Jump to content

Virus Suspicion - AddInUtil.exe


Recommended Posts

Yesterday I was surfing on a web page and I got a popup window of a suspicious domain which I closed immediately, I have the Ransomware protection of my windows defender and I have some folders locked so just at that moment I got this alert.

Blocked application or process: AddInUtil.exe
Protected folder: %windir% "Microsoft.NET" "Framework64" v2.0.50727 "CONFIG".

I googled it, and it says it is wmiprvse virus packed.

I did scan with malwarebytes and mbar tool and they found nothing.

Help Please

Link to post
Share on other sites

  • Root Admin

Hello  and  :welcome:    @John151515

 

My screen name is AdvancedSetup and I will assist you with your system issues.
 

Let's keep these principles as we proceed. Make sure to read the entire post below first.

  • Please follow all steps in the provided order and post back all requested logs
  • Please attach all log files to your post, unless otherwise requested
  • Temporarily disable your antivirus or other security software first. Make sure to turn it back on once the scans have been completed.
  • Temporarily disable Microsoft SmartScreen to download the software below if needed. Make sure to turn it back on once the scans are completed.
  • Searching, detecting, and removing malware isn't instantaneous and there is no guarantee to repair every system.
  • Before we start, please make sure that you have an external backup, not connected to this system, of all private data.
  • Do not run online games while the case is ongoing. Do not do any free-wheeling or risky web-surfing.
  • Only run the tools I guide you to use. Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Cracked, Hacked, or Pirated programs are not only illegal but also can make a computer a malware victim.
  • Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryption. It is at times also a big source of current Trojan infections.
  • If there are any on the system you should uninstall them before we proceed.
  • Please be patient and stick with me until I give you the "all clear". We don't want to waste your time, please don't waste ours.
  • If your system is running Discord, please be sure to Exit it while this case is ongoing.

 

To begin, please do the following so that we may take a closer look at your installation for troubleshooting. This is a report only.

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to the Public desktop, please upload that file on your next reply

Thank you

 

 

Link to post
Share on other sites

  • Root Admin

Please enable System Protection and create a new System Restore Point

ATTENTION: System Restore is disabled (Total:118 GB) (Free:25.26 GB) (21%)

 

How to Turn On or Off System Protection for Drives in Windows 10
https://www.tenforums.com/tutorials/4533-turn-off-system-protection-drives-windows-10-a.html

How to Create a System Restore Point in Windows 10
https://www.tenforums.com/tutorials/4571-create-system-restore-point-windows-10-a.html

 

 

There is something trying to run PowerShell but you have Controlled Folder Access enabled so it was blocked.

 

Date: 2023-08-02 13:53:09
Description:
Controlled Folder Access blocked C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe from modifying %system%\CatRoot.
Detection time: 2023-08-02T18:53:09.649Z
User: LAPTOP-I3KV5ITE\JMBC
Path: %system%\CatRoot
Process name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Security Intelligence Version: 1.393.2082.0
Engine version: 1.1.23070.1005
Product version: 4.18.23050.9

 

 

 

 

 

 

Please run the following fix

 

NOTE: Please read all of the information below before running this fix.

  • NOTICE: This script was written specifically for this user, for use on this particular machine.
  • Running this on another machine may cause damage to your operating system that cannot be undone.

Once the fix has been completed, please attach the file FIXLOG.TXT to your next reply

Farbar program:   FRSTEnglish.exe

Save the attached file:  FIXLIST.TXT to this folder C:\Users\JMBC\Downloads\

NOTE. It's important that both files, FRSTEnglish.exe, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

 

 

Run the Farbar program with Admin rights and press the Fix button just once and wait.

The fix may possibly take up to 60 minutes to complete

If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log named Fixlog.txt in the same folder you ran the Farbar program from. Please attach that log on your next reply.

 

  1. NOTE:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity.
  2. NOTE: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications may be automatically closed.
                Also, make sure you know the passwords for all websites as cookies may possibly be removed in some cases, but not all cases.
  3. NOTE: As part of this fix, it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Discord cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

 

Link to post
Share on other sites

Sorry for the delay friend, I was working at home, I will look at the system protection while I leave you the file that I left the tool, and about the Catroot and powershell that I get since I activate the folder protection is not whether it is normal or not.

While running frst I got 2 alerts for access to folders I do not know if that limited something in the repair, I will wait for your answer friend, thanks.

 

Fixlog.txt

Link to post
Share on other sites

  • Root Admin

Thank you @John151515

Overall the logs looks to have run well.

Let me have you run the following scan

 

Please download and run the following Kaspersky Virus Removal Tool 2020 and save it to your Desktop.

