Reset computer 4 times, still infected

[cyberthegod]

Hey there so pretty much my main computer has been infected for sometime now atleast i just now realized after a program randomly quickly closed on my computer when i was AFK. I reset my computer instantly after this and everything was fine til I noticed it was on my computer again. Pretty much long story short i tried resetting, clearing my partition for all my drives and I believe im still infected even after clearing all my SSDs and losing over 2 years of videos.

I even believe my RDP (VPS computer) is infected aswell cause I keep getting these notifications p.s these only popup on my RDP.

The final reason why I believe I'm still infected on my computer is because whenever I shutdown my PC it always says theres two programs with no name or logo just a .exe file that is preventing my computer from shutting down then it quickly goes away and shuts down 2 seconds later. i'll try and provide a picture next time if I can.

Can someone please help me get rid of this infection completely before I end up throwing away my computer?
 

[Maurice Naggar]

Hello  

I will guide you along on looking for remaining malware. Lets keep these principles as we go along.

• Removing malware can be unpredictable
• Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
• Only run the tools I guide you to.
• Do not run online games while case is on-going. Do not do any free-wheeling web-surfing.
• The removal of malware isn't instantaneous, please be patient.
• Cracked or or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed, is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
• Please stick with me until I give you the "all clear".
• If your system is running Discord, please be sure to Exit out of it while this case is on-going.

I would like a report set for review. This is a report only.

Please download MALWAREBYTES MBST Support Tool

Once you start it click Advanced >>> then Gather Logs

Have patience till the run has finished.
Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop to your reply..

[cyberthegod]

mbst-grab-results.zipthis is the one for my main computer, should i do the same on my RDP and provide you it too?

[Maurice Naggar]

For the other computer, Create ( open) a new separate case & there attach the ZIP report-file.  We only do one computer system on a help-malware-removal-topic. I will study this report here, then get back with you. 

The issue ( of block notices) that started out this case were due to attempted probes from the outside.NOTE the detail "Compromised" external IP address by the Malwarebytes.

The real-time protection of Malwarebytes for Windows is keeping the pc safe.  They will continue to do so, given that you have Malwarebytes Premium.

Here are some general conclusions & some tips.

The blocks are on addresses that are attempting to do a forced  attempt to exploit remote-desktop-protocol.

The Real Time Protection of Malwarebytes for Windows  is actively doing it's job to protect the system.

I  would recommend that if you have a internet-connection-router hardware at home,  that you look over this article
"How to Enable Your Wireless Router's Built-in Firewall"
https://www.lifewire.com/how-to-enable-your-wireless-routers-built-in-firewall-2487668

 
Additionally or alternatively, if this is on Windows 10 PRO or 11 PRO   and if you do not need or use Remote Desktop,  you can turn that off.
https://www.tenforums.com/tutorials/92433-enable-disable-remote-desktop-connections-windows-10-pc.html

This Windows version is a PRO edition.  IF you do not use remote desktop access to other outside machines, then I suggest you turn R D P  to Off.

The probers look for PRO or Enterprise editions as a prime potential target for exploitation.

.
Here is how to block a port number in Windows

https://thegeekpage.com/how-to-block-ports-in-windows-10-firewall/

 

How to Change the port number for RDP

https://tunecomp.net/change-remote-desktop-port-windows-10/

 

ALSO see this Malwarebytes support article
https://support.malwarebytes.com/hc/en-us/articles/360048565893-Receiving-message-Website-blocked-due-to-compromise

In most cases the attempted probes will automatically stop on their own. If it continues you can add the IP to the local firewall to prevent it from contacting the computer period.
If you wish to do so, here is one how-to guide for the Windows software firewall
https://www.interserver.net/tips/kb/add-ip-address-windows-firewall/
 

[cyberthegod]

Okay i cant do the router part because thats on my RDP vps. Could you let me know what I should do about my main computer though I think there is hidden malware on it they're probably seeing me type this right now haha

[Maurice Naggar]

 I am  studying this report , then will get back with you. 

[Maurice Naggar]

Please run the following custom script. Read all of this before you start. Please Close all open work.

Once the script-run has been completed, please attach the file FIXLOG.TXT to your next reply

Farbar program :  is FRSTENGLISH.exe

Please download the attached fixlist.txt file and save it to C:\Users\solve\Downloads

Fixlist.txt < - - -

NOTE. It's important that both files, FRSTENGLISH, and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Use File Explorer to go to the Downloads folder

RIGHT-Click on   FRSTENGLISH and select

RUN as Administrator

and reply YES to allow it to go forward to start.

