
Unable to update Windows 10 or access antivirus websites : Trojan & Adware


Go to solution Solved by AdvancedSetup,


I got infected after installing some PC utilities for Android on Windows 10.

The principal concern is that Windows Update hasn't been able to check for updates for approx. 20 days, since I installed the Malwarebytes trial.

Also, I found a now closed topic that seems to address a quasi-identical issue.

I am calling for help as in that topic the issue was happily solved!

MBFullScanReport04-23-23.txt Addition.txt FRST.txt

Link to post
Share on other sites

Hello @dgheorghiu  and  :welcome:

 

My name is MKDB and I will assist you.

 

 

Let's keep these principles as we proceed. Make sure to read the entire post below first.

  • Please follow the steps in the given order and post back the log files.
  • Please copy and paste all log files into your post.
  • Before we start, please make sure that you have an external backup, not connected to this system, of all private data.
  • Only run the tools I guide you to. Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • As English is not my native language, please do not use slang or idioms. It may be hard for me to understand.
  • If you do not respond within 4 days, your topic will be closed.
  • Cracked or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also a big source of current trojan infections. If you are running any kind of illegal software on your system, please uninstall it now, before we start the cleaning procedure.

 

Please give me some time to review your logfiles. I'll report back later.

Thank you!

Link to post
Share on other sites

Your system is heavily infected @dgheorghiu.

We will start with a FRST fix. This may take some minutes, so please be very patient.

More steps will follow.

 

 

 

 

Step 1

  • Please download the attached fixlist.txt file and save it to the location where you ran FRST from ( C:\Users\misu2\Downloads\ ).

Note: It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

  • Close all open programs and save your work.
  • Run FRST again.
  • Press the FIX button only once and wait.
  • Please be patient and do not interfere, even if FRST does not respond for some time. That's nothing to worry about.
  • Please note: This Fix will remove all temporary files, empty the recycle bin and remove cookies, and may result in some websites indicating they do not recognize your computer. It may be necessary to receive and apply a verification code.
  • Please note: This step resets your Firewall settings and you may be asked later to grant permission for legitimate programs to pass through the Firewall. If you recognize the program, agree to the request.
  • If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart.
  • FRST will create one log now (Fixlog.txt) in the same directory the tool is run.
  • Please attach this logfile to your next reply.

 

 

fixlist.txt

Edited by MKDB
Link to post
Share on other sites

Thanks @dgheorghiu.

 

Next, run a fresh scan with FRST as well as a scan with FSS, please.

So we can check the results.

 

 

Step 1

  • Run FRST again.
  • Do not change any settings.
  • Press the Scan button.
  • FRST will create two logs now (FRST.txt + Addition.txt) in the same directory the tool is run.
  • Please attach these logfiles to your next reply.

 

 

Step 2

Please download Farbar Service Scanner (FSS) and save it to your desktop.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
    • Other Services
  • Press the Scan button.
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please attach this logfile to your next reply.

 

 

Link to post
Share on other sites

Thanks for your feedback @dgheorghiu.

It seems that Windows Defender wrongly detects FSS as unwanted software. I'll ask Microsoft Research Team to whitelist the tool.

 

The malware has deleted / modified different windows services.

First, we are trying to repair the Windows Update service. Moreover, I would like you to run ESET as well.

 

 

Step 1

  • Please download the attached fixlist.txt file and save it to the location where you ran FRST from ( C:\Users\misu2\Downloads\ ).

Note: It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

  • Close all open programs and save your work.
  • Run FRST again.
  • Press the FIX button only once and wait.
  • Please be patient and do not interfere, even if FRST does not respond for some time. That's nothing to worry about.
  • If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart.
  • FRST will create one log now (Fixlog.txt) in the same directory the tool is run.
  • Please attach this logfile to your next reply.

 

 

Step 2

Let me have you run a different scanner to double-check. I don't expect it to find anything, but no harm in checking.

I would suggest a free scan with the ESET Online Scanner

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe".
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started. 
  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes.
  • When prompted for scan type, Click on Full scan
  • Look at & tick  ( select )   the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click on the Start scan button.
  • Have patience.  The entire process may take an hour or more. There is an initial update download.
  • There is a progress window display.
  • You should ignore all prompts to get the ESET antivirus software program.  (e.g. their standard program). You do not need to buy or get or install anything else.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.
  • Click The blue “Save scan log” to save the log.
  • If something was removed and you know it is a false finding, you may click on the blue “Restore cleaned files” (in blue, at the bottom).
  • Press Continue when all done. You should click to turn off the offer for “periodic scanning”.

Note: If you do need to do a File Restore from ESET please follow the directions below

[KB2915] Restore files quarantined by the ESET Online Scanner version 3

https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner

 

 

 

fixlist.txt

Link to post
Share on other sites

FRST worked out in a few seconds and after restarting it doesn't show that it's running any more, in my opinion.

I didn't want to restore the malware ESET found because I think they're not false ones, so I accepted that they be quarantined. Is the scan log not needed?

Windows Defender found some malware in the meantime, while ESET was running, and quarantined them.

Fixlog.txt ESSETONLINEscanlog.txt

Link to post
Share on other sites

You did a very good job @dgheorghiu.

There is no need to worry about those detections from ESET... those are only pointing to FRST quarantine, which means that they can't do damage anymore. The other detection is just a possible unwanted program.

Reboot your system and let me know if Windows update works again.

 

 

We need fresh logfiles from FRST and FSS to check the results.

Keep up the good work!

 

 

Step 1

  • Run FRST again.
  • Remove the checkmark in front of Services (see attachment).
  • Press the Scan button.
  • FRST will create two logs now (FRST.txt + Addition.txt) in the same directory the tool is run.
  • Please attach these logfiles to your next reply.

 

 

Step 2

Run FSS again.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
    • Other Services
  • Press the Scan button.
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please attach this logfile to your next reply.

 

 

services_whitelist_disable.jpg

Edited by MKDB
Link to post
Share on other sites

Hi @dgheorghiu,

thank you again for those logfiles.

 

I've found out that there are two more damaged windows services.

I would like to repair them as well to get your windows updates working again.

 

In order to prepare a correct fix, I would like you to delete the current FSS.exe and download a fresh/new copy of FSS from here:

https://www.bleepingcomputer.com/download/farbar-service-scanner/

Run FSS again (as reported before) and attach the newest logfile for me.

 

Moreover, please run FRST again, but do NOT remove the checkmark in front of Services.

Just run a "normal" scan, do not change anything.

 

Edited by MKDB
Link to post
Share on other sites

After completing the download of FSS.exe, the file could not be opened (the browser's downloads pop-up explicitly displayed an "attention" message): it was necessary to allow "the threat or file", which the OS suspected to be malware, by using the recommended actions in the Windows Security protection history.

Addition.txt FRST.txt FSS.txt

  • Like 1
Link to post
Share on other sites

@dgheorghiu

We will run a (I hope) final FRST fix to repair those services in order to get your Windows Update running again.

 

Step 1

  • Please download the attached fixlist.txt file and save it to the location where you ran FRST from ( C:\Users\misu2\Downloads\ ).

Note: It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

  • Close all open programs and save your work.
  • Run FRST again.
  • Press the FIX button only once and wait.
  • Please be patient and do not interfere, even if FRST does not respond for some time. That's nothing to worry about.
  • If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart.
  • FRST will create one log now (Fixlog.txt) in the same directory the tool is run.
  • Please attach this logfile to your next reply.

 

 

 

fixlist.txt

Link to post
Share on other sites

I ran the FRST tool in fix mode and, after it prompted for a restart, I followed the restart; after that completed, the Windows Update screen looked like 👇 (it was showing the updates list but couldn't download them).
I rebooted the OS again, as Windows Update was recommending as a fix for this ("Restart your device may help"), and after that the updates wouldn't download again.

But I tried an additional step which I had thought of ... the Windows Troubleshooting entry from Settings. After running the Windows Update Troubleshooter, it displayed that it had fixed an issue (which is listed below - view the screen capture attachment file), and then I documented the Troubleshooting process explanation: I copied/pasted the result into the attachment file "WinUpdateTroubleshooting2.txt".
I rebooted the system, and it can't download any updates at all either.

WinUpdateAfterRestart3.jpg

WinUpdateTroubleshooting.jpg

WinUpdateAfterRestart2.jpg

WinUpdateAfterRestart.jpg

WinUpdateTroubleshooting2.txt Fixlog.txt

Link to post
Share on other sites

@dgheorghiu

It's a shame that it still doesn't work. Troubleshoot was a good idea by you!

Can you give me some fresh FRST logfiles, please?

 

Step 1

  • Run FRST again.
  • Do not change any settings.
  • Press the Scan button.
  • FRST will create two logs now (FRST.txt + Addition.txt) in the same directory the tool is run.
  • Please attach these logfiles to your next reply.
Link to post
Share on other sites

Thanks @dgheorghiu

There seems to be a permission issue for the dosvc service. Maybe that's the reason why Windows update still does not work.

Please give me some time to talk with other experts.

Link to post
Share on other sites

Please try the following fix first using FRST @dgheorghiu and report back regarding your windows updates issue.

 

Step 1

  • Please download the attached fixlist.txt file and save it to the location where you ran FRST from ( C:\Users\misu2\Downloads\ ).

Note: It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

  • Close all open programs and save your work.
  • Run FRST again.
  • Press the FIX button only once and wait.
  • Please be patient and do not interfere, even if FRST does not respond for some time. That's nothing to worry about.
  • If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart.
  • FRST will create one log now (Fixlog.txt) in the same directory the tool is run.
  • Please attach this logfile to your next reply.

 

 

 

fixlist.txt

Edited by MKDB
Link to post
Share on other sites

  • Root Admin

Hello @dgheorghiu

Please run the following

 

Please download the following tool

Farbar Service Scanner and run it on the computer with the issue
http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/

 

Make sure the following options are checked:

  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center/Action Center
  • Windows Update
  • Windows Defender

Click "Scan"

It will create a log (FSS.txt) in the same directory the tool is run.
Please attach the log to your next reply.

 

Link to post
Share on other sites

Hello @AdvancedSetup!
I've done a net search about Delivery Optimization Services, and I found some interesting things, so I opened the Local Group Policy Editor - look at the attached screenshots: I found accordingly in the web page shown in the screenshots that this Download Mode for DOsvc is not set. Can I set it?

HowToDeliveryOptimization.jpg

HowToDeliveryOptimization2.jpg

HowToDeliveryOptimization3.jpg

HowToDeliveryOptimization4.jpg

FSS.txt

Link to post
Share on other sites

  • Root Admin
  • Solution

Please save the attached RepairServices.zip file to your computer @dgheorghiu

 

RepairServices.zip

 

Then visit the following site and download the following program

NirSoft - AdvancedRun
https://www.nirsoft.net/utils/advanced_run.html

Direct download link:
https://www.nirsoft.net/utils/advancedrun-x64.zip

 

[ 1 ]

Make a new folder.  C:\FIX

Then extract all the files from the RepairServices.zip file into the C:\FIX folder

[ 2 ]

Extract the advancedrun-x64.zip files to the C:\FIX folder as well

[ 3 ]

Disable any antivirus real-time protection and keep it off for now

[ 4 ]

If you're using the paid premium version of Malwarebytes, please open the program and click the small gear icon and go to Settings

Then go to Security and uncheck "Always register Malwarebytes" as shown below.

image.png

[ 5 ]

Open Windows Security - Manage settings and disable Real-time protection and Tamper Protection

[ 6 ]

Find the file AdvancedRun.exe and right-click over it and select "Run as administrator"

Under Program to run: click the 3 ... dots and select C:\Windows\System32\cmd.exe
Under Run As:  select TrustedInstaller as shown and click the Run button

image.png

 

In the DOS window, if you type in WHOAMI and press the Enter key, it should show you that you are now

nt authority\system

 

image.png

 

Now type in CD C:\FIX and press the Enter key. It should change directory to your C:\FIX folder, where you should have the files you extracted from the zip files.

 

[ 7 ]

Now Copy and Paste the following into the DOS window and press the Enter key. You should get a success message.

sc delete DoSvc

Now let's do this other one as well. Copy and Paste the following into the DOS window and press the Enter key

reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DoSvc" /f 

Next, assuming there were no errors, Copy and Paste the following into the DOS window and press the Enter key

reg import DoSvc.reg

 

Next, assuming there were no errors, Copy and Paste the following into the DOS window and press the Enter key

reg restore "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DoSvc" C:\FIX\DoSvc.HIV

 

[ 8 ]

Restart the computer now. Then check and see if you're able to check for Windows Updates and install them and let me know.

 

Thanks

 

  • Like 1
Link to post
Share on other sites
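
A check to run from an elevated PowerShell prompt before and after the DoSvc repair steps above, as an added example that is not part of the original posts or of the attached RepairServices.zip: it exports the existing service key before anything is deleted, then reports whether each service key, its ServiceDll and its owner look sane. The service names other than DoSvc and the C:\FIX\backup folder are assumptions chosen for illustration.

```powershell
# Added example: backup + state report for the service keys discussed in this thread.
# Assumptions: the service list beyond DoSvc, and the backup folder name.
$services  = 'DoSvc', 'wuauserv', 'BITS'
$backupDir = 'C:\FIX\backup'   # hypothetical folder for the pre-repair export
$startMap  = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Backup-ServiceKey {
    param([string]$Name)
    # Export the key as it is now, so a failed repair can be rolled back with "reg import".
    New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $file  = Join-Path $backupDir "$Name-$stamp.reg"
    & reg.exe export "HKLM\SYSTEM\CurrentControlSet\Services\$Name" $file /y | Out-Null
    if ($LASTEXITCODE -eq 0) { $file } else { $null }   # $null: key missing or not readable
}

function Get-ServiceKeyState {
    param([string]$Name)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path $key)) {
        # A missing key is what a deleted service looks like.
        return [pscustomobject]@{ Service = $Name; KeyPresent = $false }
    }
    $props  = Get-ItemProperty -Path $key
    $params = Get-ItemProperty -Path "$key\Parameters" -ErrorAction SilentlyContinue
    $dll    = if ($params.ServiceDll) { [Environment]::ExpandEnvironmentVariables($params.ServiceDll) }
    $start  = if ($null -ne $props.Start) { $startMap[[int]$props.Start] } else { 'missing' }
    # A key whose ACL cannot be read by an elevated admin points at a permission problem.
    $acl    = Get-Acl -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Service    = $Name
        KeyPresent = $true
        Start      = $start
        ImagePath  = $props.ImagePath
        ServiceDll = $dll
        DllOnDisk  = [bool]($dll -and (Test-Path $dll))
        KeyOwner   = $acl.Owner
        ScmStatus  = (Get-Service -Name $Name -ErrorAction SilentlyContinue).Status
    }
}

foreach ($svc in $services) {
    $backup = Backup-ServiceKey -Name $svc
    Get-ServiceKeyState -Name $svc |
        Add-Member -NotePropertyName BackupFile -NotePropertyValue $backup -PassThru |
        Format-List
}
```

Comparing the report from before the repair with the one after the reboot shows whether the key, its ServiceDll and its owner actually changed.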

This topic is now closed to further replies.