(Kaspersky Virus Removal Tool version 20.0.10.0 was released on November 9, 2021)

Download: Kaspersky Virus Removal Tool

https://devbuilds.s.kaspersky-labs.com/devbuilds/KVRT/latest/full/KVRT.exe

How to run a scan with Kaspersky Virus Removal Tool 2020
https://support.kaspersky.com/15674

How to run Kaspersky Virus Removal Tool 2020 in the advanced mode
https://support.kaspersky.com/15680

How to restore a file removed during Kaspersky Virus Removal Tool 2020 scan
https://support.kaspersky.com/15681

 


Select the  image.png  Windows Key and R Key together, the "Run" box should open.

user posted image

Drag and Drop KVRT.exe into the Run Box.

user posted image

C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the run box.

image.png

add -dontencrypt   Note the space between KVRT.exe and -dontencrypt

C:\Users\{your user name}\DESKTOP\KVRT.exe -dontencrypt should now show in the Run box.
 
image.png


That addendum to the run command is very important, when the scan does eventually complete the resultant report is normally encrypted, with the extra command it is saved as a readable file.

Reports are saved here C:\KVRT2020_Data\Reports and look similar to this report_20210123_113021.klr
Right-click direct onto that report, select > open with > Notepad. Save that file and attach it to your reply.

To start the scan select OK in the "Run" box.

A EULA window will open, tick all confirmation boxes then select "Accept"

image.png

In the new window select "Change Parameters"

image.png

In the new window ensure all selection boxes are ticked, then select "OK" The scan should now start...

user posted image

When complete if entries are found there will be options, if "Cure" is offered leave as is. For any other options change to "Delete" then select "Continue"

user posted image

When complete, or if nothing was found select "Close"

image.png

Attach the report information as previously instructed...
 
Thank you
 
 

 

 

Link to post
Share on other sites

  • Root Admin

That scan found nothing.

Let's try a couple others.

 

 

Dr.Web CureIt!

Please download the Dr.Web CureIt! anti-virus utility
https://free.drweb.com/

 

You will need to send them an email to obtain a link to download the scanner, please do so

  • The downloaded file will normally have a unique name such as:  q7a9tr4p.exe
  • Close all open applications and locate the downloaded file and double-click to run it
  • The program will take a moment to launch and bring up the License and Update screen
  • Place a check mark to agree to the terms and then click on the Continue button
  • Click the underlined link Select objects for scanning
  • On the top left click the Scanning objects that should automatically check all objects
  • Click the small wrench and make sure there is a check on Automatically apply actions to threats
  • Then click the large button on bottom right Start scanning
  • Once the scan has completed there will be a link named Open report click that and a log named cureit.log should open in Notepad
  • The log is saved in the folder named Doctor Web in the top of your user profile folders
  • Please attach that log on your next reply

 

 

 

Link to post
Share on other sites

  • Root Admin

Thank you @John151515

Please go ahead then and run this scanner from ESET

 

 

Please run the following ESET Online Scanner and perform a Full Scan

 

Click the following link to save the installer for ESET Online Scanner

https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe"
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get started. 
  • When presented with the initial ESET screen, click on "Get Started". Read and accept the Terms of use
  • On the "Before we start..." screen chose if you want to send anonymous data and if you want to provide feedback or not, then click Continue
  • When prompted for scan type, Click on the Full Scan button
  • Enable  ( select )   the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click the Start scan button.
  • Have patience.  The entire process may take a few hours or more.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.
  • Click The blue “Save scan log” to save the log and give it a name and location you remember.
  • If something was removed and you know it is a false postive, you may click on the blue ”Restore cleaned files”  ( in blue, at the bottom).
  • Press Continue when all done.  You should click to turn off the offer for “periodic scanning”.
  • Enable "Delete application data on closing" - You do not need to submit feedback unless you want to. Simply ignore and close the program.

 

Note: If you do need to do a File Restore from ESET please follow the directions below

[KB2915] Restore files quarantined by the ESET Online Scanner version 3

https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner

 

Please attach the ESET scan log you saved at the end to your next reply

 

Link to post
Share on other sites

  • Root Admin

Let me have you run the following again, please

 

 

Let's go ahead and run a couple of scans and get some updated logs from your system.


Please make the following changes.

 

  • Temporarily disable your antivirus real-time protection or other security software first if it blocks or interferes with the scans or downloads.. Make sure to turn it back on once the scans are completed.
  • Temporarily disable Microsoft SmartScreen to download software below only if needed. Make sure to turn it back on once the scans are completed.
  • Disable-Fast-Startup
  • Show-Hidden-Folders-Files-Extensions

 


Next, run these steps and post back the logs as an attachment when ready.


[ 1 ]

Malwarebytes for Windows

  • If you already have Malwarebytes installed then open Malwarebytes and click on the small gear icon, then click on the "Check for updates" button on the General tab.
  • After any updates, click the middle Scan button from the main page. It will automatically run a Threat Scan.
  • If you don't have Malwarebytes installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and select Scan and let it run.
  • Once the scan is completed, make sure you have it quarantine any detections it finds.
  • If no detections were found click on the Save results drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If there were detections then once the quarantine has completed click on the View report button, Then click the Export drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If the computer restarted to quarantine you can access the logs from the Detection History, then the History tab. Highlight the most recent scan and double-click to open it. Then click the Export drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let us know in your next reply that the scanner would not run.