That is important so that this run has Elevated Administrator rights !!

NEXT press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Downloads folder (Fixlog.txt) . Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files.  It will reset the Winsock. It will attempt to clear all Cache and history on web browsers. Depending on the speed of your computer this fix may take 40-50 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. 

The following directories are emptied:

• Windows Temp
• Users Temp folders
• Edge, IE, FF, Chrome, and Opera + Brave caches, HTML5 storages, Cookies and History
• Recently opened files cache
• Discord cache
• Java cache
• Steam HTML cache
• Explorer thumbnail and icon cache
• Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run. Attach FIXLOG.txt with next reply.

A request please 

I would like to get a copy of what we placed in Quarantine, from the runs I had you do. Please. 

• Using Windows File Explorer, Navigate to C:\FRST folder on your system. Expand the folder so you see all contents.
• Right click on Quarantine > Send to > Compressed (zipped) folder
• Upload the archive in your next reply
• If archive is too big you can upload here > https://wetransfer.com/

Also, look on the Downloads folder or else on the Desktop for a ZIP file whose name includes the date & time similar to this run.

This is only the start. We will do more steps later. Stick with me here until I give the All-Clear.

Thank you!

[cyberthegod]

Quarantine.zip

Fixlog.txt Quarantine.zip Fixlog.txt

[Maurice Naggar]

Windows' System File Checker has made corrections.

Windows Resource Protection found corrupt files and successfully repaired them.

Next actions Please set File Explorer to SHOW ALL folders, all files, including Hidden ones. Use OPTION ONE or TWO of this article
Please use this Guide
( 2 )
Next action step:
Disable ( turn OFF ) Fast Startup
https://www.windowscentral.com/how-disable-windows-10-fast-startup

Then restart the computer

( 3 )

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on Scan Options & select  CUSTOM scan  & then select the C drive to be scanned.

Then start the scan. Have lots of patience. Once you start the scan & you see it started, then leave it be.  

• Once you see it has started, take a long long break;  walk away.  Do not pay credence if you see some intermediate early flash messages on screen display.  The only things that count are the End result at the end of the run.
• Again, any on-screen display about repeat 'infection' is not to be relied on.  Ignore those.
• We only rely on the end result that is on the log-report-file.

 

This is likely to run for many hours   ( depending on number of files on your machine & the speed of hardware.)

The log is named MSERT.log  

the log will be at  

Windows\debug\msert.log

Please attach that log with your reply.

( 4 )

I would highly suggest to insure that this pc is all up-to-date with security updates & cumulative updates on Windows. select the Windows Start  button, and then go to Settings  > Update & Security  > Windows Update . and click Check for Updates.
Have much patience.

[cyberthegod]

I did everything up to number 3, whenever I run the Microsoft Safety Scanner it gives me an error and tells me to visit their website. The error reads 

0x8050800C

The system state prohibits the scan from running in a specific user context.

 

they say to restart my computer and run it again but it still doesn't allow me to run it. Could that be the infection stopping it from running?

[AdvancedSetup]

Yes, this is a known issue. It has been reported to Microsoft

 

[Maurice Naggar]

@cyberthegod Put aside the MSERT. And there is no need to fret over the message. There are other tools we can use. 

As a next step, I suggest the following:

This is for a scan with ESET Onlinescanner (free). ESET is a well-respected, well-known entity and tool.

This here you can start & once it is under way, you can leave the machine alone & let it run over-night. No need to keep watch once it starts the actual scan run.

Next, This will be a check with ESET Onlinescanner for viruses, other malware, adwares, & potentially unwanted applications.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

It will start a download of "esetonlinescanner.exe"

• Save the file to your system, such as the Downloads folder, or else to the Desktop.
• Go to the saved file, and double click it to get it started.

 

• When presented with the initial ESET options, click on "Computer Scan".
• Next, when prompted by Windows, allow it to start by clicking Yes
• When prompted for scan type, Click on CUSTOM scan  and select C drive to be scanned
• Look at & tick ( select ) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"
• and click on Start scan button.

Have patience. The entire process may take an hour or more. There is an initial update download.
There is a progress window display. You may step away from machine &. Let it be. That is, once it is under way, you should leave it running. It will run for several hours.

