persistent process with a space named "RuntimeBroker .exe"


Matteo1
Solved by Maurice Naggar


I list 2 tasks here. The first one is just a quick inquiry report. It should run very very quickly & without a restart.

( 1 )

Please run the following custom script. Read all of this before you start. Please Close all open work.

Please download the attached fixlist.txt file and save it to Downloads folder

Fixlist.txt < - - -

 

NOTE. It's important that both files, FRST64, and fixlist.txt are in the same location or the fix will not work.

Use File Explorer to go to the Downloads folder

RIGHT-Click on   FRST64 and select

RUN as Administrator

and reply YES to allow it to go forward to start.

That is important so that this run has Elevated Administrator rights !!

NEXT press the Fix button just once and wait.

The tool will make a log in the Downloads folder (Fixlog.txt).

The system will be rebooted after the fix has run. Attach FIXLOG.txt with next reply. 

( 2 )

Go to Downloads folder. RIGHT-click on FRST64 and select 

Run as Administrator

and tap ENTER. And reply YES to allow it to proceed.

  •  When the tool opens click Yes to the disclaimer.  And be very sure to TICK the box for Addition.txt
  • Press the Scan button.


  • It will make a log (FRST.txt & Addition.txt) in the same directory the tool is run
  • Have patience since the run may take something like 10 or so minutes  (less depending on your hardware speed)
  • Close Notepad IF those show up in Notepad.
  • Just please Attach the 2 files FRST.txt +Addition.txt  with your next reply.

Thanks for the FRST reports. I regret that we need to run this new one here. The one before unfortunately had 1 typo. This should run (hopefully) quickly & without a restart.

Please run the following custom script. Read all of this before you start. Please Close all open work.

Please download the attached fixlist.txt file and save it to Downloads folder

Fixlist.txt < - - -

 

NOTE. It's important that both files, FRST64, and fixlist.txt are in the same location or the fix will not work.

Use File Explorer to go to the Downloads folder

RIGHT-Click on   FRST64 and select

RUN as Administrator

and reply YES to allow it to go forward to start.

That is important so that this run has Elevated Administrator rights !!

NEXT press the Fix button just once and wait.

The tool will make a log in the Downloads folder (Fixlog.txt).

The system will be rebooted after the fix has run. Attach FIXLOG.txt with next reply. 

IF it does prompt for a RESTART of Windows then do allow it.


Thank you for the report-log. At your next opportunity, look for this ZIP file and attach the file into a reply

D:\Desktop\25.03.2023_22.05.51.zip

By the way, the last run included a run of Windows' System File Checker, and that reported

Windows Resource Protection: No integrity violations found.

Just another reminder: do not make any changes on your own. This next run is just an attempt to find additional information.

  1. Please do this special  search.
  2. There is the FRST64.exe  tool on the Downloads folder. We will use that to do a search.
  3. Find & then start FRST64
  4. Type the following ( better yet, use COPY then Paste) into the search box exactly as shown  
SearchAll: windows\runtimebroker

then press the Search Files button. Please wait while the program searches for all entries relating to this; when done, a search.txt log will be saved to the desktop. Please attach this log to your next reply.

Another request please 

I would like to get a copy of what we placed in Quarantine, from the runs I had you do. Please. 

  • Using Windows File Explorer, Navigate to C:\FRST folder on your system. Expand the folder so you see all contents.
  • Right click on Quarantine > Send to > Compressed (zipped) folder
  • Upload the archive in your next reply

Further notes:

The legitimate Windows runtimebroker.exe is a sort of a mediation aspect-tool of the system. For example, it checks  if an app is declaring all of its permissions. It is also known to be used by the OS when system goes into or out of sleep mode or in power saving. Also with system powerdown. RuntimeBroker.exe seems to be, also,  a go-between for Universal Windows Programs accessing the file system.

The exe that you mention has a space in it. That one needs a bit more detail. IF and only IF you do see that again....

then ....

using Process Explorer, when you see the "runtimebroker .exe" (the one with the space in the filename) in the Processes column, look carefully and get its PID number (that is the process ID number)

then go to an Elevated Powershell prompt and run the inquiry-command listed below
substitute the actual number of your PID number in lieu of 1234 below.  Please remember that !
On the Taskbar Search box, type in

powershell.exe


click the line for "run as administrator". Then enter in the powershell window

gwmi Win32_Process -filter 'processid = 1234' | select ParentProcessId

Then, use that "parentprocessID" number to substitute into nnnn below and type that into the powershell window & tap Enter

Get-Process -ID nnnn | Select-Object *

Then if possible get for me a screen-grab-image  ....use ALT + Prtscrn  ( ALT key + printscreen )
 

Cordialmente

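The two-step lookup above (PID, then parent PID, then Get-Process on the parent) can be done in one pass, and it can also cope with the case where the parent has already exited. The following is an added example for this thread, not a command Maurice posted: it finds any running process whose image name is "runtimebroker" with an embedded space or that is not the copy in System32, walks its parent chain with Get-CimInstance (the current name for gwmi), and reports the on-disk file's size, timestamps, Authenticode status and SHA-256. Run it from an elevated PowerShell window on the affected machine.

```powershell
# Added example (not from the thread): locate a process whose image name
# contains an embedded space, e.g. "RuntimeBroker .exe", walk its parent
# chain, and inspect the on-disk file. Run from an elevated PowerShell.
# Get-CimInstance is the current replacement for gwmi; both work on 5.1.

function Get-SuspectRuntimeBroker {
    # The legitimate binary lives in System32 and has no space in its name.
    $legit = Join-Path $env:SystemRoot 'System32\RuntimeBroker.exe'
    Get-CimInstance Win32_Process |
        Where-Object { $_.Name -match '(?i)^runtimebroker\s*\.exe$' } |
        Where-Object { $_.Name -match '\s' -or ($_.ExecutablePath -and $_.ExecutablePath -ne $legit) }
}

function Get-ParentChain {
    param([Parameter(Mandatory)][uint32]$ProcessId, [int]$MaxDepth = 8)
    $current = $ProcessId          # $pid is an automatic variable, so use another name
    for ($i = 0; $i -lt $MaxDepth -and $current; $i++) {
        $p = Get-CimInstance Win32_Process -Filter "ProcessId = $current"
        if (-not $p) {
            # Parent already exited: typical for a launcher (script host, scheduled
            # task, installer) that spawned the child and then quit. This is the
            # situation where Get-Process -Id <parent> reports "cannot find a process".
            "{0,6}  <no longer running>" -f $current
            break
        }
        "{0,6}  {1,-28} {2}" -f $p.ProcessId, $p.Name, $p.CommandLine
        if ($p.ParentProcessId -eq $p.ProcessId) { break }
        $current = $p.ParentProcessId
    }
}

foreach ($proc in Get-SuspectRuntimeBroker) {
    "=== PID $($proc.ProcessId)  '$($proc.Name)'  path: $($proc.ExecutablePath)"
    Get-ParentChain -ProcessId $proc.ProcessId
    if ($proc.ExecutablePath -and (Test-Path -LiteralPath $proc.ExecutablePath)) {
        # -LiteralPath avoids wildcard handling and is safe with the space in the name.
        $f   = Get-Item -LiteralPath $proc.ExecutablePath
        $sig = Get-AuthenticodeSignature -LiteralPath $proc.ExecutablePath
        "size: $($f.Length)  created: $($f.CreationTime)  modified: $($f.LastWriteTime)"
        "signature: $($sig.Status)  signer: $($sig.SignerCertificate.Subject)"
        "sha256: $((Get-FileHash -LiteralPath $proc.ExecutablePath -Algorithm SHA256).Hash)"
    }
}
```

If the chain stops at "<no longer running>" after one hop, the thing to look for is what launches and exits, which is why a scheduled task or a service with a script interpreter is the next place to check rather than another live process. The hash and the signature status are the two values worth pasting into a reply: a genuine RuntimeBroker.exe is Microsoft-signed and lives only in System32.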

Good morning Maurice, thanks for continuing to follow me in this very insidious case! Here you find attached the files you requested and the output by Windows PowerShell, which unfortunately couldn't find a process with that "parentprocessID" as its ID.

(screenshot attached)

On the other hand, I tried to put in the second string the PID of "RuntimeBroker .exe" in place of the "parentprocessID", and here is what we find out:

(screenshot attached)

Attachments: 25.03.2023_22.05.51.zip, Quarantine.zip, Search.txt


I appreciate getting these files from you. Thank you. It is unfortunate that the "Search" log had no results.
There is a search tool that we will use to look for additional information.
Please download SystemLook (64-bit) by jpshortstuff and save it to your desktop 


Right-click SystemLook_x64.exe and select Run as Administrator to start the tool. 
If prompted by Windows  UAC, please allow it  to run.
If you receive an "Open file - security warning"... asking "Do you want to run this file?", press the Run button.

COPY & paste the entire text into the main text box of SystemLook: 
 

:regfind
runtimebroker
:filefind
runtimebroker*
:process
runtimebroker
:service
runtimebroker

 

Click the Look button to start the scan 
When finished, a notepad window will open with the results of the scan. 
A file will be created (in the same folder where you saved SystemLook) with the results of the scan, named SystemLook.txt
Please attach  this log in your next reply. 


Hello. Remember the "USB" you had mentioned at the start of the case. Make very, very sure that that one is NOT currently connected to this pc. I want you to be sure that that USB is put away. Do not use it.

Please study this article as a guide to make a special USB-drive and to run the Farbar FRST64 report in a special way.
"Run Farbar Recovery Scan Tool - FRST from Recovery Mode on Windows 10"
https://forums.malwarebytes.com/topic/272765-run-farbar-recovery-scan-tool-frst-from-recovery-mode-on-windows-10/

Your Windows is Windows 10 64-bit
So when making the USB with the Media Creation Tool you just want the 64-bit.
You need to have the use of another Windows pc "if possible"  ( with internet connection ) to make / build the USB-thumb-pen-flash drive
You need a USB pen-flash-thumb drive with a capacity minimum of 8 GB. If you have such a USB, keep in mind that it will be over-written, so it should be a new one or else one that can be re-purposed.

The main goal of this exercise is to boot the pc from the special USB, then to get into the Windows Recovery Environment, and from there to make a special run with FRST64
and then later, to post back with attachments of FRST.txt & Addition.txt


I am following the instructions, but when I am into the Windows installing procedure from the USB drive, the combination of shift and F10 keys doesn't return anything, so I am not able to access the command prompt in that way. How should I open it from that screen?

(My pc is a Dell Inspiron 5570)


First, go slow and careful. When you reach this screen

 

(screenshot: Winre-1.png)

Tap on the button NEXT  and wait for this following screen

 

(screenshot: Winre-2.png)

where you will press the R -key on keyboard to select REPAIR your computer

( notice the Repair is the option at bottom of that screen)

which then should get you to the X:\Sources command prompt  ( which is the Windows Recovery Environment)

after which you launch the FRST64

NOTE: On the first screen, obviously you pick your own choice of language. The one shown here is only a sample.


Thanks for the FRST report. I noticed before, and there is now, an application WinSoft Update Service that has lots of Python modules.
What do you know about this?
Is this system used for special research, or software development?
There is a good possibility that the "file at issue" has some association with a Python module.

This report does show a scheduled task associated to that WinSoft Update Service ( uses Python ).
That said, I am not of the opinion that an actual infection is on this system.
I plan to work-up a short custom-fix-script to do a small cleanup.
Keep the special USB made with the Media Creation tool safe. It is a very useful lifesaver. If not already done, Windows should be back in normal mode.


Further to my post above:
This custom-script is mainly to do some housekeeping in the registry and on the Windows Prefetch. There are some 10 registry entries that do not belong, related to Explorer File Extension handling for file extensions

.com
.it
.jpeg
.jpg
.png


This script will also remove copies of runtimebroker in the Windows Prefetch cache. It will also run some new checks with the Windows System File Checker. 
It will also remove the scheduled Task for WinSoft Update Service on the presumption that its use of some Python element is what triggers the exe "runtimebroker^" with embedded space. This should run (hopefully ) quickly. It does do a Windows RESTART at the conclusion.

Please run the following custom script. Read all of this before you start. Please Close all open work.

Please download the attached fixlist.txt file and save it to Downloads folder

Fixlist.txt< - - -

 

NOTE. It's important that both files, FRST64, and fixlist.txt are in the same location or the fix will not work.

Use File Explorer to go to the Downloads folder

RIGHT-Click on   FRST64 and select

RUN as Administrator

and reply YES to allow it to go forward to start.

That is important so that this run has Elevated Administrator rights !!

NEXT press the Fix button just once and wait.

The tool will make a log in the Downloads folder (Fixlog.txt).

The system will be rebooted after the fix has run. Attach FIXLOG.txt with next reply.  
NEXT steps. Very much want to see this system upgraded to the 22H2 build of Windows 10
I would highly suggest ensuring that this pc is all up-to-date + has 22H2. Select the Windows Start button, and then go to Settings > Update & Security > Windows Update, and click Check for Updates.
Have much patience.

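The SystemLook search earlier in the thread (registry, files, processes, services for "runtimebroker") and the custom fix just described (Prefetch copies and the WinSoft Update Service scheduled task) both come down to enumerating a few persistence and artefact locations. The script below is an added example written for this thread, not the SystemLook script or the FRST fixlist; it is read-only and changes nothing, so it can be run before or after a fix to confirm what is present. The search terms "winsoft", "pyt37" and "python" on the scheduled-task check are taken from this thread's findings and are assumptions for any other machine. Save it as a .ps1 and run it from an elevated PowerShell so Prefetch and HKLM are readable; the recursive file walk over C:\Windows and Program Files takes a few minutes.

```powershell
# Added example (not the SystemLook script or the FRST fixlist from the thread):
# a read-only PowerShell triage for a name like "runtimebroker" covering the same
# four areas SystemLook searched (registry, files, processes, services) plus the
# two artefacts the custom fix targeted (Prefetch entries and scheduled tasks).
# It changes nothing. Run elevated.

$Pattern = 'runtimebroker'
$sys32   = Join-Path $env:SystemRoot 'System32'

function Find-Files {
    # Any copy outside System32, or any copy with whitespace in the name, is worth a look.
    $roots = @($env:SystemRoot, ${env:ProgramFiles(x86)}, $env:ProgramFiles) | Where-Object { $_ }
    Get-ChildItem -Path $roots -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.Name -match "(?i)$Pattern" } |
        Where-Object { $_.DirectoryName -ne $sys32 -or $_.Name -match '\s' } |
        Select-Object FullName, Length, CreationTime, LastWriteTime
}

function Find-Prefetch {
    # A .pf entry proves the image was executed, even if the file is gone now.
    Get-ChildItem -LiteralPath (Join-Path $env:SystemRoot 'Prefetch') -Filter '*.pf' -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match "(?i)$Pattern" } | Select-Object Name, LastWriteTime
}

function Find-Processes {
    Get-CimInstance Win32_Process | Where-Object { $_.Name -match "(?i)$Pattern" } |
        Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine
}

function Find-Services {
    Get-CimInstance Win32_Service |
        Where-Object { $_.Name -match "(?i)$Pattern" -or $_.PathName -match "(?i)$Pattern" } |
        Select-Object Name, State, StartMode, PathName
}

function Find-ScheduledTasks {
    # Match on the action, not the task name: a launcher task is usually named innocently.
    Get-ScheduledTask | ForEach-Object {
        $t = $_
        $t.Actions | Where-Object { "$($_.Execute) $($_.Arguments)" -match "(?i)$Pattern|winsoft|pyt37|python" } |
            ForEach-Object {
                [pscustomobject]@{ Task = $t.TaskPath + $t.TaskName; State = $t.State
                                   Execute = $_.Execute; Arguments = $_.Arguments }
            }
    }
}

function Find-RegistryRunKeys {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $item = Get-ItemProperty -Path $k
        foreach ($p in $item.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... bookkeeping properties.
            if ($p.Name -notmatch '^PS' -and "$($p.Value)" -match "(?i)$Pattern") {
                [pscustomobject]@{ Key = $k; Value = $p.Name; Data = $p.Value }
            }
        }
    }
}

'--- files ---';           Find-Files            | Format-Table -AutoSize
'--- prefetch ---';        Find-Prefetch         | Format-Table -AutoSize
'--- processes ---';       Find-Processes        | Format-Table -AutoSize
'--- services ---';        Find-Services         | Format-Table -AutoSize
'--- scheduled tasks ---'; Find-ScheduledTasks   | Format-Table -AutoSize
'--- Run keys ---';        Find-RegistryRunKeys  | Format-Table -AutoSize
```

The Prefetch check is the useful one after a fix that deletes the .pf files: if a new RUNTIMEBROKER*.pf appears with a fresh timestamp, something is still launching the image, and the scheduled-task output is where to look for it.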

5 hours ago, Maurice Naggar said:

That said, I am not of the opinion that an actual infection is on this system.

Very luckily, I haven't noticed this process active in the background on my pc, unless I connect a flash drive to it (which I haven't done since this problem arose). That's the point. As I explained in my very first post, this "malware" or shortcut virus or whatever has the capacity to create fake links to the drive on the drive itself, and doesn't let you see the files on it. Besides, as we have experienced for a month, it is able to install itself on pcs from the flash drive and to replicate itself to other drives that get connected afterwards.

I have never heard of, nor installed on purpose, "WinSoft Update Service". Making a quick search on the web, I found it is responsible for the creation of links on USB drives... I am confident we are close to the solution. In fact, after the last fix by FRST, the process "RuntimeBroker .exe" hasn't started at either of the two reboots I made! I thank you very much for this! The file is still present in C:\Windows, but with the date of the last reboot before this fix. Maybe now we should delete that file and everything related to WinSoft Update Service(?) I notice also a folder called "pyt37" under C:\Program Files (x86), which seems to me related to that WinSoft. I wait for other guidance and I thank you again.

By the way, I also upgraded Windows 10 to the 22H2 build.

Attachment: Fixlog.txt


Are you the sole user of this Windows system?
Is it possible some other user would have done a install ?
Do you happen to do any work with Python on this machine?

Download and save on the desktop and (only then) install Revo Uninstaller free
http://www.revouninstaller.com/start_freeware_download.html

Double-click Revo Uninstaller to run it.
In the list of programs, double-click on "WinSoft Update Service" if it is found (if it is not found, then stop and exit Revo)

When prompted to uninstall, click Yes.
Make sure the "Moderate" option is selected, and then click Next.
The program will run, If you are prompted again, click Yes
When the built-in uninstall program is complete, click Next.

Once the program has searched for leftovers, click Next.
Check / check only the bolded items in the list, then click Remove
When you are prompted, click Yes, and then click Next.
Put a check on the found records and select delete
When prompted, select yes, and then click Next
When finished, click Finish.

( 2 )

I also would appreciate this report:

Download   Farbar's Service Scanner utility

and Save to your Desktop.

Right-Click on fss.exe and select Run As Administrator.

Answer Yes to ok when prompted.

If your firewall then puts out a prompt, again, allow it to run.

Once FSS is on-screen, be sure the following items are check-marked:

  • Internet Services
    Windows Firewall
    System Restore
    Security Center/Action Center
    Windows Update
    Windows Defender
    Other services

  

Click on "Scan".

It will create a log (FSS.txt) in the same directory the tool is run.   Please attach that file.  

( 3 )

I would like a new report set for review. This is a report only.

Please download MALWAREBYTES MBST Support Tool

Once you start it click Advanced >>> then Gather Logs

Have patience till the run has finished.
Attach the mbst-grab-results.zip from the Desktop to your reply..

NOTE:

Before this point, I had you run many, many scans.  I do not see a current real infection on this machine.
Here is a list of some of the scans done on this machine
DrWeb CureIt
Sophos Scan and Clean
Microsoft Safety Scanner MSERT
Malwarebytes MBAR anti-rootkit
TrendMicro Housecall
Kaspersky KVRT
ESET Onlinescanner
Autoruns

There is a quirk of some kind with the 1 file at c:\windows\runtimebroker^.exe but we do not view it as malicious.

While it does not normally belong at that or any location, it is NOT the same as all the other cases we have had that did have the rogue "runtimebroker.exe". This case here is not the same. Not the same at all.


12 hours ago, Maurice Naggar said:

Are you the sole user of this Windows system?
Is it possible some other user would have done a install ?
Do you happen to do any work with Python on this machine?

Yes, I am, and I don't use Python to program. I am almost sure I caught that "file" on a school pc where I inserted my USB drive, which from that moment on, when connected to my pc, showed just the fake link to the drive itself and not the original files. When I first clicked on it, a UAC message by RuntimeBroker appeared: I pressed NO, then the message appeared again, but on clicking NO the UAC appeared again and again, leaving no possibility to use the pc unless pressing YES (this doesn't seem to me a normal behaviour for a clean file/process), which unfortunately I finally did. That action probably installed on my pc "WinSoft Update Service", responsible for the generation of "RuntimeBroker .exe" in C:\Windows and its related process. At that time, I then connected another USB drive to that pc to see if the problem affected even that one, which then immediately played the same trick as the other, showing the fake link to itself. I then connected that one to my other pc... and infected that as well. So... I don't know what we should call that file/process if not a virus/malware, since as far as I know the characteristic of spreading from one device to the other, carried by USB drives, is typical of some types of virus.

That said, looking in the other pc C:\Program Files (x86) folder, the same two suspect folders are present: "pyt37" and "WinSoft Update Service". Guess what? Both created on February 25, exactly the same date in which they were created in this pc, that is the day when I connected the infected pendrive to the pcs.

 

Revo Uninstaller couldn't find "WinSoft Update Service" in the list of programs, as well as it is not visible in the control panel's list. I attach the two logs you requested, thank you.

Attachments: mbst-grab-results.zip, FSS.txt


(Marked as solution)

Open an elevated Powershell window i.e. run Powershell Prompt as an administrator .

On the Taskbar Search box, type in

powershell.exe


click the line for "run as administrator"


It is best to use the Windows Copy ( CTRL+ C )  and paste  ( CTRL+V )  for the whole line, as-is
On that Powershell prompt,  Copy & Paste this command

Remove-Item -Path "C:\Program Files (x86)\WinSoft Update Service" -recurse -force


press Enter-key on keyboard   and watch & write down the result.
I would like to know the result. I do expect it will do the job of removing that specific folder and any of its sub-folders.
Close the Powershell windows when completed.

As to any poisoned-infected USB-pen drives you had used in the past, they are not now connected to this machine. I will have more to say on that later.
As to Winsoft and their software, we must be very careful to not cast aspersions or blame for what was seen on this Dell machine (which, by the way, currently does not have an infection).
Winsoft is a legitimate software company. It is known for making instrumentation applications.

Next step
I had you run the MBAR anti-rootkit tool on 2 March. And now, as I look back on the original first Farbar reports, I notice that Microsoft Defender had caught and stopped a hacked version v3.4.5.2467 of Malwarebytes ( pirate version). Pirated software is a leading cause of serious infection.
I would urge you highly to stay far away from hack / cracked software of any sort. Whether a so called free program or free game, or whatever.
Hidden risks in pirated software
https://news.microsoft.com/apac/2019/01/08/hidden-risks-in-pirated-software/

Why You Shouldn't Use Pirated Software
https://www.computer.org/publications/tech-news/trends/why-you-shouldnt-use-pirated-software

Torrenting & filesharing. Try to not do that, as a general security matter. All it takes is one malicious file to lead to tragedy & loss.
https://informationsecuritybuzz.com/articles/torrenting-know-risks-take/

DON'T FALL FOR THE MONEY-SAVING LURE OF CRACKED SOFTWARE
https://scambusters.org/crackedsoftware.html

( 3 )
I would ask you to use the Malwarebytes Support tool which you already have
to have the tool uninstall ( if there is a old residue of it) & re-install the Malwarebytes for Windows.
Use this support article as a guide https://support.malwarebytes.com/hc/en-us/articles/360039023473-Uninstall-and-reinstall-Malwarebytes-using-the-Malwarebytes-Support-Tool

Skip line 1 for download.  Locate where you saved it & use it.
Have infinite patience after the Reboot ( restart ) and just wait till the prompt window comes on
Reply YES when prompted to re-install Malwarebytes

After Malwarebytes is installed, launch it and run a Scan. Advise me of the result.

( 4 )

Current DNS Servers: 192.168.1.1

Please consider changing your default DNS Server settings. Please choose one provider only

DNS is what lets users connect to websites using domain names instead of IP addresses

Pick just one of these 4 providers. And be aware that you need to modify 1 time for IPV4 & a 2nd pass for IPv6

  • Google Public DNS: IPv4   8.8.8.8 and 8.8.4.4   IPv6   2001:4860:4860::8888 and 2001:4860:4860::8844
  • Cloudflare: IPv4   1.1.1.1 and 1.0.0.1   IPv6   2606:4700:4700::1111 and 2606:4700:4700::1001
  • OpenDNS: IPv4   208.67.222.222 and 208.67.220.220  IPv6  2620:119:35::35 and 2620:119:53::53
  • DNSWATCH: IPv4   84.200.69.80 and 84.200.70.40   IPv6  2001:1608:10:25::1c04:b12f and 2001:1608:10:25::9249:d69b

The Ultimate Guide to Changing Your DNS Server
https://www.howtogeek.com/167533/the-ultimate-guide-to-changing-your-dns-server/

Here is a YouTube video on Changing DNS settings if needed

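The DNS change above is described for the Settings GUI, where IPv4 and IPv6 are two separate passes. The same change can be made and verified from the elevated PowerShell window that is already open, using the DnsClient module that ships with Windows 8/2012 and later. This is an added example for this thread, not a command from the post: it takes the four provider sets listed above, applies one of them to every connected non-virtual adapter for both address families, and prints the before/after server lists so the result can be checked (or pasted into a reply). The choice of Cloudflare in the last lines is an assumption; pick whichever single provider you prefer.

```powershell
# Added example (not the thread's own command): pick one resolver set, apply it to
# every connected, non-virtual adapter for both IPv4 and IPv6, then verify.
# Assumes the DnsClient and NetAdapter modules (Windows 8/2012 and later). Run elevated.

$providers = @{
    Google     = @('8.8.8.8', '8.8.4.4', '2001:4860:4860::8888', '2001:4860:4860::8844')
    Cloudflare = @('1.1.1.1', '1.0.0.1', '2606:4700:4700::1111', '2606:4700:4700::1001')
    OpenDNS    = @('208.67.222.222', '208.67.220.220', '2620:119:35::35', '2620:119:53::53')
    DNSWATCH   = @('84.200.69.80', '84.200.70.40', '2001:1608:10:25::1c04:b12f', '2001:1608:10:25::9249:d69b')
}

function Set-ResolverOnActiveAdapters {
    param([Parameter(Mandatory)][ValidateSet('Google','Cloudflare','OpenDNS','DNSWATCH')][string]$Provider)
    $servers  = $providers[$Provider]
    $adapters = Get-NetAdapter | Where-Object { $_.Status -eq 'Up' -and -not $_.Virtual }
    foreach ($a in $adapters) {
        # Record the current setting first; Set-DnsClientServerAddress -ResetServerAddresses
        # on the same interface puts DHCP-assigned resolvers back if needed.
        $before = (Get-DnsClientServerAddress -InterfaceIndex $a.ifIndex).ServerAddresses -join ', '
        # Both families are passed in one call; the cmdlet files each address under
        # its own family. The 'After' column confirms both IPv4 and IPv6 took effect.
        Set-DnsClientServerAddress -InterfaceIndex $a.ifIndex -ServerAddresses $servers
        $after = (Get-DnsClientServerAddress -InterfaceIndex $a.ifIndex).ServerAddresses -join ', '
        [pscustomobject]@{ Adapter = $a.Name; Before = $before; After = $after }
    }
}

Set-ResolverOnActiveAdapters -Provider Cloudflare | Format-Table -AutoSize
Clear-DnsClientCache
# Confirm a lookup now goes through the new resolver (example.com is a constructed test name).
Resolve-DnsName -Name example.com -Type A | Select-Object Name, IPAddress
```

The "Before" column is the value to keep somewhere: the post shows 192.168.1.1, which means the router was the resolver, and that is what -ResetServerAddresses returns you to if the new provider ever misbehaves.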

I successfully deleted the WinSoft folder in C:\Program Files (x86) and the Malwarebytes scan found no threat of any kind. I think you have now solved this very tricky issue on my pc. Thank you very much for your patience in following me all this time!


You are welcome. One bit of housekeeping:
Start Malwarebytes. Click the Settings (gear) icon. Next, let's make really sure that Malwarebytes does NOT register with Windows Security Center.
Click the Security Tab. Scroll down to

"Windows Security Center"

Click the selection to the left for the line "Always register Malwarebytes in the Windows Security Center".
{ We want that to be set as Off  .... be sure that line's radio-button selection is all the way to the Left. thanks. }

This will not affect any real-time protection of the Malwarebytes for Windows    😃.

Close Malwarebytes.

Next set of tips

( 2 )
At this point, make time and do a BACKUP of this system on some media that is external to your machine. Like a clean large external Backup device or even to a cloud service.
See https://forums.malwarebytes.com/topic/136226-backup-software/
( 3 )
As I noted before, Save and keep very secure that USB that was made by the Media Creation tool. It is a real life-saver.
( 4 )
You mentioned I believe one or two pen-flash drives that are the sources of infection. Keep those isolated until you deal with them.
I have more advice below. Just keep in mind I just provide the overall high-level advice. I will not do hand-holding about them.

( 5 )
I'd suggest you to follow the steps listed here in order to disable autorun on an external USB drive.
1. Open AutoPlay by clicking the Start button, and then clicking Control Panel.

   or

   In the search box, type

   autoplay

   and then click AutoPlay.

2. To never see the AutoPlay dialog box, click

   "Take no action"

   next to the device or disc.

   OR ELSE

   To choose an action each time you plug in a device or insert a disc, click

   "Ask me every time."

You can have more detailed how-to-advice from this article "How to Disable Autorun in Windows"
https://www.wikihow.com/Disable-Autorun-in-Windows

The Shift key on the keyboard is a so-called control key. A very handy & useful one. The Shift key is typically located in the second row of keys from the bottom on the far left, above the Ctrl key. There is a ⇧ symbol on the key. Most keyboards have two shift keys

A very important and crucial tip relating to the way one connects USB-flash-pen devices:
BEFORE sliding into the USB-seat-connector
PRESS and keep depressed the SHIFT key on keyboard & only then slide the connector of the device in.
Once fully seated, release the Shift key.
If you hold down the Shift key, the AutoRun task ( IF it has one ) will not be executed on the drive.

As to the suspected "pen-flash-USB" devices
Have you checked the drive for an "AUTORUN.INF" file? If it has one, rename
or delete it to prevent the drive from auto-running.

In addition, or perhaps as a first, step, consider what there is on the suspect device. Whether it is worth keeping the contents.
If it has no valuable content, then REFORMAT the device.

IF the device has content that you must keep, it is urgent that before you do anything with the contents, that you take active measures to scan that device  ( specifically a Custom scan to that drive) using multiple scanners. Those include
Microsoft Defender Antivirus
Microsoft Safety Scanner
ESET Online scanner
 
( 6 )
I have no idea what you used to have on the infected pen-flash devices. BUT any sort of game is not worth it. Any sort of cracked or hacked app is not worth the risk.
If you used to share stuff with a fellow student or colleague, be extremely careful what you get or use or run.
Anything you obtain from the outside has to be scanned and checked with antivirus ( unless you are getting it from Microsoft or else a known safe trusted publisher).

 

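The AutoPlay and Shift-key advice above is per-user and per-insertion. The machine-wide way to switch AutoRun off is the Explorer policy value Microsoft documents for exactly this, and the "is there an AUTORUN.INF, and what do the links on the drive point to" check can be done without double-clicking anything. The script below is an added example written for this thread, not something from the post: the first function sets NoDriveTypeAutoRun to 0xFF (all drive types) under both the machine and the user policy key and reads it back; the second inspects a removable drive read-only, showing any root autorun.inf, every .lnk at the root with its target and arguments, and any items carrying the Hidden or System attribute (where a "the whole drive is now one shortcut" infection usually parks the real files). The drive letter E: is an assumption; change it to the suspect drive, and run it from an elevated PowerShell with the Shift key held while the drive is inserted, as described above.

```powershell
# Added example (not from the thread): (1) turn off AutoRun for every drive type
# through the documented Explorer policy value, and (2) inspect a removable drive
# read-only before opening anything on it: root autorun.inf, shortcut (.lnk)
# files and what they point to, and items hidden with the Hidden/System bits.
# Drive letter E: is an assumption; change it to the suspect drive. Run elevated.

function Disable-AutoRunPolicy {
    # 0xFF in NoDriveTypeAutoRun disables AutoRun for all drive types; the policy
    # key takes precedence over the per-user AutoPlay settings in Control Panel.
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $key = "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
        [pscustomobject]@{ Key = $key; NoDriveTypeAutoRun = (Get-ItemProperty -Path $key).NoDriveTypeAutoRun }
    }
}

function Get-RemovableDriveReport {
    param([Parameter(Mandatory)][string]$Root)   # e.g. 'E:\'
    $shell   = New-Object -ComObject WScript.Shell
    $autorun = Join-Path $Root 'autorun.inf'
    if (Test-Path -LiteralPath $autorun) {
        "autorun.inf present at ${Root}:"
        Get-Content -LiteralPath $autorun
    } else {
        "no autorun.inf at $Root"
    }

    "shortcuts at the root and their targets:"
    Get-ChildItem -LiteralPath $Root -Force -Filter '*.lnk' -ErrorAction SilentlyContinue | ForEach-Object {
        # Reading the .lnk through the shell object resolves it without launching it.
        $lnk  = $shell.CreateShortcut($_.FullName)
        # A root shortcut that runs a script host or shell with arguments is the
        # classic "the drive is now one link" pattern; flag it with !!
        $flag = if ($lnk.TargetPath -match '(?i)cmd|wscript|cscript|powershell|rundll32|mshta' -or $lnk.Arguments) { '!!' } else { '  ' }
        "{0} {1,-30} -> {2} {3}" -f $flag, $_.Name, $lnk.TargetPath, $lnk.Arguments
    }

    "hidden/system items at the root:"
    Get-ChildItem -LiteralPath $Root -Force -ErrorAction SilentlyContinue |
        Where-Object { (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) -or
                       (($_.Attributes -band [IO.FileAttributes]::System) -ne 0) } |
        Select-Object Name, Attributes, LastWriteTime | Format-Table -AutoSize
}

Disable-AutoRunPolicy | Format-Table -AutoSize
Get-RemovableDriveReport -Root 'E:\'
```

If the report shows a flagged shortcut and a hidden folder holding the original files, the files can be copied out of that folder (after the custom scans the post lists), and the drive reformatted; nothing on it needs to be opened in place to recover them.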


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy Tips to help protect from infection

Thank you

