Maurice Naggar Posted July 21, 2023 ID:1578830 Share Posted July 21, 2023 This system is very lightly populated. That is why the run was relatively quick. MS Safety Scanner found no threats, no malware. Results Summary: ---------------- No infection found. Failed to submit MAPS report: 0x80072EE7 Failed to submit clean hearbeat MAPS report: 0x80072EE7 Microsoft Safety Scanner Finished On Thu Jul 20 16:52:07 2023 One other scan here. TrendMicro HouseCall scanfrom this Link First, Download & Save to your Downloads folder the appropriate HouseCallLauncher Once the download is complete, go to where the Housecalllauncher is saved & double-click it to start it. The program will check with TrendMicro & do a update run. Next it will show the Disclosure window. Click Next to proceed. The end user license agreement is presented. Click the Accept radio button & click Next to proceed. I suggest a CUSTOM scan on C drive. IF you wish a Full scan or a Custom scan, first click on the Settings then you can select which drives you want to include in the scan. The default is a Quick scan. Click Scan now when ready. The scan progress will then be displayed. Monitor the progress or just leave it alone until it finishes this phase. When the scan phase has completed, if any items are tagged, you will see a list, showing the file & its location, the classification of the threat, the type, risk, and Action option. If you see an item that you know is safe, you can click the Action , and select Ignore. When all done & ready, click the Fix now button. Link to post Share on other sites More sharing options...
Kidiron Posted July 21, 2023 Author ID:1578855 Share Posted July 21, 2023 Done no threats found Link to post Share on other sites More sharing options...
Maurice Naggar Posted July 21, 2023 ID:1578873 Share Posted July 21, 2023 Great 👍 You should close TrendMicro screen. Current DNS Servers: 192.168.50.1 Please consider changing your default DNS Server settings. Please choose one provider only DNS is what lets users connect to websites using domain names instead of IP addresses Pick just one of these 4 providers. And be aware that you need to modify 1 time for IPV4 & a 2nd pass for IPv6 Google Public DNS: IPv4 8.8.8.8 and 8.8.4.4 IPv6 2001:4860:4860::8888 and 2001:4860:4860::8844 Cloudflare: IPv4 1.1.1.1 and 1.0.0.1 IPv6 2606:4700:4700::1111 and 2606:4700:4700::1001 OpenDNS: IPv4 208.67.222.222 and 208.67.220.220 IPv6 2620:119:35::35 and 2620:119:53::53 DNSWATCH: IPv4 84.200.69.80 and 84.200.70.40 IPv6 2001:1608:10:25::1c04:b12f and 2001:1608:10:25::9249:d69b The Ultimate Guide to Changing Your DNS Serverhttps://www.howtogeek.com/167533/the-ultimate-guide-to-changing-your-dns-server/ Here is a YouTube video on Changing DNS settings if needed Link to post Share on other sites More sharing options...
Kidiron Posted July 21, 2023 Author ID:1578874 Share Posted July 21, 2023 im already using nextdns Link to post Share on other sites More sharing options...
Kidiron Posted July 21, 2023 Author ID:1578877 Share Posted July 21, 2023 Link to post Share on other sites More sharing options...
Maurice Naggar Posted July 21, 2023 ID:1578879 Share Posted July 21, 2023 (edited) I would recommend getting readout reports as to update status of some key apps. Temporarily disable Microsoft SmartScreen to download the next software below Download SecurityCheck by glax24 from here and save the tool on the desktop. If Windows's SmartScreen block that with a message-window, then Click on the MORE INFO spot and over-ride that and allow it to proceed. This tool is safe. Smartscreen is overly sensitive. Right-click with your mouse on the Securitycheck.exe and select "Run as administrator" and reply YES to allow to run & go forward Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file. Attach it with your next reply. You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt Next, Download Farbar's Service Scanner utility and Save to your Desktop. Right-Click on fss.exe and select Run As Administrator. Answer Yes to ok when prompted. If your firewall then puts out a prompt, again, allow it to run. Once FSS is on-screen, be sure the following items are check-marked: Internet Services Windows Firewall System Restore Security Center/Action Center Windows Update Windows Defender Other services Click on "Scan". It will create a log (FSS.txt) in the same directory the tool is run. Please attach that file. When all done, you may go back to turn ON the EDGE Smartscreen protection. Edited July 21, 2023 by AdvancedSetup Corrected font issue 1 Link to post Share on other sites More sharing options...
Kidiron Posted July 21, 2023 Author ID:1578885 Share Posted July 21, 2023 finished SecurityCheck.txt FSS.txt Link to post Share on other sites More sharing options...
Maurice Naggar Posted July 21, 2023 ID:1578888 Share Posted July 21, 2023 The FSS report is all very good. And the Microsoft Defender antivirus and its protections are on & working. Here are the apps that need your action / follow-up. Microsoft 365 - en-us v.16.0.15128.20246 Warning! Download UpdateHow Install Office updates? NVIDIA GeForce Experience 3.25.1.27 v.3.25.1.27 Warning! Download Update Link to post Share on other sites More sharing options...
