junior271 Posted April 23, 2023 ID:1564349 Share Posted April 23, 2023 hi i think im infected im getting lots of windows defender pop ups about acces being denied for cmd.exe popwershell and few more on start up there is a screen in wich im supposed to choose system windows or trend micro clean boot FRST.txt Addition.txt Shortcut.txt Link to post Share on other sites More sharing options...
Maurice Naggar Posted April 23, 2023 ID:1564355 Share Posted April 23, 2023 Hello I will guide you along on looking for remaining malware. Lets keep these principles as we go along. Removing malware can be unpredictable Please don't run any other scans, download, install or uninstall any programs while I'm working with you. Only run the tools I guide you to. Do not run online games while case is on-going. Do not do any free-wheeling web-surfing. The removal of malware isn't instantaneous, please be patient. Cracked or or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed, is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure. Please stick with me until I give you the "all clear". If your system is running Discord, please be sure to Exit out of it while this case is on-going. Link to post Share on other sites More sharing options...
Maurice Naggar Posted April 23, 2023 ID:1564356 Share Posted April 23, 2023 Hi @junior271 Please begin by doing these steps. These are just the first ones. We will be doing many scans over a few different "sessions".( 1 ) Take these actions so that Windows 11 is set to show all hidden files and folders. Open File Explorer from the taskbar. Select View > Show > Hidden items. Select View → Show → File name extensions ( 2 ) DO the section "Part ONE / Perform a clean boot for Windows 11" see https://www.elevenforum.com/t/perform-a-clean-boot-in-windows-11-to-troubleshoot-software-conflicts.2787/ ( 3 ) The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted items from a system. This tool does not install. It is run on-demand. This link is for the 64-bit version of MSERT.exe . Be sure you save the file firsthttps://definitionupdates.microsoft.com/download/DefinitionUpdates/safetyscanner/amd64/MSERT.exe Upon completion of the save, Please make sure you Exit out of any other program you might have open so that the sole task is to run the following scan. That goes especially for web browsers, make sure all are fully exited out of and messenger programs are exited and closed as well Launch MSERT.exe Accept the agreement terms of Microsoft Select CUSTOM scan Look on Scan Options & select CUSTOM scan & then select the C drive to be scanned. Then start the scan. Have lots of patience. Once you start the scan & you see it started, then leave it be. Once you see it has started, take a long long break; walk away. Do not pay credence if you see some intermediate early flash messages on screen display. The only things that count are the End result at the end of the run. Again, any on-screen display about repeat 'infection' is not to be relied on. Ignore those. We only rely on the end result that is on the log-report-file. This is likely to run for many hours ( depending on number of files on your machine & the speed of hardware.) The log is named MSERT.log the log will be at Windows\debug\msert.log Please attach that log with your reply It is normal for the Microsoft Safety Scanner to show 'detections' during the scan process on the screen itself. It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection. That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not. Link to post Share on other sites More sharing options...
junior271 Posted April 23, 2023 Author ID:1564372 Share Posted April 23, 2023 msert.log Link to post Share on other sites More sharing options...
Maurice Naggar Posted April 23, 2023 ID:1564375 Share Posted April 23, 2023 Microsoft Safety Scanner v1.387, (build 1.387.1965.0) Results Summary: ---------------- No infection found. Successfully Submitted MAPS Report Successfully Submitted Heartbeat Report Microsoft Safety Scanner Finished On Sun Apr 23 22:16:46 2023 As a next step, I suggest the following: This is for a scan with ESET Onlinescanner (free). ESET is a well-respected, well-known entity and tool. This here you can start & once it is under way, you can leave the machine alone & let it run over-night. No need to keep watch once it starts the actual scan run. Next, This will be a check with ESET Onlinescanner for viruses, other malware, adwares, & potentially unwanted applications. Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe It will start a download of "esetonlinescanner.exe" Save the file to your system, such as the Downloads folder, or else to the Desktop. Go to the saved file, and double click it to get it started. When presented with the initial ESET options, click on "Computer Scan". Next, when prompted by Windows, allow it to start by clicking Yes When prompted for scan type, Click on CUSTOM scan and select C drive to be scanned Look at & tick ( select ) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on Start scan button. Have patience. The entire process may take an hour or more. There is an initial update download. There is a progress window display. You may step away from machine &. Let it be. That is, once it is under way, you should leave it running. It will run for several hours. At screen "Detections occurred and resolved" click on blue button "View detected results" On next screen, at lower left, click on blue "Save scan log" View where file is to be saved. Provide a meaningful name for the "File name:" On last screen, set to Off (left) the option for Periodic scanning Click "save and continue" Please attach the report file so I can review Link to post Share on other sites More sharing options...