• At screen "Detections occurred and resolved" click on blue button "View detected results"
• On next screen, at lower left, click on blue "Save scan log"
• View where file is to be saved. Provide a meaningful name for the "File name:"
• On last screen, set to Off (left) the option for Periodic scanning
• Click "save and continue"
• Please attach the report file so I can review

[Maurice Naggar]

By the way, after you get all done, we want to be sure you do a check with Microsoft Windows Update.

added note;

The failure exception of MSERT.exe has nothing to do with any existing issue on this machine. This type of exception has happened to others.
It appears that some "releases" of the MSERT are problematic; other versions are not. Plus these exceptions are only a failure ( glitch) in attempting to communicate with the Microsoft cloud server.
Again, that is not due to some "booger" on the computer you have.

Edited March 15 by Maurice Naggar

[cyberthegod]

Here's the eset scan, checked for windows updates and it said something about a Windows Malicious Software Removal Tool so i updated it now i'm up to date

eset scan.txt

[Maurice Naggar]

The ESET Online found 7 compressed files that were either phishing-type threats or a hacktool.
Now a different scan with another security scanner. 

This with Kaspersky KVRT tool.

Download Kaspersky Virus Removal Tool (KVRT) from here: https://www.kaspersky.com/downloads/thank-you/free-virus-removal-tool and save to your Desktop.

Next, Select the Windows Key and R Key together, the "Run" box should open.



Drag and Drop KVRT.exe into the Run Box.



C:\Users\solve\DESKTOP\KVRT.exe will now show in the run box.



add

-dontencrypt

Note the space between KVRT.exe and -dontencrypt

C:\Users\solve\DESKTOP\KVRT.exe -dontencrypt 

should now show in the Run box.



That addendum to the run command is very important.


To start the scan select OK in the "Run" box.



The Windows Protected your PC window "may" open, IF SO then select "More Info"



A new Window will open, select "Run anyway"



A EULA window will open, tick both confirmation boxes then select "Accept"



In the new window select "Change Parameters"

 

• In the new window ensure the following boxes are ticked:
  • System memory
  • Startup objects
  • Boot sectors
  • System drive

• Then select "OK" and „Start scan“.

The Kaspersky tool is very thorough so will take a considerable time to complete, please allow it to finish. Also while Kaspersky runs do not use your PC for anything else..

• completed: If entries are found, there will be options to choose. If "Cure" is offered, leave as it is. For any other options change to "Delete", then select "Continue".
• Usually, your system needs a reboot to finish the removal process.
• Logfiles can be found on your systemdrive (usually C: ), similar like this:

Reports are saved here C:\KVRT_data\Reports and look similar to this report_20230316_103000.klr

• Right click direct onto those reports, select > open with > Notepad.
• Save the files and attach them with your next reply

[cyberthegod]

It doesn't allow me to post .klr files so I uploaded it to the link you gave me before

 

downloads/1709d0389d5377725aa114a3f32cb56a20230315211642/bc0805e8a34290e8c9adf2f0bbaf584020230315211657/a09703 

 

it detected one file that the eset detected before i pressed delete

 

 

[Maurice Naggar]

KVRT did not like "C:\Users\solve\Downloads\Telegram Desktop\Keybank.zip"

You are indicating that you have insured that it is deleted now.

Do a new scan with Malwarebytes for Windows.

Do a Check for Update using the Malwarebytes Settings >> General tab.

See this Support Guide https://support.malwarebytes.com/hc/en-us/articles/360042187934-Check-for-updates-in-Malwarebytes-for-Windows

When it shows a new version available, Accept it and let it proceed forward. Be sure it succeeds.

If prompted to do a Restart, just please follow all directions.

Let me know how that goes. Next, the Malwarebytes >>Settings >>

Then click the Security tab. Scroll down and lets be sure the line in SCAN OPTIONs for

"Scan for rootkits" is ON 👈 Click it to get it ON if it does not show a blue-color .

 

Next, click the small x on the Settings line to go to the main Malwarebytes Window. Next click the blue button marked Scan.

 

When the scan phase is done, be real sure you Review and have all detected lines items check-marked on each line on the left. That too is very critical.

>>>>>👉You can actually click the topmost left check-box on the very top line to get ALL lines ticked ( all selected).  <<<<💢

 

Please double verify you have that TOP  check-box tick marked.   and that then, all lines have a tick-mark

 

Then click on Quarantine  button.

 

Then, locate the Scan run report;  export out a copy;  & then attach in with your  reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

😉

 

For Your Information:

The Block notices from Malwarebytes web protection do mean that Malwarebytes is keeping your pc safe from potential harm.
A block notice is an advisory of the "block".
A "malicious website blocked" is entirely different from a "malware detected" event.

The website  Block message indicates that a potential risk was blocked by the malicious website protection.
The Malwarebytes web protection, by default, will always show each IP block occurrence.
The Malwarebytes Web-protection feature will advise customers when a known or suspected malicious IP is attempted to be reached (outgoing) or is trying access your PC.
 
Incoming block notice can be ignored, the Malwarebytes real-time protection is blocking the threat and there is nothing more that can be done.
On Outbound blocks, any attempted connection was stopped.

see this Malwarebytes support article
https://support.malwarebytes.com/hc/en-us/articles/360048565893-Receiving-message-Website-blocked-due-to-compromise

Now then, I do not know to what uses this particular machine is used for. BUT, shutting it down via the Windows menu, and keeping it shut and powered off for a few hours of "radio silence" would be a big help....so that the potential probers "loose the cent".
 

[cyberthegod]

here's the malwarebytes scans

first scan.txt second scan (full scan).txt

[cyberthegod]

Restarted my computer for another windows update and this popped up again I’m pretty sure that’s the hidden RAT

[Maurice Naggar]

Press the RESTART Anyway button and wait until Windows is restarted and ready for use. The results from the Malwarebytes scans are perfectly fine. 

This next tool ought to take something in the range of 15 - 25 minutes tops, depending on hardware speed.
get & run the Malwarebytes MBAR anti-rootkit tool to do 1 run with it.
Disregard the title subject of the topic.Run the MBAR tool as listed here 

https://forums.malwarebytes.com/topic/198907-requested-resource-is-in-use-error-unable-to-start-malwarebytes

• when done, I need the MBAR logs.
• Upon completion of the scan or after the reboot, two files named mbar-log.txt and system-log.txt will be created.
• Both files can be found in the extracted MBAR folder on your Desktop.
• Please attach both files in your next reply.

[cyberthegod]

system-log.txtmbar-log-2023-03-16 (13-15-54).txt

[Maurice Naggar]

The Malwarebytes "MBAR" anti-rootkit scan tool has found NO malware. That is as I believed to be the case, also based on the other recent scans.
Today, we can re-try the Microsoft MSERT tool.
FIRST find your prior copy of MSERT.exe on your machine, AND Delete MSERT.exe
Now do a new download of it and a new scan run.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted items from a system. This tool does not install. It is run on-demand.

This link is for the 64-bit version of MSERT.exe . Be sure you save the file first
https://definitionupdates.microsoft.com/download/DefinitionUpdates/safetyscanner/amd64/MSERT.exe

Upon completion of the save, Launch MSERT.exe
Accept the agreement terms of Microsoft
Select CUSTOM scan
Look on Scan Options & select CUSTOM scan & then select the C drive to be scanned.

Then start the scan. Have lots of patience. Once you start the scan & you see it started, then leave it be.

Once you see it has started, take a long long break; walk away. Do not pay credence if you see some intermediate early flash messages on screen display. The only things that count are the End result at the end of the run.
Again, any on-screen display about repeat 'infection' is not to be relied on. Ignore those.
We only rely on the end result that is on the log-report-file.

This is likely to run for many hours ( depending on number of files on your machine & the speed of hardware.)

The log is named MSERT.log

the log will be at

Windows\debug\msert.log
Please attach that log with your reply

[cyberthegod]

it said it detected 26 threats while running but said there were no threats at the end

msert.log

[Maurice Naggar]

What counts is what is logged in the report MSERT.log.  You have uploaded that report. it found NO actual malware. I ask that you not fixate on the display quirk of that tool. That display quirk is the single regretful fauture of MSERT. 

It is normal for the Microsoft Safety Scanner to show detections during the scan process on the screen itself.

It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.

Then it writes into the log on your computer what it found.

The Microsoft Safety Scanner found no virus, no trojan, no malware.

Microsoft Safety Scanner v1.385, (build 1.385.198.0)
Started On Thu Mar 16 13:49:05 2023

Engine: 1.1.20100.6
Signatures: 1.385.198.0
MpGear: 1.1.16330.1
Run Mode: Interactive Graphical Mode

Results Summary:
----------------
No infection found.
Successfully Submitted MAPS Report
Successfully Submitted Heartbeat Report
Microsoft Safety Scanner Finished On Thu Mar 16 14:21:56 2023

 

This is a good point to emphasize not playing online games or games in general, while the case is on-going.
I would also emphasize to reduce the auto-started applications that start with Windows down to the absolute minimum. Which would basically be just security applications.
Apply these principles now from the following How-to
How to perform a clean boot in Windows
https://support.microsoft.com/en-us/help/929135/how-to-perform-a-clean-boot-in-windows

[cyberthegod]

Okay I’ve had my computer in clean boot mode for a few days what’s the next step?