Help creating a Fixlist for Windows 11 using FRST


Hello,

Please excuse any ignorance on my part of this process, but I am a relative beginner, which is why I am seeking help here. My laptop running Windows 11 has been problematic. I have re-installed Windows many times but seem to have persistent files that slowly but surely lock me out of my system and change permissions. I believe my install is clean this time but would like assurance using FRST. I thought the tool would assess and fix on its own, but I see now I need to assemble a fixlist, and my hope is that someone here might help me to do just that. Thank you in advance for any assistance offered.

Atlas99

Addition.txt FRST.txt


Hello. First questions. Have you run a scan with Microsoft Defender antivirus? Have you run a scan with Malwarebytes? What were the results?

What files or lockout or permissions issues are there? Specifics would be helpful.

Edited by Maurice Naggar

Hello @Atlas99 The FRST reports do NOT show indications of any infection.

Please set File Explorer to SHOW ALL folders, all files, including Hidden ones. Use OPTION ONE or TWO of this article
Please use this Guide

 ( 2 )

Please run the following custom script. Read all of this before you start. Please Close all open work.

Farbar program: FRST64.exe. The tool is already in Downloads. We will use it to run a custom script.

Please download the attached fixlist.txt file and save it to Downloads folder

Fixlist.txt < - - -

NOTE. It's important that both files, FRST64, and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Use File Explorer to go to the Downloads folder

RIGHT-Click on FRST64 and select

RUN as Administrator

and reply YES to allow it to go forward to start.

That is important so that this run has Elevated Administrator rights !!

NEXT press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
The tool will make a log in the Downloads folder (Fixlog.txt). Please attach or post it in your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt, and attempt to correct any invalid files. It will reset the Winsock. It will run some scans with Microsoft Defender antivirus. It will attempt to clear all cache and history on web browsers. It will also turn on the Windows System Restore service (which is currently off). Depending on the speed of your computer, this fix may take 40-50 minutes or more.

The system will be rebooted after the fix has run. Attach FIXLOG.txt with next reply.  👈


Ok. I attempted to reply this morning to

Hello, thank you for taking the time. Yes, I have run a scan with both Microsoft Defender and Malwarebytes multiple times on several different installations. Only twice were there any issues detected, and even those were minor. In general: the slowly receding access, my browser becomes redirected, antivirus sites become inaccessible, I lose access to regedit and anything to do with the Group Policy. I then become a user rather than an admin on my account. At least one "unknown account" pops up and my abilities in the terminal become restricted. Programs become renamed so I can no longer run them from PowerShell, and my login options change. When I reinstalled the first few times there were persistent files that kept making an appearance and were not deletable. Lastly, my firewall rules were often changing and it would become so I did not have access to change them back. I have run ESET, Malwarebytes, CCleaner, Spybot, Glarysoft etc.... the only programs that turned up anything significant were Spybot and Glarysoft. I would then attempt to fix and reinstall. This is the first time my laptop seems to be working properly and I have the access I should.


Please run the custom-script fix I listed before. Also, do not make any changes, additions or tweaks on your own.

https://forums.malwarebytes.com/topic/296302-help-creating-a-fixlist-for-windows-11-using-fsrt/?do=findComment&comment=1560745

Attach FIXLOG.txt with next reply.  👈

Edited by Maurice Naggar

Hello. Thank you for the Fixlog report & this other file. 

Please run the following steps and post back the logs as an attachment when ready
STEP 01

  • If you already have Malwarebytes installed then open Malwarebytes and click on the Scan button. It will automatically check for updates and run a Threat Scan.
  • If you don't have Malwarebytes installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and select Scan and let it run.
  • Once the scan is completed make sure you have it quarantine any detections it finds.
  • If no detections were found, click on the Save results drop-down, then the Export to TXT button, and save the file as a Text file to your desktop or other location you can find, and attach that log on your next reply.
  • If there were detections, then once the quarantine has completed click on the View report button, then click the Export drop-down, then the Export to TXT button, and save the file as a Text file to your desktop or other location you can find, and attach that log on your next reply.
  • If the computer restarted to quarantine, you can access the logs from the Detection History, then the History tab. Highlight the most recent scan and double-click to open it. Then click the Export drop-down, then the Export to TXT button, and save the file as a Text file to your desktop or other location you can find, and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know in your next reply that the scanner would not run.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Double-click to run the program
  • Accept the End User License Agreement.
  • Wait until the database is updated.
  • Click Scan Now.
  • When finished, if items are found please click Quarantine.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Attach or Copy its content into your next reply.
Edited by Maurice Naggar

Thank you. The Adwcleaner found no adware, no threats.
The Malwarebytes scan is perfectly fine. No malware; no threats.
Do the following:
[ 1 ]
Start Malwarebytes. Click the Settings (gear) icon. Next, let's make real sure that Malwarebytes does NOT register with Windows Security Center.

Click the Security Tab. Scroll down to

"Windows Security Center"

Click the selection to the left  for the line "Always register Malwarebytes in the Windows Security Center".
{ We want that to be set as Off   .... be sure that line's  radio-button selection is all the way to the Left.  thanks. }

This will not affect any real-time protection of the Malwarebytes for Windows    😃.

Close Malwarebytes.

[ 2 ]
 The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted items from a system. This tool does not install. It is run on-demand.

This link is for the 64-bit version of MSERT.exe. Be sure you save the file first.
https://definitionupdates.microsoft.com/download/DefinitionUpdates/safetyscanner/amd64/MSERT.exe

Upon completion of the save, Launch MSERT.exe
Accept the agreement terms of Microsoft
Select CUSTOM scan
Look on Scan Options & select CUSTOM scan & then select the C drive to be scanned.

Then start the scan. Have lots of patience. Once you start the scan & you see it started, then leave it be.

Once you see it has started, take a long, long break; walk away. Do not pay credence if you see some intermediate early flash messages on the screen display. The only thing that counts is the end result at the end of the run.
Again, any on-screen display about repeat 'infection' is not to be relied on. Ignore those.
We only rely on the end result that is on the log-report-file.


This is likely to run for many hours ( depending on number of files on your machine & the speed of hardware.)

The log is named MSERT.log

the log will be at

Windows\debug\msert.log
Please attach that log with your reply

It is normal for the Microsoft Safety Scanner to show 'detections' during the scan process on the screen itself.

It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.

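The checks behind the steps in this thread (the elevated run and the Defender scans and System Restore change from NOTE-1, the Security Center registration from step [1], and the Windows\debug\msert.log detection names from step [2]), gathered into one read-only PowerShell report. This is an added example, not code from the thread or from FRST, Malwarebytes or MSERT; it assumes an elevated Windows PowerShell 5.1 session, and the RPSessionInterval/DisableSR registry values, the Defender event ID and the detection-name pattern are assumptions marked in the comments.

```powershell
# Added example: read-only post-fix report for the steps in this thread.
# Assumption: Windows PowerShell 5.1 on Windows 11, started with "Run as Administrator".
function Get-PostFixReport {
    $r = [ordered]@{}

    # The thread stresses that FRST64 must run elevated; confirm this session is.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $r.Elevated = (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    # Poster reported losing admin rights and an "unknown account": list local Administrators.
    # A member whose Name is a bare S-1-5-... SID is an account Windows can no longer resolve.
    $r.Administrators = Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource

    # Products registered with Windows Security Center (step [1] asks that Malwarebytes is NOT).
    $r.SecurityCenterAV = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct |
        Select-Object displayName, productState

    # Defender: the fix ran Defender scans; show last completed scan times and recent detections.
    $mp = Get-MpComputerStatus
    $r.DefenderRealTime = $mp.RealTimeProtectionEnabled
    $r.LastQuickScanEnd = $mp.QuickScanEndTime
    $r.LastFullScanEnd  = $mp.FullScanEndTime
    # Assumption: Defender Operational log event ID 1116 = malware detected.
    $r.DefenderDetections = Get-WinEvent -ErrorAction SilentlyContinue -MaxEvents 20 -FilterHashtable @{
            LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1116 } |
        Select-Object TimeCreated, Message

    # System Restore: the fix turns it on. Assumption: RPSessionInterval = 1 means enabled,
    # and the policy value DisableSR = 1 would force it off regardless of that setting.
    $srKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
    $polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
    $r.SystemRestoreEnabled        = (Get-ItemProperty $srKey  -ErrorAction SilentlyContinue).RPSessionInterval -eq 1
    $r.SystemRestorePolicyDisabled = (Get-ItemProperty $polKey -ErrorAction SilentlyContinue).DisableSR -eq 1
    $r.VssService = (Get-Service -Name vss).Status

    # MSERT: step [2] says the log is Windows\debug\msert.log and only the end result counts.
    # Assumption: detection names in the log use the Type:Platform/Family form seen in the thread
    # (e.g. HackTool:Win64/Mikatz!dha). Extract, de-duplicate and group them by platform so the
    # Win32/Win64 entries can be separated from AndroidOS/Linux/MacOS/PHP ones.
    $log = Join-Path $env:SystemRoot 'debug\msert.log'
    $pattern = '\b(?:TrojanDownloader|TrojanDropper|Trojan|Backdoor|Exploit|HackTool|VirTool|Virus|Ransom):[A-Za-z0-9_]+/[A-Za-z0-9_.!-]+'
    if (Test-Path $log) {
        $names = Select-String -Path $log -Pattern $pattern -AllMatches |
            ForEach-Object { $_.Matches.Value } | Sort-Object -Unique
        $r.MsertUniqueNames = @($names).Count
        $r.MsertByPlatform  = $names | ForEach-Object { ($_ -split '[:/]')[1] } |
            Group-Object | Sort-Object Count -Descending | Select-Object Name, Count
    } else {
        $r.MsertLog = "not found: $log"
    }
    [pscustomobject]$r
}

Get-PostFixReport | Format-List
```

Nothing here changes system state; it only reads group membership, Defender status, registry values and the MSERT log so the results can be compared against what the fix was supposed to do.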

I apologise for not responding sooner, but the last test you asked me to run kept being shut down halfway through, and then I was unable to connect to the internet. Everything was fine there for a minute and then it came crashing down all over again. When I finally was able to run the last test you spoke of, I could not save or download the results; all options to save were inaccessible. I finally just copied and pasted the thing. I have it listed below from copy-paste; it said next to each entry that it had been partially removed. I ran FRST an hour ago and I am attaching the results of that as well. I ran it the last time with "registry" in the input box and pressed the Search Registry button, so I will include that. I was looking around and found a few log files that were from scans or terminal sessions I did not run; I have included all of it. A recent development though: yesterday morning I read an article about Intune admin, and when I went to check it out it said that my admin said I was not authorized to view that content, to check with my admin, and then it kicked me out and said no internet connection. It seems like no matter what I do there is always someone else in control of my system, even when all the antivirus software says I'm clean as a whistle. Below is the output I could find from the MSERT log.


setupact.log NetSetup.LOG KernelAct.log


NOTE: If the copied entries from the Microsoft Safety Scanner log are from the very last run of that tool, then that is a way, way excessive number of infections, so the thing to do is a new clean install of Windows from ground zero. You should perhaps really think about that.

This next tool ought to take something in the range of 15-25 minutes tops, depending on hardware speed.
Get and run the Malwarebytes MBAR anti-rootkit tool and do one run with it.
Disregard the title subject of the topic. Run the MBAR tool as listed here:

https://forums.malwarebytes.com/topic/198907-requested-resource-is-in-use-error-unable-to-start-malwarebytes

  • when done, I need the MBAR logs.
  • Upon completion of the scan or after the reboot, two files named mbar-log.txt and system-log.txt will be created.
  • Both files can be found in the extracted MBAR folder on your Desktop.
  • Please attach both files in your next reply.

  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks
