Request assistance with possible infection on HP Laptop


Thanks for this forum and for your great instructions - I had a pretty uncomplicated time working through the steps to get to this point. I am attaching the three files you requested and would like you to help relieve some of my anxiety about there being an intruder, a virus, a person, I don't really know what exactly, but I have had some what I call "weird" observations at times recently and need to get to the bottom of my worrying - whether it's all my own trauma-response or if there has legitimately been some issues on the technology front. And if everything looks picture perfect, please help reassure me of that and that I will not somehow screw it up by accident. :) 

I have also had some problems with my internet router and had new equipment installed a month or so ago. And finally, my phone was giving me ongoing odd behavior and today I resorted to a factory reset and erased all content and settings. I hope that clears it up. 

Thanks again, I'll keep my eye out for your reply. 

Malwarebytes Scan Results.txt Addition.txt FRST.txt

Just some additional information that might be helpful. All of my internet browsing seems to have morphed every URL into a wildly long string. Example: 

https://accounts.google.com/v3/signin/identifier?dsh=S285593881%3A1687876345447283&continue=https%3A%2F%2Fwww.google.com%2F%3Fclient%3Dsafari%26channel%3Diphone_bm&flowEntry=ServiceLogin&flowName=GlifWebSignIn&hl=en&ifkv=Af_xneExTD3sRzsZnWA3jQn3qkdY_JL-OkPNbXFdHzg0xMo2WrQv4jlEgYMU-B9vx3ey9SqDq3JDAg

 

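What the long address quoted in the post above contains once it is decoded, as an added example that is not part of the original thread: it separates the host from the query parameters and checks the address nested in `continue`. The names `triage_url`, `is_under` and `EXPECTED_DOMAINS`, and the lookalike URL, are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

# The URL quoted in the post above, split across lines only for readability.
POSTED_URL = (
    "https://accounts.google.com/v3/signin/identifier"
    "?dsh=S285593881%3A1687876345447283"
    "&continue=https%3A%2F%2Fwww.google.com%2F%3Fclient%3Dsafari%26channel%3Diphone_bm"
    "&flowEntry=ServiceLogin&flowName=GlifWebSignIn&hl=en"
    "&ifkv=Af_xneExTD3sRzsZnWA3jQn3qkdY_JL-OkPNbXFdHzg0xMo2WrQv4jlEgYMU-B9vx3ey9SqDq3JDAg"
)

# Constructed lookalike (not from the thread) to show what a failing result looks like.
CONSTRUCTED_LOOKALIKE = (
    "http://accounts.google.com.signin.example.net/v3/signin"
    "?continue=https%3A%2F%2Fwww.google.com%2F"
)

# Assumption: the domains the reader expects to see for this sign-in flow.
EXPECTED_DOMAINS = {"google.com"}


def is_under(host, domains):
    """True if host equals, or is a subdomain of, one of the expected domains."""
    return any(host == d or host.endswith("." + d) for d in domains)


def triage_url(url, expected_domains):
    """Decode a URL and report what it contains, plus anything that looks off."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    # parse_qsl splits on '&' first and percent-decodes each value afterwards,
    # so an encoded '&' (%26) inside a value stays inside that value.
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    findings = []
    if parts.scheme != "https":
        findings.append(f"scheme is {parts.scheme!r}, not https")
    if parts.username is not None:
        findings.append("text before '@' is not the host; the real host follows it")
    if not is_under(host, expected_domains):
        findings.append(f"host {host!r} is not under an expected domain")
    # Parameters such as 'continue' carry a second URL: where the site sends
    # the browser after sign-in. Check those hosts as well.
    nested = {}
    for name, value in params.items():
        if value.startswith(("http://", "https://")):
            nested[name] = urlsplit(value).hostname or ""
            if not is_under(nested[name], expected_domains):
                findings.append(f"{name!r} points to {nested[name]!r}")
    return {"host": host, "params": params, "nested": nested, "findings": findings}


if __name__ == "__main__":
    for label, url in (("posted", POSTED_URL), ("constructed", CONSTRUCTED_LOOKALIKE)):
        report = triage_url(url, EXPECTED_DOMAINS)
        print(label, report["host"], report["nested"], report["findings"] or "nothing unusual")
```

For the posted URL the host is `accounts.google.com`, the `continue` parameter decodes to a `www.google.com` address, and no findings are raised; the length comes from percent-encoding and session parameters.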

Hello :welcome: 

I will guide you along on looking for remaining malware (if any) on this Windows machine. Let's keep these principles as we go along.

  • I cannot help with your phone. I understand you have a new hardware router.
  • Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Only run the tools I guide you to.
  • Do not run online games while case is on-going. Do not do any free-wheeling web-surfing.
  • The removal of malware isn't instantaneous, please be patient.
  • Cracked or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also a big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
  • Please stick with me until I give you the "all clear".
  • If your system is running Discord, please be sure to Exit out of it while this case is on-going.

Let's do one scan with Malwarebytes Adwcleaner to check for adwares. Just before pressing that "scan" button, be sure that Chrome & Edge, or other web browser are Closed.

It will not take much time.

First download & save it
guide & download link

Then be sure to close all web browsers after the download & before launching the tool.

Then go to where the EXE file is saved. Start Adwcleaner.  Then do a scan with Adwcleaner

Guide article

Attach the clean log from Adwcleaner when all completed.


4 hours ago, HollabackG said:

....and today I resorted to a factory reset and erased all content and settings. I hope that clears it up. 
 

When exactly was this Factory Reset done? I see some Windows events logged that go back to 30th of May.

I also see Kaspersky VPN Version: 21.13.5.506 installed. When did you install that? Is it a paid-for license? That is to inquire, do you intend to have Kaspersky as your resident installed security application?


The factory reset was done by a computer repair store locally. I had taken the laptop in for help. He said he removed a bunch of malware and remote software or something. He said someone would have had to originally have physical access to the machine to get into my iCloud account etc., which I think is possible as I had been seeing someone for a couple of years that was very much a stalker situation. I have reason to believe he might still have access in some way. Now I don’t know enough to be able to tell if what I’ve been having issues with is a malware or a single human being with an obsessive mind. Maybe you can help me figure that out. I’ll look for the exact date of the factory reset but it would be around the first of June.

As far as Kaspersky, I downloaded and paid for a premium version of their product and it seemed to work okay but then it didn’t. Like it kept asking me to log in, verify my email, which I had already done, etc. I called the support phone number and got a guy who said he was able to help me but he was not very responsive and he didn’t seem to have any of my account information at all and then the call was disconnected. This also happened a couple of days ago when I tried contacting Microsoft to ask about why my Microsoft Edge browser was gone or unable to open. So many weird things and I have become pretty confused by how much had happened and why. I want to either get refunded for the Kaspersky product or get it to work. Malwarebytes is fine with me too. Just something that is actually working and is actually supported by people I can talk to that doesn’t result in a disconnection.


Maurice, I am catching up on these messages. I apologize if I’m responding out of order. I am reading your list of expectations and it sounds like I can follow all of them. I don’t have any kind of pirated anything on my computer that I know of. I don’t play online games either. So that part is OK. And that’s fine about the phone, I understand. I will not do anything else to the computer unless directed to do so at this point moving forward. However, to be honest, I did run some scans using Malwarebytes, but that was something I downloaded yesterday as part of the instructions from your initial forum overview regarding malware. But maybe I overran scans, I don’t know. I’ve saved all the logs on my computer or they’re saved in the Malwarebytes program itself. I also do not have Discord or have it on my computer that I know of as well. Now, that said, I’m gonna go back up and look and it looks like I’m supposed to run a Malwarebytes adware scan. I will do that and then attach the log like you requested.


That is a good run of Adwcleaner. It did not find adwares present.

As a next step, I suggest the following:
This is for a scan with ESET Onlinescanner (free). ESET is a well-respected, well-known entity and tool.
This here you can start & once it is under way, you can leave the machine alone & let it run over-night. No need to keep watch once it starts the actual scan run.
Next, This will be a check with ESET Onlinescanner for viruses, other malware, adwares, & potentially unwanted applications.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

It will start a download of "esetonlinescanner.exe"

  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started.

 

  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes
  • When prompted for scan type, Click on CUSTOM scan  and select C drive to be scanned
  • Look at & tick ( select ) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"
  • and click on Start scan button.

Have patience. The entire process may take an hour or more. There is an initial update download.
There is a progress window display. You may step away from the machine & let it be. That is, once it is under way, you should leave it running. It will run for several hours.

  • At screen "Detections occurred and resolved" click on blue button "View detected results"
  • On next screen, at lower left, click on blue "Save scan log"
  • View where file is to be saved. Provide a meaningful name for the "File name:"
  • On last screen, set to Off (left) the option for Periodic scanning
  • Click "save and continue"
  • Please attach the report file so I can review
Maurice, I downloaded the ESET Online Scanner and selected yes to Windows allowing it to start, and then I got a pop up that said one or more drivers were prevented from being installed and it led me to a webpage from Microsoft that said if I want to let them download I will need to turn off the Core Isolation Integrity protection, restart the machine, and then try again. Does that sound correct? I did not proceed. Afterwards, I happened to notice that there were a multitude of this same error message stacked up in the notifications in my task bar. I closed them but I am not sure what they all were about, they appeared to be the same message as I just stated above.

Screenshot Windows Driver Error 2023-06-29 035547.jpg


Thanks for the report. It found no threats. Next, I would like you to run a custom task. First, please do a Windows Restart.

Please run the following custom script. Read all of this before you start.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files.  It will reset / clear all Windows firewall rules. It will empty all temporary file areas. It resets the Winsock. Depending on the speed of your computer this fix may take 50 minutes or more.

Please Close all open work.

Farbar  FRST64 program location:   Downloads folder

Please download the attached fixlist.txt file and save it to Downloads

Fixlist.txt

 

NOTE. It's important that both files, FRST64, and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run  FRST64 and press the Fix button just once and wait.

You will see a green-color scroll display while FRST is running.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Downloads folder (Fixlog.txt) . Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

The system will be rebooted after the fix has run. Attach FIXLOG.txt with next reply.


I have read your preceding reply with the image-file. I have set that one reply to hidden because it contained personal type info.

I will be making a new reply soon.  Eventually at some opportune point, I will suggest ( but not now) to change all your passwords for all accounts.


These are the next steps. First, need to disable the Windows 11 "Controlled Folder access" so it does not interfere.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted items from a system. This tool does not install. It is run on-demand.

This link is for the 64-bit version of MSERT.exe. Be sure you save the file first.
https://definitionupdates.microsoft.com/download/DefinitionUpdates/safetyscanner/amd64/MSERT.exe

Upon completion of the save, Please make sure you Exit out of any other program you might have open so that the sole task is to run the following scan.
That goes especially for web browsers, make sure all are fully exited out of and messenger programs are exited and closed as well

Launch MSERT.exe
Accept the agreement terms of Microsoft
Select CUSTOM scan
Look on Scan Options & select CUSTOM scan & then select the C drive to be scanned.

Then start the scan. Have lots of patience. Once you start the scan & you see it started, then leave it be.

Once you see it has started, take a long long break; walk away. Do not pay credence if you see some intermediate early flash messages on screen display. The only things that count are the End result at the end of the run.
Again, any on-screen display about repeat 'infection' is not to be relied on. Ignore those.
We only rely on the end result that is on the log-report-file.


This is likely to run for many hours ( depending on number of files on your machine & the speed of hardware.)

The log is named MSERT.log

The log will be at

Windows\debug\msert.log
Please attach that log with your reply

It is normal for the Microsoft Safety Scanner to show 'detections' during the scan process on the screen itself.

It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.


I tried to run this scan but I can’t turn off the controlled folder access; it won’t let me. Then the computer started locking up, not letting me open or close anything, and then I tried to go to restart the computer and got this message I’m attaching.

IMG_0064.jpeg


4 minutes ago, HollabackG said:

I tried to run this scan but I can’t turn off the controlled folder access; it won’t let me. Then the computer started locking up, not letting me open or close anything, and then I tried to go to restart the computer and got this message I’m attaching.

IMG_0064.jpeg

The second attachment is the error message I got when trying to go to the security settings where the controlled folder access lies. 

image.jpg


One other scan here.

TrendMicro HouseCall scan
from this Link

First, Download & Save to your Downloads folder the appropriate HouseCallLauncher
Once the download is complete, go to where the Housecalllauncher is saved & double-click it to start it.

The program will check with TrendMicro & do a update run.

Next it will show the Disclosure window.

Click Next to proceed.

The end user license agreement is presented.   Click the Accept radio button & click Next to proceed.

I suggest a CUSTOM scan on C drive.

IF you wish a Full scan or a Custom scan, first click on the Settings

then you can select which drives you want to include in the scan.

The default is a Quick scan.

Click Scan now when ready.

The scan progress will then be displayed.   Monitor the progress or just leave it alone until it finishes this phase.

When the scan phase has completed, if any items are tagged, you will see a list, showing  the file & its location, the classification of the threat, the type, risk, and Action option.

If you see an item that you know is safe, you can click the Action  , and select Ignore.

When all done & ready, click the Fix now button.

Hi,

I ran this scan and didn't know the best way to show you/ask questions so attached screenshots of a few things. I don't think there is any personal info.

The scan found no vulnerabilities but did find almost 3 G of junk files. I will go ahead and remove those. 

I happened to notice under the browsing history a number of things I don't recognize or understand. I am logged in under the computer's administrator account, which I normally don't use or try to avoid using for regular browsing. Can you explain them, or maybe it isn't related. Something is very much still going on I feel, and it is causing pretty serious misery as I first began to realize things were off way back in February or March. I can't believe it. I think it might even be worse now because I am getting lots of creepy phishing emails and sometimes it is as if there are two of my computer or phone because if I am paying attention sometimes, I will see a super brief flash or blip of one window going over another but it's too fast to know what is happening.

Anyway, thanks for your continuing assistance and I will wait to hear from you. 

trendmicro1.png

newtab in edge look at bookmarks wjyare thosem set.png

screenshot folder admin user.png

web hist expanded admin user.png

web history see 053023 and 052623.png

web history under admin user.png

xml file clview disable defender possiby.png

trendmicro2.png


Hello. Please do not flood me with all sorts of screen grabs.
I do wish to advise you to be calmer. There is no need to go poking about hither and elsewhere.
Too much needless worrying.
Do keep in mind that we use known security-checking utilities to look for potential malware.
Please do not (while I am guiding you & this case is on-going) go off on your own to run any "stuff".
OK. Let's put away the worry-wart outlook.
The TrendMicro Cleaner One Pro is a tool from a trusted security vendor.

But you can do cleanups of temporary files using the free built-in applet from Microsoft Windows.
Open an elevated Command-prompt window, i.e. run Command Prompt as an administrator.

On the Taskbar Search box, type in

cmd.exe


click the line for "run as administrator"


On that Command-prompt,  Copy & Paste this command

cleanmgr.exe

press Enter-key on keyboard   and watch & write down the result


on the tab "Disk Cleanup"
then on the scrollable window marked "Files to Delete"
be sure to UN-tick the box on the line "Downloaded Program files"

DO tick the check boxes on these lines:
Windows Update Cleanup
Windows upgrade log files
Temporary Internet Files
Recycle Bin
Temporary files

Any other lines you can un-tick. The 5 lines selected above should account for a sizable amount of space that can be freed-up.

then click OK to proceed

you will get a "Are you sure" prompt
click on "Delete Files" button

It will show a progress window. When it has finished, it will auto-close its window.

VERY IMPORTANT reminder. I can guide you to running additional other scan tools to re-check for "actual malware". Just do not do anything on your own.


This topic is now closed to further replies.