junior271 Posted April 23, 2023 Author ID:1564384 Share Posted April 23, 2023 after runing eset pop ups started to show up about not being able to load driver ehdrv.sys and im not able to save log Link to post Share on other sites More sharing options...
junior271 Posted April 23, 2023 Author ID:1564385 Share Posted April 23, 2023 and im still getting those pop ups from powershell.exe and cmd.exe Link to post Share on other sites More sharing options...
Solution Maurice Naggar Posted April 24, 2023 Solution ID:1564397 Share Posted April 24, 2023 Did the ESET scanner finish? Let me know that. Below are the next steps to do. ( 1 ) Use File Explorer, fo to Downloads folder. Look for FRST64.exe With your mouse, do a RIGHT-click on FRST64.exe & select RENAME and rename the exe to FRSTENGLISH.exe and tap Enter-key to make the change ( 2 ) What follows is just the beginning first steps. We will be doing several tasks over several rounds. Please have lots of patience. Please run the following custom script. Read all of this before you start. Please Close all open work. Farbar program : is FRSTENGLISH.exe is already on this machine Please download the attached fixlist.txt file and save it to Downloads folder Fixlist.txt <-- - - - - NOTE. It's important that both files, FRSTENGLISH, and fixlist.txt are in the same location or the fix will not work. NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone. Use File Explorer to go to the Downloads folder RIGHT-Click on FRSTENGLISH and select RUN as Administrator and reply YES to allow it to go forward to start. That is important so that this run has Elevated Administrator rights !! NEXT press the Fix button just once and wait. If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Downloads folder (Fixlog.txt) . Please attach or post it to your next reply. Note: If the tool warned you about an outdated version please download and run the updated version. NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run scans with MS Defender antivirus. Depending on the speed of your computer this fix may take 50-55 minutes or more. NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. The following directories are emptied: Windows Temp Users Temp folders Edge, IE, FF, Chrome, and Opera + Brave caches, HTML5 storages, Cookies and History Recently opened files cache Discord cache Java cache Steam HTML cache Explorer thumbnail and icon cache Recycle Bin Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix. The system will be rebooted after the fix has run. Attach FIXLOG.txt with your next reply. Link to post Share on other sites More sharing options...
junior271 Posted April 24, 2023 Author ID:1564452 Share Posted April 24, 2023 yes the eset scan did finish. after when i started frstenglish.exe it showed failed to update 4 Link to post Share on other sites More sharing options...
Maurice Naggar Posted April 24, 2023 ID:1564464 Share Posted April 24, 2023 You can download & save a new copy of FRST64....be sure you save it. Then when that is so, delete old FRSTENGLISH.exe Then rename the newly downloaded FRST64.exe to FRSTENGLISH.exe Then when that is so, RE-run as listed the Fix run of my reply section ( 2 ) https://forums.malwarebytes.com/topic/297197-infected/?do=findComment&comment=1564397 Link to post Share on other sites More sharing options...
junior271 Posted April 24, 2023 Author ID:1564467 Share Posted April 24, 2023 Fixlog.txt Link to post Share on other sites More sharing options...
