NuggetMcSqueak Posted March 6 ID:1557583

So today I was watching a YouTube video and I noticed everything started getting extremely slow and things became very delayed, even just moving my mouse. I opened Task Manager, which took several seconds, and saw "Antimalware Service Executable" using 80% of my disk, which is strange as I don't recall starting a scan or anything. Upon searching it up, people are suggesting it's either an error with Windows Defender, or a virus that may be acting as Windows Defender. I've run a full scan with Windows Defender and am running one with Malwarebytes currently, but neither seems to be finding anything. Does anyone know how to fix this? Any kind of help would be greatly appreciated.
1PW Posted March 6 ID:1557590

Hello @NuggetMcSqueak and welcome back:

While you are waiting for the next qualified/approved malware removal expert helper to weigh in on your topic, and even though you may have run the following Malwarebytes utility, or its subsets, please carefully follow these instructions:

1. Download the Malwarebytes Support Tool.
2. In your Downloads folder, open the mb-support-x.x.x.xxx.exe file.
3. In the User Account Control (UAC) pop-up window, click Yes to continue the installation.
4. Run the MBST Support Tool.
5. In the left navigation pane of the Malwarebytes Support Tool, click Advanced.
6. In the Advanced Options, click only Gather Logs. A status diagram displays the tool is Getting logs from your computer.
7. A zip file named mbst-grab-results.zip will be saved to the Public desktop, please attach that file in your next reply to this topic. Please do NOT copy and paste.

For the short time between when you post the diagnostic logs, and when your helper weighs in, please take no further self-directed remedial actions that will invalidate the diagnostic logs you will have sent.

Thank you.
NuggetMcSqueak Posted March 6 Author ID:1557595

Here is the log the support tool generated.

mbst-grab-results.zip
Maurice Naggar Posted March 6 ID:1557619

Hello @NuggetMcSqueak

I will guide you along on looking for remaining malware. Let's keep these principles as we go along.

- Removing malware can be unpredictable.
- Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
- Only run the tools I guide you to.
- Do not run online games while case is on-going. Do not do any free-wheeling web-surfing.
- The removal of malware isn't instantaneous, please be patient.
- Cracked or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also a big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
- Please stick with me until I give you the "all clear".
- If your system is running Discord, please be sure to Exit out of it while this case is on-going.

Kindly allow me a bit of time to review your report.
Maurice Naggar Posted March 6 ID:1557622

This PC has McAfee® Personal Security installed. Is it a paid-for license? Or is that a trial?

Temporarily disable Microsoft SmartScreen to download the next software below.

I would recommend getting a readout report as to update status of some key apps.

1. Download SecurityCheck by glax24 from here and save the tool on the desktop.
2. If Windows's SmartScreen blocks that with a message-window, then click on the MORE INFO spot and over-ride that and allow it to proceed. This tool is safe. SmartScreen is overly sensitive.
3. Right-click with your mouse on the Securitycheck.exe and select "Run as administrator" and reply YES to allow to run & go forward.
4. Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file. Attach it with your next reply.
5. You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

When all done, you may go back to turn ON the EDGE SmartScreen protection.
Maurice Naggar Posted March 6 ID:1557648

AFTER completing the steps listed above, this is what to do next.

Take these actions so that Windows 11 is set to show all hidden files and folders.

1. Open File Explorer from the taskbar.
2. Select View > Show > Hidden items.
3. Select View > Show > File name extensions.

Please run the following custom script. Read all of this before you start. Please close all open work. Once the script-run has been completed, please attach the file FIXLOG.TXT to your next reply.

Farbar program: is FRSTENGLISH.exe

Please download the attached fixlist.txt file and save it to Downloads folder.

Fixlist.txt <--- NOTE. It's important that both files, FRSTENGLISH and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will rebuild the Winsock. Depending on the speed of your computer this fix may take 45-50 minutes or more.

1. Use File Explorer to go to the Downloads folder.
2. RIGHT-click on FRSTENGLISH and select RUN as Administrator and reply YES to allow it to go forward to start. That is important so that this run has Elevated Administrator rights !!
3. NEXT press the Fix button just once and wait.
4. If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
5. The tool will make a log on the Downloads folder (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

The system will be rebooted after the fix has run. Attach FIXLOG.txt with next reply.

There will be much more to do later.
NuggetMcSqueak Posted March 7 Author ID:1557735

Here are the logs from both scanners.

Fixlog.txt
SecurityCheck.txt
Maurice Naggar Posted March 7 ID:1557789

Thank you. 😃 Very good run 👍

Microsoft Defender antivirus is running, is up-to-date, and all its protections are enabled.

I also would appreciate this report:

1. Download Farbar's Service Scanner utility and save to your Desktop.
2. Right-click on fss.exe and select Run As Administrator. Answer Yes to ok when prompted.
3. If your firewall then puts out a prompt, again, allow it to run.
4. Once FSS is on-screen, be sure the following items are check-marked:
   - Internet Services
   - Windows Firewall
   - System Restore
   - Security Center/Action Center
   - Windows Update
   - Windows Defender
   - Other services
5. Click on "Scan".
6. It will create a log (FSS.txt) in the same directory the tool is run. Please attach that file.

Edited March 7 by Maurice Naggar
NuggetMcSqueak Posted March 8 Author ID:1557884

Ok I ran the program and here is the log, was it supposed to finish so quickly?

FSS.txt
Maurice Naggar Posted March 8 ID:1557885

The FSS report run does not take a bunch of time. The Microsoft Defender is in a good state.

Do a custom scan with Microsoft Defender Antivirus:

Just want to do a visual check in Windows Security to see (visually) that Microsoft Defender is on, and to do a Custom scan.

1. From the Windows Start menu, select Settings, then select Update and Security.
2. Next, look at the left-side menu & select Windows Security.
3. Next, in Windows Security section: click on the grey button Open Windows Security.
4. Now, click on the shield Virus and threat protection.
5. Look to see that Microsoft Defender is shown & available for use.
6. On the next display, look at all the options. Look down the list and see "Check for Updates". You should click on that to have the system check for updates for Windows Defender. Watch & wait for that to complete.
7. Please also note that the Scan options (all) can be displayed by clicking on Scan options. Click that & select CUSTOM scan & then pick the C drive & have it go forward.

Once it has started the scan phase, you can go take a long break. Let me know the results.
NuggetMcSqueak Posted March 8 Author ID:1557890

Ok I'm running a scan now, here is an example of the issue I had before, it hovers throughout 65%-75% cpu usage when running a scan. Is this normal or is this just an error?
NuggetMcSqueak Posted March 8 Author ID:1557891

The scan just finished, it says no threats found.
Maurice Naggar Posted March 8 ID:1557933

Hi. Very glad to read the scan result.

As to the screen grab above, the very key words are "during a scan run of Microsoft Defender antivirus". Yes, that is normal during an on-going scan of MS Defender. As to when there is NOT a scan on-going, like during idle or lightly loaded system, the percentage of system use would be a lot lower. Thus, if the screen capture is during a scan, this is normal.

By the by, while in Task Manager, if you do a RIGHT-click on "Antimalware Service Executable" and select "Properties" you would see the executable name of msmpeng.exe on the folder location C:\Programdata\Microsoft\Windows Defender\Platform\4.18.nnnn.n

That is the engine executable of MS Defender antivirus.
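
Added example, not part of the thread or of any poster's reply: the Task Manager properties check described in the post above can also be scripted, which answers the original worry about a look-alike process posing as Defender. This PowerShell script assumes an elevated prompt; the service name WinDefend and the second install directory (Program Files\Windows Defender) are assumptions that do not appear in the thread.

```powershell
# Added example: run from an elevated PowerShell prompt.
# Checks that the process Task Manager labels "Antimalware Service Executable"
# is the genuine Microsoft Defender engine and not a look-alike.

# 1. The WinDefend service (assumed name) records the real engine binary and PID.
$svc = Get-CimInstance Win32_Service -Filter "Name='WinDefend'"
if (-not $svc) { throw 'WinDefend service not found.' }

# PathName may be quoted and may carry arguments; keep only the .exe path.
if ($svc.PathName -match '^"?(?<exe>[^"]+?\.exe)') { $exe = $Matches.exe }
else { throw "Cannot parse service path: $($svc.PathName)" }

# 2. The binary must live in one of Defender's install locations.
#    The first is the folder named in the post; the second is an assumption.
$expectedRoots = @(
    "$env:ProgramData\Microsoft\Windows Defender\Platform\",
    "$env:ProgramFiles\Windows Defender\"
)
$inExpectedDir = [bool]($expectedRoots | Where-Object {
    $exe.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) })

# 3. The binary must carry a valid Authenticode signature issued to Microsoft.
$sig = Get-AuthenticodeSignature -FilePath $exe
$signedByMs = ($sig.Status -eq 'Valid') -and
              ($sig.SignerCertificate.Subject -match 'O=Microsoft Corporation')

# 4. Any MsMpEng.exe process that is not the service's own PID is a look-alike.
$strays = Get-CimInstance Win32_Process -Filter "Name='MsMpEng.exe'" |
    Where-Object { $_.ProcessId -ne $svc.ProcessId }

[pscustomobject]@{
    EnginePath      = $exe
    InExpectedDir   = $inExpectedDir
    SignatureStatus = $sig.Status
    SignedByMs      = $signedByMs
    ServicePid      = $svc.ProcessId
    StrayProcesses  = @($strays).Count
}

# 5. Defender's own view of its state and of when it last scanned.
Get-MpComputerStatus | Select-Object AntivirusEnabled, RealTimeProtectionEnabled,
    AntivirusSignatureLastUpdated, QuickScanEndTime, FullScanEndTime
```

A healthy system reports InExpectedDir and SignedByMs as True and StrayProcesses as 0; a scan end time close to the moment of the slowdown points to a scheduled scan as the cause of the disk and CPU load.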
NuggetMcSqueak Posted March 9 Author ID:1557990

Oh ok, that makes sense, thank you so much for your help by the way
NuggetMcSqueak Posted March 9 Author ID:1557991

So I was just completely overreacting, I probably have just never thought to check task manager during a scan, so it seemed strange, and also is 95% cpu usage also normal during a scan, cause I was just running another scan just to double check, and it's hovering right around 90-95% cpu.
Maurice Naggar Posted March 9 ID:1558021

A standard quick scan with Microsoft Defender should be just a few minutes in duration. And as to the percentage, it would fluctuate up and down. It is not like the percent in use is 90+ all day long.

A strong caution I would advise to everybody is to be cautious when looking at Task Manager stats.

As a separate bit of curiosity, when is this that you look at Task Manager? Is this in the wee hours of the day?

As a separate data point, the quick scan by MS Defender on the 6th of March took just under 1 minute.
NuggetMcSqueak Posted March 10 Author ID:1558163

Oh I only check task manager whenever I notice any kind of lag, or if something's slower than normal, which is typically only when I'm on my computer around 5-8pm
Maurice Naggar Posted March 10 Solution ID:1558209

This is a follow-up on the SecurityCheck report. These are what you need to take action on.

I would suggest that you ensure you have Version 4.5.24.248 of Malwarebytes. Do a Check for Update using the Malwarebytes Settings >> General tab. See this Support Guide https://support.malwarebytes.com/hc/en-us/articles/360042187934-Check-for-updates-in-Malwarebytes-for-Windows

When it shows a new version available, accept it and let it proceed forward. Be sure it succeeds.

Microsoft 365 - en-us v.16.0.16026.20200 Warning! Download Update How Install Office updates?
Discord v.1.0.9008 Warning! Download Update
Chaos Warning! Suspected Adware! If this program is not familiar to you it is recommended to uninstall it
Razer Cortex v.10.5.7.0 Warning! Suspected demo version of anti-spyware, driver updater. Uninstall is recommended

As to s-l-o-w or lagging computer, there are several areas that you can look into. Here are a few links to handy articles. Please know that a slow condition can be due to non-infection factors.

See https://support.microsoft.com/en-us/help/2746761/how-to-speed-up-your-slow-computer
See Miekiemoes blog article on slow computer situation https://miekiemoes.blogspot.com/2008/02/help-my-computer-is-slow.html
also, at Bleepingcomputer https://www.bleepingcomputer.com/forums/t/87058/slow-computerbrowser-check-here-first;-it-may-not-be-malware/

Let's go ahead and do some clean-up work and remove the tools and logs we've run.

1. Please download KpRm by kernel-panik and save it to your desktop.
2. Right-click kprm_(version).exe and select Run as Administrator.
3. Read and accept the disclaimer.
4. When the tool opens, ensure all boxes under Actions are checked.
5. Under Delete Quarantines select Delete Now, then click Run.
6. Once complete, click OK.
7. A log will open in Notepad titled kprm-(date).txt. You may attach that file to your next reply. (not compulsory)

Delete mb-support-1.8.7.918.exe
Delete mbst-grab-results.zip on the Desktop.

Your system is good-to-go. There is no "infection".

Sincerely.
NuggetMcSqueak Posted March 14 Author ID:1558689

Sorry, I was very busy for a few days but alright, and thank you so much for all your help!
NuggetMcSqueak Posted March 14 Author ID:1558692

Also will the Kprm tool delete apps such as Razer cortex that were previously flagged? Cause both apps that were flagged are apps I trust
Maurice Naggar Posted March 15 ID:1558758

KPRM only removes the security tools/report tools I had you use.

If you have a concern about installed programs Razer Cortex or Razer Synapse and do not want them, look in Windows installed programs list and remove as desired.

https://support.microsoft.com/en-us/windows/uninstall-or-remove-apps-and-programs-in-windows-4b55f974-2cc6-2d2b-d092-5905080eaf98
NuggetMcSqueak Posted March 15 Author ID:1558792

kprm-20230315131818.txt

Here is the log, and alright
Maurice Naggar Posted March 15 ID:1558797

I am glad to have worked with you.

Delete mb-support-1.8.7.918.exe
Delete mbst-grab-results.zip on the Desktop.

Consider using PatchMyPC, keep all your software up-to-date - https://patchmypc.com/home-updater#download

Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

I am marking this case for closure. I wish you all the best. Stay safe.

Sincerely.
Maurice
Maurice Naggar Posted March 15 ID:1558798

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy: Tips to help protect from infection

Thank you