Kidiron Posted July 21, 2023 Author ID:1578889 Share Posted July 21, 2023 i updated the apps Link to post Share on other sites More sharing options...
Maurice Naggar Posted July 21, 2023 ID:1578891 Share Posted July 21, 2023 This next scan-tool is a specialized one from Malwarebytes. We will run it just once, just as a check. This next tool ought to take something in the range of 15 - 25 minutes tops, depending on hardware speed. get & run the Malwarebytes MBAR anti-rootkit tool to do 1 run with it. Disregard the title subject of the topic.Run the MBAR tool as listed here https://forums.malwarebytes.com/topic/198907-requested-resource-is-in-use-error-unable-to-start-malwarebytes when done, I need the MBAR logs. Upon completion of the scan or after the reboot, two files named mbar-log.txt and system-log.txt will be created. Both files can be found in the extracted MBAR folder on your Desktop. Please attach both files in your next reply. Link to post Share on other sites More sharing options...
Kidiron Posted July 21, 2023 Author ID:1578895 Share Posted July 21, 2023 done mbar-log-2023-07-21 (14-44-13).txt system-log.txt Link to post Share on other sites More sharing options...
Maurice Naggar Posted July 21, 2023 ID:1578898 Share Posted July 21, 2023 Most excellent report. No threats after scan with MBAR. Please run this. Farbar MiniToolBox Please download MiniToolBox and download it to your desktop Close any browsers you may have open Right click the icon and select Run as administrator Make sure only the following options are checked: Report IE Proxy Settings Report FF Proxy Settings List content of Hosts List Devices - Only Problems List last 10 Event Viewer log List Installed Programs List Devices List Users, Partitions and Memory size. List Minidump Files Click Go and once the scan is completed a MTB.txt Notepad document will open on your desktop Please SAVE the report-file. Then attach that report with next reply. Link to post Share on other sites More sharing options...
Kidiron Posted July 21, 2023 Author ID:1578900 Share Posted July 21, 2023 done MTB.txt Link to post Share on other sites More sharing options...
Kidiron Posted July 22, 2023 Author ID:1578963 Share Posted July 22, 2023 My windows security app won’t load now it just shows the blue shield for 2 mins then crashes Link to post Share on other sites More sharing options...
Maurice Naggar Posted July 22, 2023 ID:1578965 Share Posted July 22, 2023 Please have patience. I am in process of working up a new custom script for this machine. Patience. 1 Link to post Share on other sites More sharing options...
Kidiron Posted July 22, 2023 Author ID:1578966 Share Posted July 22, 2023 TYSM Link to post Share on other sites More sharing options...
Maurice Naggar Posted July 22, 2023 ID:1578967 Share Posted July 22, 2023 Thanks for the report. There were a few items tagged by MS Defender antivirus, recently, and we need to be sure they are gone. Threat Name: Ransom:Win32/Play!ml Category: Ransomware Path: file:_C:\Users\kidir\AppData\Roaming\Celestial\injector_new.zip Threat Name: Behavior:Win32/DefenseEvasion.A!ml Category: Suspicious Behavior Path: file:_C:\Users\kidir\AppData\Roaming\Celestial\injector\main_injector.exe Threat Name: Trojan:Win32/Wacatac.H!ml Category: Trojan Path: file:_C:\Users\kidir\AppData\Roaming\Celestial\injector\main_injector.exe By the way, be very sure you do not download any games of any sort, nor any other tempting download, while this case is open here. Please run the following custom script. Read all of this before you start. Please Close all open work before you actually do begin this run. Farbar FRST64 program location: Downloads folder. The tool is already on system. That is what we will use. Please download the attached fixlist.txt file and save it to Downloads Fixlist.txt<- < - - - - NOTE. It's important that both files, FRST64, and fixlist.txt are in the same location or the fix will not work. Right-click with your mouse on FRST64 and select "Run as Administrator" and reply Yes and allow it to proceed when prompted. That is important. next, press the Fix button just once and wait. You will see a green-color scroll display while FRST is running. If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Downloads folder (Fixlog.txt) . Please attach or post it to your next reply. Note: If the tool warned you about an outdated version please download and run the updated version. The system will be rebooted after the fix has run. Attach FIXLOG.txt with next reply. This here is not any "cure all". There is more work to do to check this Windows system ! NOTICE: For potential outside readers, This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause harm. Link to post Share on other sites More sharing options...
Kidiron Posted July 22, 2023 Author ID:1578970 Share Posted July 22, 2023 btw these are false flags Threat Name: Ransom:Win32/Play!ml Category: Ransomware Path: file:_C:\Users\kidir\AppData\Roaming\Celestial\injector_new.zip Threat Name: Behavior:Win32/DefenseEvasion.A!ml Category: Suspicious Behavior Path: file:_C:\Users\kidir\AppData\Roaming\Celestial\injector\main_injector.exe Threat Name: Trojan:Win32/Wacatac.H!ml Category: Trojan Path: file:_C:\Users\kidir\AppData\Roaming\Celestial\injector\main_injector.exe Fixlog.txt Link to post Share on other sites More sharing options...
