
Hello Rockstart101, welcome.

My name is Maurice. Kindly advise as to just what is reporting "virtool32"; that I would surely like to know. Is the IObit Malware Fighter 10 a paid-for, licensed one? If you did not pay for it, I would request / highly urge that you uninstall it.

What I see so far is that Microsoft Defender antivirus has issues (likely due to having the IObit program). Microsoft Defender is seemingly failing to update. A few other Windows services (such as the Cryptographic Services service) are having issues. However, this system is very lightly populated as far as installed applications.


Hi Maurice, 

I do pay for IObit Malware Fighter, Uninstaller and Defrag Pro. Windows Defender had always been infected since I had installed it. I had paid for Microsoft 365 and it had been a problem since. I know for a fact it's an A-RAT trojan, as it has infected my whole network and every phone device. I have tried multiple programs over and over and nothing but a few pick something up but do nothing. I had so many pictures and videos only to have them deleted, showing different sections and programs they have a hold of. I've lost and reset the OS on different devices far too many times now. I've been trying to keep the program downloading to a minimum because it just keeps taking complete control and I'm denied access. Hyper-V-Module is an aid for them as I am learning Microsoft modules, Azure and many others. The phones have syslinks and many of the same programs as the computers do. All connected and handled by many different handlers. I just need a solution.


Be aware that I cannot help you on any non-Windows devices (such as your phone or any Android device). I can only help you on this Asus VivoBook with Windows 11.

I will guide you along on looking for actual malware. Let's keep these principles as we go along.

  • Removing malware can be unpredictable
  • Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Only run the tools I guide you to.
  • Do not run online games while case is on-going. Do not do any free-wheeling web-surfing.
  • The removal of malware isn't instantaneous, please be patient.
  • Cracked, hacked or pirated programs are not only illegal, but will also make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryptions and at times also a big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
  • Please stick with me until I give you the "all clear".
  • If your system is running Discord, please be sure to Exit out of it while this case is on-going.

Take these actions so that Windows 11 is set to show all hidden files and folders.

Open File Explorer from the taskbar.

Select View > Show > Hidden items.

Select View > Show > File name extensions.

Now a different scan with another security scanner: the Kaspersky KVRT tool.

Download Kaspersky Virus Removal Tool (KVRT) from here: https://www.kaspersky.com/downloads/thank-you/free-virus-removal-tool and save to your Desktop.

Next, Select the Windows Key and R Key together, the "Run" box should open.


Drag and Drop KVRT.exe into the Run Box.


C:\Users\rocki\DESKTOP\KVRT.exe will now show in the run box.


Add a space and then -dontencrypt after the path. Note the space between KVRT.exe and -dontencrypt:

C:\Users\rocki\DESKTOP\KVRT.exe -dontencrypt

should now show in the Run box. That addendum to the run command is very important.


To start the scan, select OK in the "Run" box.

The "Windows protected your PC" window may open. IF SO, select "More info".

A new window will open; select "Run anyway".

An EULA window will open; tick both confirmation boxes, then select "Accept".

In the new window select "Change Parameters".

  • In the new window ensure the following boxes are ticked:
    • System memory
    • Startup objects
    • Boot sectors
    • System drive
  • Then select "OK" and "Start scan".

The Kaspersky tool is very thorough, so it will take a considerable time to complete; please allow it to finish. Also, while Kaspersky runs, do not use your PC for anything else.

  • When completed: if entries are found, there will be options to choose. If "Cure" is offered, leave it as it is. For any other options change to "Delete", then select "Continue".
  • Usually, your system needs a reboot to finish the removal process.
  • Log files can be found on your system drive (usually C:), similar to this:

Reports are saved in C:\KVRT_data\Reports and look similar to report_20230417_103000.klr

  • Right-click directly on those reports and select Open with > Notepad.
  • Save the files and attach them to your next reply.

We will do more tasks / scans / reports later. Keep in mind I am a volunteer here & that I am not here all the time.

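The Run-box procedure above, done from PowerShell instead. This is an added example and is not part of the original post or of Kaspersky's own documentation; it assumes KVRT.exe was saved to the current user's Desktop, as in the post, and that the report folder is the C:\KVRT_data\Reports the helper names. The signature check is an extra step a practitioner would take before running any downloaded executable.

```powershell
# Added example (not from the original thread): launch KVRT with the
# -dontencrypt switch the helper asks for, wait for it to close, then
# show the newest report so it can be attached to the reply.
# Assumption: KVRT.exe was saved to the current user's Desktop.

$kvrt = Join-Path ([Environment]::GetFolderPath('Desktop')) 'KVRT.exe'
if (-not (Test-Path $kvrt)) { throw "KVRT.exe not found at $kvrt" }

# Confirm the file carries a valid Authenticode signature before running it;
# a tampered or fake download would fail this check.
$sig = Get-AuthenticodeSignature -FilePath $kvrt
"Signer: $($sig.SignerCertificate.Subject)  Status: $($sig.Status)"
if ($sig.Status -ne 'Valid') { throw 'Signature is not valid; do not run this file.' }

# Same as typing  C:\Users\<you>\Desktop\KVRT.exe -dontencrypt  in the Run box.
# -Wait blocks until the KVRT window is closed.
Start-Process -FilePath $kvrt -ArgumentList '-dontencrypt' -Wait

# KVRT writes its reports under C:\KVRT_data\Reports (per the post); with
# -dontencrypt they are plain text and open in Notepad.
$reports = 'C:\KVRT_data\Reports'
$latest  = Get-ChildItem -Path $reports -Filter '*.klr' -ErrorAction Stop |
           Sort-Object LastWriteTime -Descending | Select-Object -First 1
"Newest report: $($latest.FullName)"

# Pull the one-line summary (Processed / Found / Neutralized counts) that the
# helper quotes later in the thread.
Select-String -Path $latest.FullName -Pattern 'Processed=|Found=|Neutralized=' |
    ForEach-Object { $_.Line }
```

If the signature status prints anything other than Valid, stop and re-download the tool from the Kaspersky page linked above rather than overriding the check.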

Quoting the KVRT report:

"Scan" Processed="354846" Found="0" Neutralized="0"

Kaspersky KVRT found no virus, no trojan, no malware.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted items from a system. This tool does not install; it is run on demand.

This link is for the 64-bit version of MSERT.exe. Be sure you save the file first:
https://definitionupdates.microsoft.com/download/DefinitionUpdates/safetyscanner/amd64/MSERT.exe

Upon completion of the save, launch MSERT.exe.
Accept the Microsoft agreement terms.
Look in Scan Options, select CUSTOM scan, and then select the C drive to be scanned.

Then start the scan. Have lots of patience. Once you start the scan & see that it has started, leave it be: take a long break and walk away. Do not pay credence to any intermediate early flash messages on the screen display. The only thing that counts is the end result at the end of the run.
Again, any on-screen display about repeat "infection" is not to be relied on. Ignore those.
We only rely on the end result that is in the log report file.

This is likely to run for many hours (depending on the number of files on your machine & the speed of the hardware).

The log is named MSERT.log and will be at Windows\debug\msert.log on the C drive.
Please attach that log with your reply.

It is normal for the Microsoft Safety Scanner to show "detections" on the screen during the scan process.

It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service, which then uses Artificial Intelligence to determine whether any of the traces are in fact an infection.


What matters most is that the Microsoft Safety Scanner (a great scanner that scans for viruses, trojans & other malware) reports no infection. It found nothing as far as actual threats.

Results Summary:
----------------
No infection found.
Successfully Submitted MAPS Report
Successfully Submitted Heartbeat Report
Microsoft Safety Scanner Finished On Sun Apr 16 18:05:55 2023

As a next step, I suggest a scan with ESET Online Scanner (free). ESET is a well-respected, well-known entity and tool.

This you can start &, once it is under way, leave the machine alone & let it run overnight. No need to keep watch once the actual scan run has started.

This will be a check with ESET Online Scanner for viruses, other malware, adware & potentially unwanted applications.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

It will start a download of "esetonlinescanner.exe"

  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double-click it to get it started.
  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes.
  • When prompted for scan type, click on CUSTOM scan and select the C drive to be scanned.
  • Look at & tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications".
  • Click on the Start scan button.

Have patience. There is an initial update download, and the entire process may take an hour or more; it may run for several hours. There is a progress window display. Once it is under way you may step away from the machine & let it run.

  • At screen "Detections occurred and resolved" click on blue button "View detected results"
  • On next screen, at lower left, click on blue "Save scan log"
  • View where file is to be saved. Provide a meaningful name for the "File name:"
  • On last screen, set to Off (left) the option for Periodic scanning
  • Click "save and continue"
  • Please attach the report file so I can review

2023-04-17 11:10:28 AM
Files scanned: 171852
Detected files: 0
Cleaned files: 0
Total scan time: 00:40:20
Scan status: Finished

ESET reports having found no threats: no virus, no trojan, no malware. I go by the bottom-line reported results from known Windows security applications & scanners.

Malwarebytes can detect and remove most malware with no further actions required for free.

Please download, install and update Malwarebytes:

https://support.malwarebytes.com/hc/en-us/articles/360038479134-Download-and-install-Malwarebytes-for-Windows

and do a Threat Scan with Malwarebytes https://support.malwarebytes.com/hc/en-us/articles/360038984773

and post back the log as shown below.

Then locate the scan run report, export a copy, & attach it to your reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

 


Hey Maurice,

I am using my phone right now to reply since my laptop acted up after my last run with Malwarebytes. It wouldn't load at all and now my boot is gone. In the process right now of restoring it without losing the data. Until then, just have a look at some of the files; I don't know if you saw them on the laptop from the scan reports. Three of the photos I came across while browsing on Indeed. They didn't look like something that would be on there. I had videos too but they couldn't and wouldn't load anywhere, even on online MP4 compress websites. My phone screenshot shows that there is definitely a R.A.T. present on the device.

Attached: Vacation.zip


Get hold of a USB thumb/flash drive of 8 GB or larger that can be repurposed (one that has nothing on it that you need, i.e. that can be reformatted for a special new purpose), so that you can do all the steps outlined in this article and video:

https://forums.malwarebytes.com/topic/272765-run-farbar-recovery-scan-tool-frst-from-recovery-mode-on-windows-10/

You will run the Farbar FRST64 report tool (again, as per that article AND the linked video).
When all is completed, attach the FRST.txt report so I can review it.


You had said yesterday:

Quote: "It wouldn't load at all and now my boot is gone. In the process right now of restoring it without losing the data."

What is the current status on usability of Windows?

NOTE: The HTML image copies are just snippets of HTML page code for something or other. Those may be HTML-based email messages. That is not infectious. The images of sections of the registry likewise are not "malicious infections". In fact, what is shown on the "reg.file entries2" image is quite normal. Please understand that we / I rely on known & trusted security tools like Malwarebytes & other known & trusted security apps to check a system for infection. Let me know what the current availability status is for Windows.

I am very much looking for a FRST report once you have done the procedure listed in my prior reply https://forums.malwarebytes.com/topic/296916-months-of-a-rat-virtoolwin32-infectionsmh/?do=findComment&comment=1563790


Hello. At this point, I have several questions.
Did you boot the PC off the USB made with the Microsoft Media Creation Tool (MCT)?
It looks like this report was run with Windows in normal mode.

I had hoped to get a FRST after the machine was rebooted off the USB flash drive and into Windows Recovery mode, followed by a run of FRST.
These FRST reports are from normal mode, and also this is a Windows 10 operating system.

When was the ESET Security program installed?
Can you start ESET Security and do a full scan with it?

This system almost looks like it has had an operating system re-install; BUT this has ESET & the original did not.

This system seems to have something called iTop VPN, seemingly installed on the 19th.

You appear to have made some program additions without first checking with me. That is contrary to a basic principle I asked to be kept.

I must ask this: Is this machine a home-use type personal computer? OR is this system used in a business or organization network?


Hi, this is a home network and I was trying to boot it off the same USB I had installed it with in the first place. The ESET was installed because you asked to have a scan with that on Monday. I can't use it anymore as it now has missing files that I cannot download; blocked. I know it's Windows 10 now, but, weird to say, it's the same USB, just now it says 10. Before it was Windows NT. I could tell you some pretty unbelievable things that have happened in the last year dealing with this. I still think it would be right crazy if it didn't happen to me. The laptop is right quiet right now, which means when I reboot it will most likely give me another hard time. Just 25 mins ago it was on all processors and at 100%-135% CPU. I've never seen it go that high before. I have attached a few more pictures; if you could give me some feedback that would be great, and if the laptop doesn't act up I will get that report for you. I did what was asked but as you can see it looks like I didn't.

Attached: 20230421_101358.jpg, 20230421_101252.jpg, 20230421_101340.jpg, 20230421_100841.jpg, 20230421_100933.jpg


  • I have to be clearer with you. Please do not go hither and yon into the Registry. Stay out of it. All these snapshots are not helpful.
  • I think it is past time to do a true, real CLEAN operating system rebuild from scratch. During that process I urge you, when and if prompted, to keep "nothing" of any applications, programs, or even user files.
  • IF, and only if, you have documents or personal files that you do not have on backup media of some kind, then take a few minutes to copy them onto removable backup media or cloud backup (for example, if you have a Google account).
  • In the procedures below, I urge you to select the option "Remove everything".
  • Here is the link to the guide article https://www.tenforums.com/tutorials/4130-reset-windows-10-a.html
  • I suggest you follow OPTION ONE, "To Reset Windows 10 at Boot".
  • Hopefully this would result in a new clean Windows operating system.
  • Later on, way later on, if desired, you may consider doing a manual on-demand visit to Microsoft Windows Update to see if there is an offer to upgrade to the latest Windows 11.
  • Just do not go off on your own to seek, hunt for, or add any non-Microsoft-provided applications.
  • I list these procedures here because this is something do-able & a viable way to get a new clean working Windows. That is the main first goal.

Alright, this is nothing I haven't done already many times over. I will do it to show you that this persistent R.A.T. oversees everything and survives clean, fresh installs. I was only showing photos to see if you could see anything out of the ordinary. I'm concerned about the deep cores since at one point I saw over 200+. A lot of R.A.T.s are out there and I just don't want it to be a NanoCore. I can't even log into my router site, but I will begin this immediately and get back to you.


  • A. I understand what you are saying. I regret all the troubles you have run into.
  • B. But I feel compelled to say that if the end result is not a clean new working Windows, then you went astray somewhere; you took some turn or misstep that leads to a bad setup.
  • C. Go very carefully, very slowly. Ensure you fully digest the goal and methods of the article.

Just simply post after it is all completed. I do hope you did pick "Keep nothing". Do not, on your own, set up, add, or install any "stuff". Once Windows is back and running, I only want a REPORT set.

This is a report only.

(1) Please download the Malwarebytes MBST Support Tool.

Once you start it, click Advanced >>> then Gather Logs.

Have patience till the run has finished.
Attach the mbst-grab-results.zip from the Desktop to your reply.

(2) This report also.

Temporarily disable Microsoft SmartScreen to download the next software below.

I would recommend getting a readout report as to the update status of some key apps.
Download SecurityCheck by glax24 from here and save the tool on the desktop.

If Windows SmartScreen blocks it with a message window, click on the MORE INFO spot, override that and allow it to proceed. This tool is safe; SmartScreen is overly sensitive.

Right-click with your mouse on SecurityCheck.exe and select "Run as administrator", and reply YES to allow it to run & go forward.
Wait for the scan to finish. It will open a text file named SecurityCheck.txt. Close the file and attach it with your next reply.
You can find this file in a folder called SecurityCheck: C:\SecurityCheck\SecurityCheck.txt

When all done, you may go back to turn ON the Edge SmartScreen protection.


Perfect. Excellent. Fresh new setup of Windows 11 with build 22H2. All good. Microsoft Defender antivirus is on and protecting the system. Before you do anything else, make a full BACKUP of this system to Offline backup media ( or to Cloud-based backup)

Here is a how-to-guide https://forums.malwarebytes.com/topic/136226-backup-software/

FOR "after" the backup, a set of "Best Practices" for safety. 

  • Let me suggest that you get the Malwarebytes Browser Guard for each of your browsers, as applicable.

See Support article how-to
https://support.malwarebytes.com/hc/en-us/articles/360038520374-Install-Malwarebytes-Browser-Guard

For the EDGE browser https://support.malwarebytes.com/hc/en-us/articles/4413298736787-Install-Malwarebytes-Browser-Guard-on-Microsoft-Edge-browser

  • Since this pc does not have Malwarebytes ( for Windows), then I would suggest you consider getting the Malwarebytes Anti-Exploit Beta 1.13 Build 521.

See this post https://forums.malwarebytes.com/topic/205865-malwarebytes-anti-exploit-113-build-521-released-jan26-2023/
Save the download. Then run the exe to begin its setup.

SAFETY TIPS:

Backup is your best friend.  Keep backups of your system on a regular basis to offline storage & keep those safe. https://forums.malwarebytes.com/topic/136226-backup-software/

It is not enough to just have a security program installed. Each pc user needs to practice daily safe computer and internet use.

Best  practices & malware prevention:
Follow best practices when browsing the Internet, especially on opening links coming from untrusted sources.
First rule of internet safety: slow down & think before you "click".
Never click links without first hovering your mouse over the link to see whether it goes to an odd address (one that does not fit, looks odd, or has typos).

Free games & free programs are like "candy". We do not accept them from "strangers".

Never open attachments that come with unexpected ( out of the blue ) email no matter how enticing.
Never open attachments from the email itself. Do not double click in the email. Always Save first and then scan with antivirus program.

Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed.
Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next".

Use a Standard user account rather than an administrator-rights account when "surfing" the web.
See more info on Corrine's SecurityGarden Blog http://securitygarden.blogspot.com/p/blog-page_7.html

Only using the Standard-access-level user account when surfing and downloading / installing would have been a tremendous way to prevent the infections of this machine.

Don't remove (or change) your current login. Just use the new Standard-user-level one for everyday use while on the internet.

Keep your system and programs up to date. Many programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched prevents attackers from being able to exploit them to drop malware.

For other added tips, read "10 easy ways to prevent malware infection".

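The "use a Standard user account" tip above, as an added example that is not part of the original post: creating the everyday account from an elevated PowerShell prompt with the built-in LocalAccounts cmdlets and verifying that it holds no administrator rights. The account name "Daily" is an assumption; the existing administrator login is left untouched, as the tip says.

```powershell
# Added example (not from the original thread): create the everyday
# Standard user the safety tips recommend and confirm it is not an
# administrator.  Run once from an elevated PowerShell prompt.
# Assumption: 'Daily' is the account name; choose your own.

$name     = 'Daily'
$password = Read-Host -Prompt "Password for $name" -AsSecureString

# Create the account only if it does not already exist.
if (-not (Get-LocalUser -Name $name -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $name -Password $password -FullName 'Everyday use' `
                  -Description 'Standard account for browsing and email' | Out-Null
}

# A standard account is a member of Users and NOT of Administrators.
# Both calls are harmless if the membership is already as intended.
Add-LocalGroupMember    -Group 'Users'          -Member $name -ErrorAction SilentlyContinue
Remove-LocalGroupMember -Group 'Administrators' -Member $name -ErrorAction SilentlyContinue

# Show who holds admin rights on this machine.  The list should be short:
# your original login plus the built-in Administrator (which stays disabled).
"Administrators:"
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource

$isAdmin = [bool](Get-LocalGroupMember -Group 'Administrators' |
                  Where-Object { $_.Name -like "*\$name" })
"$name is a standard user: $(-not $isAdmin)"
```

Sign in as the new account for day-to-day browsing and mail; when an installer needs elevation, Windows will prompt for the administrator account's password rather than running silently with full rights.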

Hello. How is the Windows system this Sunday ?  I expect all is well. 

Do a custom scan with Microsoft Defender Antivirus 

Just want to do a visual check in Windows Security to see (visually) that Microsoft Defender is on , and to do a Custom scan.

From the Windows Start menu, select Settings, then select Update and Security.

Next, look at the left-side menu & select Windows Security

Next, In Windows Security section: Click on the grey button Open Windows Security

Now, click on the shield Virus and threat protection

Look to see that Microsoft Defender is shown & available for use.

On the next display, look at all the options. Look down the list and find "Check for updates".

Click on that to have the system check for updates for Microsoft Defender. Watch & wait for that to complete.

Please also note that all the scan options can be displayed by clicking on Scan options. Click that, select CUSTOM scan, then pick the C drive & have it go forward.

Once it has started the scan phase, you can go take a long break. Let me know the results.

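The same Defender check-up from the command line, as an added example that is not part of the original post or of Microsoft's documentation. It uses the Defender PowerShell module that ships with Windows 10/11 and must be run from an elevated prompt. The two-day signature-age threshold is an assumption chosen here; the service names are the ones the first post in the thread mentioned as having issues (Cryptographic Services) plus the services Defender updates depend on.

```powershell
# Added example (not from the original thread): the checks the helper does
# by clicking through Windows Security, done with the built-in Defender
# module from an elevated PowerShell prompt.

# 1. Is Defender on, and when did it last update?  The first post said
#    Defender was failing to update, so the signature age is the key number.
$status = Get-MpComputerStatus
$status | Select-Object AMServiceEnabled, AntivirusEnabled, RealTimeProtectionEnabled,
                        AntivirusSignatureVersion, AntivirusSignatureLastUpdated |
          Format-List

if (-not $status.AntivirusEnabled) {
    Write-Warning 'Defender antivirus is not enabled (another AV may be registered as primary).'
}
$age = (Get-Date) - $status.AntivirusSignatureLastUpdated
if ($age.TotalDays -gt 2) {   # assumed threshold; Defender normally updates daily
    Write-Warning ("Signatures are {0:N0} days old; updates are not getting through." -f $age.TotalDays)
}

# 2. Services Defender and Windows Update depend on.  CryptSvc is the
#    Cryptographic Services service the first post flagged; all should be Running.
Get-Service -Name WinDefend, CryptSvc, wuauserv, BITS |
    Select-Object Name, Status, StartType | Format-Table -AutoSize

# 3. "Check for updates", then the custom scan of the C drive the post asks for.
#    Start-MpScan blocks until the scan finishes; a whole-drive scan takes a while.
Update-MpSignature
Start-MpScan -ScanType CustomScan -ScanPath 'C:\'

# 4. The bottom line: anything detected?  No output here means nothing was found.
Get-MpThreatDetection |
    Select-Object InitialDetectionTime, ProcessName, Resources, ThreatID |
    Format-Table -AutoSize
```

If step 1 shows old signatures and step 2 shows CryptSvc or wuauserv stopped, start those services first; Defender fetches its updates through Windows Update and cannot verify them while Cryptographic Services is down.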
