWAREBYTES MBST Support Tool 
  • Once you start it click Advanced >>> then Gather Logs
  • Have patience till the run has finished.
  • Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop to your reply..

( Step 2 - this should take something like less than 45-50 minutes or so)

AFTER completing the steps listed above, this is what to do next.
Please run the following custom script. Read all of this before you start. Please Close all open work.

Once the script-run has been completed, please attach the file FIXLOG.TXT to your next reply

Farbar program :  is FRSTENGLISH.exe

Please download the attached fixlist.txt file and save it to Downloads folder

Fixlist.txt < - - -

 

NOTE. It's important that both files, FRSTENGLISH, and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. This will attempt to look for rogue files in 3 specific areas, for files named "runtimebroker".
It will rebuild the Winsock. It will clear out temporary files. Depending on the speed of your computer this fix may take 45-50 minutes or more.

Use File Explorer to go to the Downloads folder

RIGHT-Click on   FRSTENGLISH and select

RUN as Administrator

and reply YES to allow it to go forward to start.

That is important so that this run has Elevated Administrator rights !!

NEXT press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Downloads folder (Fixlog.txt) . Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

The system will be rebooted after the fix has run. Attach FIXLOG.txt with next reply. There will be much more to do later.


Thank you very much @Maurice Naggar for the support! I'm attaching the 3 log files of the scans:

  • scan_report.txt is the report of Eset online scanner (which found nothing)
  • mbst-grab-results.zip from the MBST support tool;
  • Fixlog.txt from Farbar.

Thanks again, I'm waiting for further steps.

scan_report.txt mbst-grab-results.zip Fixlog.txt


Windows Resource Protection: found corrupted files and repaired them.
This here is the second custom-fix-run.
 

Please run the following custom script. Read all of this before you start. Please Close all open work.

Once the script-run has been completed, please attach the file FIXLOG.TXT to your next reply

Farbar program :  is FRSTENGLISH.exe

Please download the attached fixlist.txt file and save it to Downloads folder

Fixlist.txt < - - -

 

NOTE. It's important that both files, FRSTENGLISH, and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Use File Explorer to go to the Downloads folder

RIGHT-Click on   FRSTENGLISH and select

RUN as Administrator

and reply YES to allow it to go forward to start.

That is important so that this run has Elevated Administrator rights !!

NEXT press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Downloads folder (Fixlog.txt) . Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

The system will be rebooted after the fix has run. Attach FIXLOG.txt with next reply. 

( Step 2 )

This next scan will take many many hours because we want to do a Full scan of all drives. It is important to do. 

[  Do a Full scan with Microsoft Defender Antivirus ]

From the Windows Start menu, select Settings, then select Update and Security.

Next, look at the left-side menu & select Windows Security

Next, In Windows Security section: Click on the grey button Open Windows Security

Now, click on the shield Virus and threat protection

Please also note that the Scan options (all) can be displayed by clicking on Scan options.   Click that & select FULL scan  & have it go forward.

Once it has started the scan phase, you can go take a long break.   Let me know the results.


Thank you. There is one executable file named ScreenDim.exe under C:\Program Files (x86)\ScreenDim\ that will need some additional scanning.
Do you happen to know anything about this "Screendim" ?

Overall this custom run is good. My expectation is that there have been no new flagging or mentions by security programs about "runtimebroker".
If today you have some warnings on this machine, then let me know.

I am glad to read just now that the Microsoft Defender antivirus reported no virus, no malware.
For purposes of identification, this Windows machine is the  Inspiron 5570 labeled "DESKTOP-QQA1GSI ".

As to the USB pendrive you mentioned at start of case....I hope it is not attached here. That it is disconnected.
Let me know what you plan to do about that USB. Just be very sure that before you connect it to a machine, you FIRST press and HOLD the SHIFT-key on the keyboard before you begin the slide into the connection and KEEP holding SHIFT until it is fully seated.
Pressing and holding the SHIFT-key that way prevents any applications / executables from auto-launching off the USB.

You would have to scan the USB with several security apps to be sure it has no malicious infectors before using it.
Or perhaps you want to wipe it and just Reformat that USB device.

I am going to list a new scan for this Dell so that we have a further checkup for any leftover malware,

Now a different scan with another security scanner. 

This with Kaspersky KVRT tool.

Download Kaspersky Virus Removal Tool (KVRT) from here: https://www.kaspersky.com/downloads/thank-you/free-virus-removal-tool and save to your Desktop.

Next, Select the Windows Key and R Key together, the "Run" box should open.


Drag and Drop KVRT.exe into the Run Box.


C:\Users\matte\DESKTOP\KVRT.exe will now show in the run box.


add -dontencrypt

Note the space between KVRT.exe and -dontencrypt

C:\Users\matte\DESKTOP\KVRT.exe -dontencrypt 

should now show in the Run box.


That addendum to the run command is very important.


To start the scan select OK in the "Run" box.



The Windows Protected your PC window "may" open, IF SO then select "More Info"


A new Window will open, select "Run anyway"


A EULA window will open, tick both confirmation boxes then select "Accept"


In the new window select "Change Parameters"


 
  • In the new window ensure the following boxes are ticked:
    • System memory
    • Startup objects
    • Boot sectors
    • System drive
  • Then select "OK" and "Start scan".

The Kaspersky tool is very thorough so will take a considerable time to complete, please allow it to finish. Also, while Kaspersky runs do not use your PC for anything else.

  • When completed: If entries are found, there will be options to choose. If "Cure" is offered, leave as it is. For any other options change to "Delete", then select "Continue".
  • Usually, your system needs a reboot to finish the removal process.
  • Logfiles can be found on your system drive (usually C: ), similar to this:

Reports are saved here C:\KVRT_data\Reports and look similar to this report_20230302_103000.klr

  • Right click direct onto those reports, select > open with > Notepad.
  • Save the files and attach them with your next reply

You had mentioned at the start, perhaps you had another Windows machine that was infected ?  Is that right?  If the answer is yes, and you need help on it, then I would suggest you create a new different / separate help request & then bring it to my attention.


Thanks Maurice, unluckily the virus that originates "RuntimeBroker .exe" in C:\Windows and its related process is still there, because these are still present at each reboot of the pc. I have now deleted the file named "ScreenDim" too, but still nothing changed. Nevertheless, Windows Defender found nothing...

Now I'm trying to run even a Kaspersky scan, let's see...


I have questions. (1) What exactly is flagging "runtimebroker"? (2) What is the exact PATH location? (3) One thing you must keep in mind, there is a legitimate system file at c:\windows\system32\runtimebroker.exe

I am trying to get you to  explain just what "security program" has identified a threat, if any. Is it Microsoft Defender ? that would not be so because you had just finished a scan with Microsoft Defender. I await the result from Kaspersky KVRT.


Hi Maurice, I don't know what the verb "flag" means in the computing context. As I wrote, the location of the malicious file "RuntimeBroker .exe" is C:\Windows. This file is of course a virus (I found many other cases on the net, but no solution unfortunately), which is responsible for the creation of a fictitious link of the pen drive itself on the pen drive and is able to replicate itself and infect other pcs through the USB drives. This works exactly as explained in my first message.

Now, I have to say that during the previous scans I deleted this file because I would like the antivirus to detect the original file/key which lies somewhere hidden in the pc and generates the "RuntimeBroker .exe" file in C:\Windows at any reboot of the pc. That's the point, it self-generates and no antivirus till now is able to detect why.

(By the way, even the Kaspersky scan has now ended and has found no malware at all.)

Thank you for your patience, hope there will be a solution!


By "flag" I meant what security program, like Microsoft Defender, or Kaspersky, or ESET or other actual security application has tagged or identified a threat from "runtimebroker.exe"?
I am looking for a real security program to identify the threat and then for it to remove it. Or else, by the use of a custom Fixlist that I relay to you.

Yes, we here know very well there are rogue "runtimebroker" trojans out there. But there is also a valid legitimate one at c:\windows\system32\runtimebroker. However not valid if right at C:\windows folder itself. Please leave the deletion and the guidance to me.

I need you to not manually delete the file. I want to ( if we see the file at C:\window ) to upload a sample up to the Virustotal security website.
This is the link where you can upload a copy.
You go to this link https://www.virustotal.com/gui/home/upload
click on the "Choose file" and follow the standard prompt to navigate to where the c:\windows\runtimebroker.exe is on your machine. Be sure the proper one is selected and upload to that site.
When you get a screen diagnosis, copy the link address and relay that to me in a reply here.

I want us to do the following. These are other measures. And again do NOT delete files on your own, please.
Next action step:
Disable ( turn OFF ) Fast Startup

https://www.windowscentral.com/how-disable-windows-10-fast-startup
Then restart the computer

  • ( Step 2 )

This next tool ought to take something in the range of 15 - 25 minutes tops, depending on hardware speed.
get & run the Malwarebytes MBAR anti-rootkit tool to do 1 run with it.
Disregard the title subject of the topic. Run the MBAR tool as listed here

https://forums.malwarebytes.com/topic/198907-requested-resource-is-in-use-error-unable-to-start-malwarebytes

  • when done, I need the MBAR logs.
  • Upon completion of the scan or after the reboot, two files named mbar-log.txt and system-log.txt will be created.
  • Both files can be found in the extracted MBAR folder on your Desktop.
  • Please attach both files in your next reply.

 

  • ( Step 3 )

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on Scan Options & select  CUSTOM scan  & then select the C drive to be scanned.

Then start the scan. Have lots of patience. Once you start the scan & you see it started, then leave it be.  

  • Once you see it has started, take a long long break;  walk away.  Do not pay credence if you see some intermediate early flash messages on screen display.  The only things that count are the End result at the end of the run.
  • Again, any on-screen display about repeat 'infection' is not to be relied on.  Ignore those.
  • We only rely on the end result that is on the log-report-file.

 

This is likely to run for many hours   ( depending on number of files on your machine & the speed of hardware.)

The log is named MSERT.log  

the log will be at  

Windows\debug\msert.log

Please attach that log with your reply

( Step 4 )

Please run the following custom script. Read all of this before you start. Please Close all open work.

Once the script-run has been completed, please attach the file FIXLOG.TXT to your next reply

Farbar program :  is FRSTENGLISH.exe

Please download the attached fixlist.txt file and save it to Downloads folder

Fixlist.txt < - - -

 

NOTE. It's important that both files, FRSTENGLISH, and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Use File Explorer to go to the Downloads folder

RIGHT-Click on   FRSTENGLISH and select

RUN as Administrator

and reply YES to allow it to go forward to start.

That is important so that this run has Elevated Administrator rights !!

NEXT press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Downloads folder (Fixlog.txt) . Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

The system will be rebooted after the fix has run. Attach FIXLOG.txt with next reply. 

Fixlist.txt


Thank you very much Maurice, here are the results: the link of Virustotal diagnosis on "RuntimeBroker .exe" is https://www.virustotal.com/gui/file/7bc1qk55vk7wjgzg3pmxlh59rv5dlgewd9jem5nrt4wfba2bd674d28b573fba1fdc.

I disabled fast startup. I attach here both the logs by MBAR anti-rootkit tool (mbar-log and system-log), the Microsoft Safety Scanner log (msert.log) and the Farbar log (fixlog.txt).

Thank you, waiting for next steps

Matteo

mbar-log-2023-03-02 (23-37-15).txt system-log.txt msert.log Fixlog.txt


Malwarebytes MBAR anti-rootkit found no threats. The Microsoft Safety Scanner found the remnants of HackTool:Win32/AutoKMS 
This first next step should not take a lot of time.
Sophos scan

You will need to provide Sophos a working email address to get the link to download their tool, please do so.

Sophos Scan & Clean

Download Sophos Free Virus Removal Tool and save it to your desktop.

  • If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....
  • Please close all other open applications and Do Not use your PC whilst the scan is in progress... This scan is very thorough so it may take several hours to complete, please be patient...

Double click the icon and select Run

Click Next

Select I accept the terms in this license agreement, then click Next twice

Click Install

Click Finish to launch the program

  • Once the virus database has been updated click Start Scanning

If any threats are found click Details, then View log file... (bottom left hand corner)

 

Attach the results in your next reply

  • Close the Notepad document, close the Threat Details screen, then click Start cleanup

Click Exit to close the program

 

If no threats were found please confirm that result...

  • The Virus Removal Tool scans the following areas of your computer:
  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable
  • Mapped network drives are not scanned.

Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

 

Saved logs are found under this sub-folder: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs 

Please attach that log on your next reply

( 2 )
One other scan here. We want to scan all of the C drive.

TrendMicro HouseCall scan

https://www.trendmicro.com/en_us/forHome/products/housecall.html

First, Download & Save to your Downloads folder the appropriate HouseCallLauncher
Once the download is complete, go to where the Housecalllauncher is saved & double-click it to start it.

The program will check with TrendMicro & do a update run.

Next it will show the Disclosure window.

Click Next to proceed.

The end user license agreement is presented.   Click the Accept radio button & click Next to proceed.

I suggest a CUSTOM scan on C drive.

IF you wish a Full scan or a Custom scan, first click on the Settings

then you can select which drives you want to include in the scan.


Click Scan now when ready.

The scan progress will then be displayed.   Monitor the progress or just leave it alone until it finishes this phase.

When the scan phase has completed, if any items are tagged, you will see a list, showing  the file & its location, the classification of the threat, the type, risk, and Action option.

If you see an item that you know is safe, you can click the Action  , and select Ignore.

When all done & ready, click the Fix now button.

Note the link to the Virustotal upload does not work for me

 

 
 


Dr.Web CureIt is a free stand-alone tool to check for viruses, trojans, and other malware.

At the initial link you will need to consent to their terms and provide a email address ( to which they send you a download link.)

Link for Dr.Web CureIt . 

You will need to provide a email address & tick the box to agree to their terms. you may abbreviate your name on box for first name, last name. Do provide a valid email address because the download link will be emailed to it.

Once you get a Email from Dr.Web and see the download link, click it to begin. Then on next prompt agree to terms & Download.

The download is nearly 265 MB in size. The EXE file will have a name made of a series of random letters and numbers.

IF Edge or Windows Smartscreen prompts you at the download, select KEEP and be sure to SAVE

 

After the download is completed, then close the browser and all other web browsers too.

Use the Windows File Explorer to go to the Downloads folder.

Double-click on the downloaded file to start the tool. ( drweb will randomize the name of the file when you download it )


⦁    You will see a screen similar to this:

 

 
Click the checkboxes to participate & consent, and then click on Continue button.


⦁    Next

 

 
Click on Select objects for scanning
⦁    Next

 
Put a checkmark by clicking on all the boxes    EXCEPT for

"Temporary files"

"System restore points"


Do not select Temporary files or System Restore points.


Then click on Start scanning button

⦁    The scan in progress will be shown like this


 


⦁    IF something is detected, you will see a screen similar to this

 



 
For each item "detected", click on the Action column down arrow, like this
 


Your options will be Cure or Ignore

IF you see an item that you are very sure is ok, then un-check the checkbox for that item.
Typically, you will keep the Cure default.

Then click on the Neutralize button.

 

⦁    When the actions are completed, you will see this



 
⦁    Click on the green Open Report line. It will pop-up the report in NOTEPAD.
Save the report to your desktop. The report will be called Cureit.log
⦁    Close Dr.Web Cureit. 
⦁    Reboot your computer to allow files that were in use to be moved/deleted during reboot. 
⦁    After reboot, attach the log Cureit.log you saved previously in your next reply. 

 

Have patience in all this


A. If you can get a screen-image copy of what you see "as the process" so that I can see what you see, that may help.
B. Cureit reports "There are no infected objects detected".
C. I would like to suggest you do this report run.
 

Create an Autoruns Log:

  • Please download Sysinternals Autoruns from here:   https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
  • Save Autoruns.zip to your computer. Then locate it and extract it to a new folder where you can find and run it.
  • Once it starts you may not be able to easily stop the scan but you can try to press the Escape key on your keyboard.
  • Once scanning is stopped, click on the Options menu at the top of the program and select Scan Options... 
  • Then place a check mark on the following items Verify Code Signatures, Check VirusTotal.com, and Submit Unknown Images
  • Then click the Rescan button. Agree to the VirusTotal EULA
  • Once the new scan has been completed, please click on the File button at the top of the program and select Save, or use the Save icon, and save the Autoruns.arn file to your desktop and close Autoruns.
  • Right-click on the Autoruns.arn file (it will typically be the name of your computer) on your desktop or where you save it, and hover your mouse over Send To and select Compressed (zipped) Folder
  • Attach the Autoruns.zip folder (your computer name.zip) you just created to your next reply.

Other report so I can also review

Please download the correct portable version ( 64-bit) of RogueKiller for your system and save the file to your computer Desktop.

https://www.techspot.com/downloads/5562-roguekiller.html

https://m.majorgeeks.com/files/details/roguekiller.html
 

  • Right-click on the RogueKiller file and select Run as administrator to start the tool.
  • Click Yes to accept the UAC security warning that may appear.
  • Click Accept to agree with the EULA (End User License Agreement) and close the browser tab it will open.
  • Now click the Scan blue button and under the Standard Scan (recommended) click on the Scan button.
  • When the scan is complete, click on Results button. NOTE: DO NOT delete any found entries. All listed entries will be carefully analyzed.
  • Then click on Report button.
  • Click Export button and select "Text file".
  • Give a name to the file such as RKlog.txt and save it to the Desktop or in a location where you can easily find it.
  • Click the Finish button and close RogueKiller window.
  • Attach RKLog.txt with your Reply.
  • Thank you
  • Cheers

2 weeks later...

it is quite normal for a few occurences of files named runtimebroker.exe to be in Windows OS areas like
c:\windows\servicing\lcu\
and
c:\windows\winsxs\
we do not mess with those. Those are both areas where the operating system stores various system updates.

there is a legitimate Windows file named runtimebroker.exe at c:\windows\system32. that is perfectly legit. on windows 10 that file size in decimal is 103,288 bytes

do not mess with that.


I would suggest you cease looking at Task Manager.
The Autoruns report shows no infection.
The Roguekiller report is of no use. Nothing there.

Before this point, I had you run several scans. And as of then, I do not find a current real infection on this machine.
Sorry, but we need to close this case.
Here is a list of all the scans done on this machine:
DrWeb CureIt
Sophos Scan and Clean
Microsoft Safety Scanner MSERT
Malwarebytes MBAR anti-rootkit
TrendMicro Housecall
Kaspersky KVRT
ESET Onlinescanner
Autoruns

You gotta understand, that if there were an actual infection, it would be caught by Microsoft Defender or by Malwarebytes.
I am marking this case for closure.
You can read a bit more about "runtimebroker" at How-to-Geek
https://www.howtogeek.com/268240/what-is-runtime-broker-and-why-is-it-running-on-my-pc/
 

Let's go ahead and do some clean-up work and remove the tools and logs we've run.
Please download KpRm by kernel-panik and save it to your desktop.

  • right-click kprm_(version).exe and select Run as Administrator.
  • Read and accept the disclaimer.
  • When the tool opens, ensure all boxes under Actions are checked.
  • Under Delete Quarantines select Delete Now, then click Run.
  • Once complete, click OK.
  • A log will open in Notepad titled kprm-(date).txt.
  • You may attach that file to your next reply. (not compulsory)

Delete mb-support-1.8.7.918.exe
Delete mbst-grab-results.zip on the Desktop. 


Dear Maurice, I am sorry that you think that no virus exists on my pc, even though I explained clearly what happened to my pc some weeks ago. In my first post on this discussion I described thoroughly the dynamics through which I got the virus on my pc: I caught it from a USB pen that I had used the same morning in a school pc. When I inserted the pen in my pc, I mistakenly pressed "Yes" to a UAC message that appeared after I inserted the pen (because it didn't allow me to press "No" without the UAC message appearing again and again), and the virus stored itself in some mysterious directory of the pc that neither we nor any of the antivirus software we tried were able to discover.

Apparently, there is no way the virus manifests itself on the infected pc, except when inserting another USB pen. In that case, the virus on the pc is able to infect the other pen, and pass itself on to other computers the pen gets connected to (that's how I unluckily infected my other pc).

The evidence that the process "Runtime Broker (32 bit)" is the manifestation of the virus comes from many sources on the net (feedback by other users) and from your own guidance throughout the posts in this discussion:

  1. Note in the last screenshot of Task Manager I attached that the name of the incriminated process is different from the legal, usual one originated by Windows!! In fact, the Windows processes are just called "Runtime Broker" (multiple occurrences, I know it is normal...), but the malicious one has a different name: "Runtime Broker (32 bit)"!!!!
  2. When opening the file path of these processes, the legal Windows processes lie in "C:\Windows\System32" (as you yourself said about these Windows processes), but the file related to the process "Runtime Broker (32 bit)" lies in the path "C:\Windows", which is of course different, as you pointed out!
  3. As you can see from this screenshot, the file originating the malicious process is called "RuntimeBroker .exe": yes, it has a space in the name, that's why I always wrote it like this, while the file at the base of the legal Windows process has no space in the name.
  4. In the "Details" tab of Task Manager, you can better appreciate the difference between the original Windows processes and the malicious one, which again appears with a space in its name!! Once more, opening the path related to that process brings you to the folder "C:\Windows", while the other ones lead to "C:\Windows\System32"!!!!
  5. The specific scan performed on the malicious file by VirusTotal, that you suggested, finds it clean for the majority of the antivirus software, but at least 2 of them report it as malware!

I hope that now you are convinced that I'm not paranoid but a real threat exists on my pcs.

Now, back to the starting point of this story, the problem lies in the fact that every time I reboot the pc, even though I delete both the "Runtime Broker (32 bit)" process and the "RuntimeBroker .exe" file in C:\Windows, the file and its connected process regenerate! So I cannot connect any external device to the pc, unless I want to infect everything. As I said from the beginning, there must be a very well hidden file or key, able to generate the file "RuntimeBroker .exe" in C:\Windows at every single reboot. No antivirus was able to find the very first origin of this, and that's why I think this malware is very very resilient and I am asking for support from the security and malware experts here. Thank you again

Matteo

kprm-20230320112814.txt

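The distinguishing features discussed in the two posts above (a legitimate RuntimeBroker.exe lives only in %SystemRoot%\System32 and is Microsoft-signed, while the suspicious copy sits directly in C:\Windows with a stray space in its name) can be checked mechanically. The following is an added example written for this thread, not a tool from the forum or from Malwarebytes; it assumes Windows PowerShell 5.1 or later run from an elevated prompt so that process image paths are readable, and it only reports, never deletes.

```powershell
# Added example (not from the thread): flag RuntimeBroker look-alikes by file
# name, on-disk location and Authenticode signature. Assumes an elevated
# Windows PowerShell session; the expected legitimate image is
# %SystemRoot%\System32\RuntimeBroker.exe signed by Microsoft Windows.
function Test-RuntimeBrokerImage {
    param([Parameter(Mandatory)][string]$Path)
    $legitDir = Join-Path $env:SystemRoot 'System32'
    $leaf     = [IO.Path]::GetFileName($Path)
    $dir      = [IO.Path]::GetDirectoryName($Path)
    $reasons  = New-Object System.Collections.Generic.List[string]
    # Any whitespace in the file name ("RuntimeBroker .exe") is never legitimate.
    if ($leaf -match '\s')              { $reasons.Add('whitespace in file name') }
    if ($leaf -ine 'RuntimeBroker.exe') { $reasons.Add("unexpected name '$leaf'") }
    if ($dir -ine $legitDir)            { $reasons.Add("unexpected directory '$dir'") }
    if (Test-Path -LiteralPath $Path) {
        # A valid signature chained to a Microsoft Windows signer is required.
        $sig = Get-AuthenticodeSignature -LiteralPath $Path
        if ($sig.Status -ne 'Valid' -or
            $sig.SignerCertificate.Subject -notmatch 'Microsoft Windows') {
            $reasons.Add("signature status $($sig.Status)")
        }
    } else {
        $reasons.Add('file not found on disk')
    }
    [pscustomobject]@{
        Path       = $Path
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = ($reasons -join '; ')
    }
}

function Find-RuntimeBrokerSuspects {
    $hits = @()
    # Running processes whose image name is RuntimeBroker, with or without stray spaces.
    Get-Process | Where-Object { $_.Name -match '^\s*runtimebroker\s*$' -and $_.Path } |
        Select-Object -ExpandProperty Path -Unique |
        ForEach-Object { $hits += Test-RuntimeBrokerImage -Path $_ }
    # Files named RuntimeBroker*.exe sitting directly in %SystemRoot% (the case in this thread).
    Get-ChildItem -LiteralPath $env:SystemRoot -File -Force -Filter 'RuntimeBroker*.exe' |
        ForEach-Object { $hits += Test-RuntimeBrokerImage -Path $_.FullName }
    $hits | Where-Object Suspicious
}

Find-RuntimeBrokerSuspects | Format-Table -AutoSize -Wrap
```

An empty result means every RuntimeBroker image found is in System32 and carries a valid Microsoft signature; anything listed is a candidate to inspect further with Process Explorer or Autoruns rather than to delete by hand.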

Hello. We have run many scanners and checks, and they have indicated no infection. I just have a few suggestions before closing the case and pointing you elsewhere, or otherwise providing the best tips to do a Clean new Windows install from scratch. However, for now a few tips.

First, do a Windows Restart and wait for the system to settle in. From that point on, do NOT play any games of any sort at all. Also, no loose web surfing with web browsers. And stay out of all social media websites or apps as much as possible.

Under NO circumstance use any suspect USB thumb-flash drive. We want to have a fresh startup of Windows with minimal programs running. I have 2 tips here.

( 1 )
There is a better app from Microsoft that will function as a much better replacement for the standard Task Manager that comes packaged with Windows.

It is called Process Explorer. Be really sure that you save the file download to some unique folder of your own naming. That is to say, save the file first to a permanent folder.

MS Process Explorer:
https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer

 

Once it is saved, with the download completed, close the browser window.

Go to where you saved the download. The file is named Processexplorer.zip

Extract all content of that zip file. Be sure all are extracted and that they are in a folder of your choosing.

Double click the file procexp.exe to start Process Explorer.

Look at the menu bar of the program. Select Options, then click on Replace Task Manager.

Process Explorer is far superior to the standard Task Manager. IF you see "runtimebroker.exe" do NOT delete it.

Just use Process Explorer, locate that line, and then look up the Properties of that executable. Just do not Delete. Leave it where it is.

( 2 )

Please set File Explorer to SHOW ALL folders, all files, including Hidden ones. Use OPTION ONE or TWO of this article
Please use this Guide

( 3 )

Download & save a new copy of the tool FRST64.exe from this link. Save it to Downloads 

https://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/ 

Please run the following custom script. Read all of this before you start. Please Close all open work.

Once the script-run has been completed, please attach the file FIXLOG.TXT to your next reply

Please download the attached fixlist.txt file and save it to Downloads folder

Fixlist.txt < - - -

 

NOTE. It's important that both files, FRST64, and fixlist.txt are in the same location or the fix will not work.

Use File Explorer to go to the Downloads folder

RIGHT-Click on   FRST64 and select

RUN as Administrator

and reply YES to allow it to go forward to start.

That is important so that this run has Elevated Administrator rights !!

NEXT press the Fix button just once and wait.

The tool will make a log in the Downloads folder (Fixlog.txt).

The system will be rebooted after the fix has run. Attach FIXLOG.txt with next reply. 