Maurice Naggar Posted April 24, 2023 ID:1564469 Share Posted April 24, 2023 The custom-fix-run is good. I wish to convey a reminder, as long as this case is open & on-going here, to NOT have anyone play any "games" on this machine. We have run scans with Microsoft Safety Scanner, plus ESET Onlinescanner. Now a different scan with another security scanner. This with Kaspersky KVRT tool. Download Kaspersky Virus Removal Tool (KVRT) from here: https://www.kaspersky.com/downloads/thank-you/free-virus-removal-tool and save to your Desktop. Next, Select the Windows Key and R Key together, the "Run" box should open. Drag and Drop KVRT.exe into the Run Box.C:\Users\barto\DESKTOP\KVRT.exe will now show in the run box. add -dontencrypt Note the space between KVRT.exe and -dontencryptC:\Users\barto\DESKTOP\KVRT.exe -dontencrypt should now show in the Run box. That addendum to the run command is very important. To start the scan select OK in the "Run" box. The Windows Protected your PC window "may" open, IF SO then select "More Info" A new Window will open, select "Run anyway" A EULA window will open, tick both confirmation boxes then select "Accept" In the new window select "Change Parameters" In the new window ensure the following boxes are ticked: System memory Startup objects Boot sectors System drive Then select "OK" and „Start scan“. The Kaspersky tool is very thorough so will take a considerable time to complete, please allow it to finish. Also while Kaspersky runs do not use your PC for anything else.. completed: If entries are found, there will be options to choose. If "Cure" is offered, leave as it is. For any other options change to "Delete", then select "Continue". Usually, your system needs a reboot to finish the removal process. Logfiles can be found on your systemdrive (usually C: ), similar like this: Reports are saved here C:\KVRT_data\Reports and look similar to this report_20230424_213000.klr Right click direct onto those reports, select > open with > Notepad. Save the files and attach them with your next reply Link to post Share on other sites More sharing options...
junior271 Posted April 24, 2023 Author ID:1564479 Share Posted April 24, 2023 report_2023.04.21_17.10.07.klr.enc1.txt report_2023.04.24_20.40.03.klr.txt Link to post Share on other sites More sharing options...
Maurice Naggar Posted April 24, 2023 ID:1564505 Share Posted April 24, 2023 Thank you. It appears that Kaspersky KVRT found no malware. Tell me, today or now, are there any warning advisories from Microsoft Defender antivirus ? You do know, do you not, that you can visually look on the visual GUI status display about Windows Security. From the Windows Start menu, select Settings, then select Update and Security. Next, look at the left-side menu & select Windows Security Next, In Windows Security section: Click on the grey button Open Windows Security Now, click on the shield Virus and threat protection Look to see the summary at the top of that screen. Link to post Share on other sites More sharing options...
junior271 Posted April 25, 2023 Author ID:1564550 Share Posted April 25, 2023 i can scroll throught this for like 5 min there are also many many more folders that got acess denied Link to post Share on other sites More sharing options...
Maurice Naggar Posted April 25, 2023 ID:1564584 Share Posted April 25, 2023 (edited) I would like a report set for review. This is a report only. Please download MALWAREBYTES MBST Support Tool Once you start it click Advanced >>> then Gather Logs Have patience till the run has finished. Attach the mbst-grab-results.zip from the Desktop to your reply.. Just by the way, the third screen-snapshot is about a .TMP file & it is not dangerous & is not a threat. That particular folder is a temporary work area. The first 2 screens are about work-folders for Microsoft Windows Update. They are not meant for viewing by a pc-user. There is no great need or call to worry. We will do some custom actions 'after' you post the report cited above. It would help me if you looked again on 1st screen-image & translate for me all those lines into English and provide that to me. Just the first screen you provided above. Edited April 25, 2023 by Maurice Naggar Link to post Share on other sites More sharing options...
Maurice Naggar Posted April 25, 2023 ID:1564588 Share Posted April 25, 2023 I did a manual typing and then fed it into Google translate. access to the protected folder has been blocked your administrator has blocked these actions apps or process blocked Yup. You should not be trying to mess with the sub-folder "Catroot" or "Catroot2". And if it is not you who is using powershell, then the report I asked for should help me for my review. Link to post Share on other sites More sharing options...
junior271 Posted April 25, 2023 Author ID:1564591 Share Posted April 25, 2023 its not me and history of those blocked acess went empty Link to post Share on other sites More sharing options...
junior271 Posted April 25, 2023 Author ID:1564592 Share Posted April 25, 2023 those warnings also went silent for now Link to post Share on other sites More sharing options...
Maurice Naggar Posted April 26, 2023 ID:1564696 Share Posted April 26, 2023 Hello, I would like a report set for review. This is a report only. Please download MALWAREBYTES MBST Support Tool Once you start it click Advanced >>> then Gather Logs Have patience till the run has finished. Attach the mbst-grab-results.zip from the Desktop to your reply.. Link to post Share on other sites More sharing options...
Maurice Naggar Posted May 30, 2023 ID:1569806 Share Posted May 30, 2023 Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Please review the following to help you better protect your computer and privacy Tips to help protect from infection Thank you Link to post Share on other sites More sharing options...
Recommended Posts