Maurice Naggar Posted July 22, 2023 ID:1578988 Share Posted July 22, 2023 Now a different scan with another security scanner. You should first Close as many of your open-user app-screens as possible. That is to say, Exit all that you do not need to have open. This with Kaspersky KVRT tool. Download Kaspersky Virus Removal Tool (KVRT) from here: https://www.kaspersky.com/downloads/thank-you/free-virus-removal-tool and save to your Desktop. Next, Select the Windows Key and R Key together, the "Run" box should open. Drag and Drop KVRT.exe into the Run Box. C:\Users\kidir\DESKTOP\KVRT.exe will now show in the run box. add -dontencrypt Note the space between KVRT.exe and -dontencryptC:\Users\kidir\DESKTOP\KVRT.exe -dontencrypt should now show in the Run box. That addendum to the run command is very important. To start the scan select OK in the "Run" box. The Windows Protected your PC window "may" open, IF SO then select "More Info" A new Window will open, select "Run anyway" A EULA window will open, tick both confirmation boxes then select "Accept" In the new window select "Change Parameters" In the new window ensure the following boxes are ticked: System memory Startup objects Boot sectors System drive Then select "OK" and „Start scan“. The Kaspersky tool is very thorough so will take a considerable time to complete, please allow it to finish. Also while Kaspersky runs do not use your PC for anything else.. completed: If entries are found, there will be options to choose. If "Cure" is offered, leave as it is. For any other options change to "Delete", then select "Continue". Usually, your system needs a reboot to finish the removal process. Logfiles can be found on your systemdrive (usually C: ), similar like this: Reports are saved here C:\KVRT2020_Data\Reports and look similar to this report_20230721_203000.klr Right click direct onto those reports, select > open with > Notepad. Save the files and attach them with your next reply Link to post Share on other sites More sharing options...
Kidiron Posted July 22, 2023 Author ID:1578995 Share Posted July 22, 2023 done report_2023.07.22_14.32.54.klr.txt Link to post Share on other sites More sharing options...
Kidiron Posted July 23, 2023 Author ID:1579069 Share Posted July 23, 2023 is this normal Link to post Share on other sites More sharing options...
Maurice Naggar Posted July 23, 2023 ID:1579094 Share Posted July 23, 2023 It may be just some sort of minor issue with this Windows 11 system. Just get a fresh report. Go to Downloads folder using File Explorer. RIGHT-click on FRST64 and select Run as Administrator and tap ENTER. And reply YES to allow to proceed. When the tool opens click Yes to the disclaimer. And be very sure to TICK the box for Addition.txt Press the Scan button. It will make a log (FRST.txt & Addition.txt) in the same directory the tool is run Have patience since the run may take something like 10 or so minutes (less depending on your hardware speed) Close Notepad IF those show up on Notepad. Just please Attach the 2 files FRST.txt +Addition.txt with your next reply. Link to post Share on other sites More sharing options...
Kidiron Posted July 23, 2023 Author ID:1579116 Share Posted July 23, 2023 alright Addition.txt FRST.txt Link to post Share on other sites More sharing options...
Maurice Naggar Posted July 23, 2023 ID:1579135 Share Posted July 23, 2023 I have a question as to why there had been 2 files on this machine in the first place. Why did some one download the files tagged by Microsoft Defender. Windows Defender: ================ Date: 2023-07-23 13:53:50 Description: Microsoft Defender Antivirus has detected a suspicious behavior. Name: Behavior:Win32/DroppedKnownMalware Severity: Low Category: Suspicious Behavior Path Found: file:_D:\DOWNLOADS\Xenos_2.3.2_[unknowncheats.me]_\Xenos64.exe; process:_26760 Detection Origin: Local machine Detection Type: Suspicious Detection Source: Real-Time Protection Status: Executing Process Name: D:\DOWNLOADS\Xenos_2.3.2_[unknowncheats.me]_\Xenos64.exe Security intelligence ID: 41453692543830 Security intelligence Version: AV: 1.393.1190.0, AS: 1.393.1190.0 Engine Version: 1.1.23060.1005 Fidelity Label: Low Target File Name: Date: 2023-07-23 13:53:42 Description: Microsoft Defender Antivirus has detected malware or other potentially unwanted software. For more information please see the following:https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/DllInject&threatid=2147771689&enterprise=0 Name: Trojan:Win32/DllInject Severity: Severe Category: Trojan Path: file:_D:\DOWNLOADS\Xenos_2.3.2_[unknowncheats.me]_\BlackBoneDrv10.sys Detection Origin: Local machine Detection Type: Concrete Detection Source: Real-Time Protection Process Name: C:\Windows\System32\svchost.exe Security intelligence Version: AV: 1.393.1190.0, AS: 1.393.1190.0, NIS: 1.393.1190.0 Engine Version: AM: 1.1.23060.1005, NIS: 1.1.23060.1005 Getting "free games" from dodgy sites is a dangerous thing to do. Those types of freebies are the commonest ways that malicious infections are spread. Link to post Share on other sites More sharing options...
Kidiron Posted July 24, 2023 Author ID:1579154 Share Posted July 24, 2023 they arefalse tags and they arent games there game cheats Link to post Share on other sites More sharing options...
Recommended Posts