[ 2 ]

Malwarebytes AdwCleaner

  • Please download Malwarebytes AdwCleaner and save the file to your Desktop or Downloads folder.
  • Double-click to run the program - Malwarebytes AdwCleaner guide
  • Accept the End User License Agreement.
  • Wait until the database is updated.
  • Click Scan Now.
  • When finished, if items are found please click Quarantine to finish the cleaning process.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Attach that log to your next reply.
     
  • If No Detections are found, Click Skip Basic Repair

    WARNING: Do Not click the Run Basic Repair button unless instructed to by a Malwarebytes support agent or authorized helper


 

RESTART THE COMPUTER Before running Step 3

[ 3 ]

Gather MBST Logs

Please do the following so that we may take a closer look at your system for any possible infections.

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to the Public desktop, please upload that file on your next reply

    WARNING: Do Not click the Repair System under Advanced unless requested to by a Malwarebytes support agent or authorized helper

 

Thank you

 

Link to post
Share on other sites

  • Root Admin

Thank you for the logs.

How is the computer running now?

Are you still seeing any signs of infection or any alerts?

 

Please run the following

 

SecurityCheck by glax24              

I would like you to run a tool named SecurityCheck to inquire about the current security update status of some applications.

  • Download SecurityCheck by glax24: https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
  • If Microsoft SmartScreen blocks the download, click through to save the file
  • This tool is safe.   Smartscreen is overly sensitive.
  • If SmartScreen blocks the file from running click on More info and Run anyway
  • Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"  and reply YES to allow to run & go forward
  • Wait for the scan to finish. It will open a text file named SecurityCheck.txt Close the file.  Attach it with your next reply.
  • You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

 

image.png

image.png

image.png

 

Thank you

 

 

Link to post
Share on other sites

Well friend, Catroot and powershell notifications don't come out much anymore, before it was all the time although I haven't been using the pc, I only do the steps you send me.

It also seems that we removed an Adware that had not been detected before and ESET detected a Hacktool in a Photoshop which I had pirated because designing is my hobby, so before running Securitycheck I removed all pirated programs (Photoshop and Illustrator)

I should be more careful with that and with browsing the internet

SecurityCheck.txt

Link to post
Share on other sites

  • Root Admin

Please uninstall, update, or otherwise address the following as appropriate for your system

 

NVIDIA GeForce Experience 3.24.0.135 v.3.24.0.135 Warning! Download Update
Microsoft Visual Studio Code (User) v.1.79.2 Warning! Download Update
Python 3.11.1 (64-bit) v.3.11.1150.0 Warning! Download Update
WinRAR 6.11 (64-bit) v.6.11.0 Warning! Download Update
Zoom v.5.12.8 (10232) Warning! Download Update

 

Then restart the computer and check for Windows Updates and install any found

 

Keep me posted

 

Link to post
Share on other sites

Doing all these steps if the usual Powershell and Catroot alert has continued to appear (is that normal, do I allow the process to do it?) It is something that appears since I activate the protection against Windows Defender Ransomware

on the other hand my computer is better now, the pirated softwares were removed and we also removed adware and hacktools

the alert I came for from Addinutil didn't show up anymore only when I got the suspicious domain popup

My windows is up to date and now I'm up to date .NET Framework 3.5, 4.8 and 4.8.1 Cumulative Update Preview for Windows 10 Version 22H2 for x64

I will be waiting for your instructions, Thank you

Link to post
Share on other sites

  • Root Admin

Using Google Translate I see the following

EITHER
  Access to the protected folder is blocked
08/3/2023 4:54 PM m.
0 The administrator blocked this action.
Low
/\
Blocked application or process: setup.exe
Protected folder: %windir%\SystemTemp\Crashpad\attachments
Blocked by: Controls access to the folder
You can allow apps to access your protected folders, but you should only allow apps that you trust.
Configuring Controlled Folder Access

 

Do you have a program called Crashpad installed ?

 

 

 

The update of .NET may have triggered it due to the Controlled Folder Access setting.

Let me have you do the following

 

[ 1 ]

Please download the following tool

Farbar Service Scanner and run it on the computer with the issue
http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/

 

Make sure the following options are checked:

  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center/Action Center
  • Windows Update
  • Windows Defender

Click "Scan"

It will create a log (FSS.txt) in the same directory the tool is run.
Please attach the log to your next reply.

 

[ 2 ]

Create an Autoruns Log:

  • Please download Sysinternals Autoruns from here:   https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
  • Save Autoruns.zip to your computer. Then locate it and extract it to a new folder where you can find and run it.
  • Once it starts you may not be able to easily stop the scan but you can try to press the Escape key on your keyboard.
  • Once scanning is stopped, click on the Options menu at the top of the program and select Scan Options... 
  • Then place a check mark on the following items Verify Code Signatures, Check VirusTotal.com, and Submit Unknown Images
  • Then click the Rescan button. Agree to the VirusTotal EULA
  • Once the new scan has been completed, please click on the File button at the top of the program and select Save, or use the Save icon, and save the Autoruns.arn file to your desktop and close Autoruns.
  • Right-click on the Autoruns.arn file (it will typically be the name of your computer) on your desktop or where you save it, and hover your mouse over Send To and select Compressed (zipped) Folder
  • Attach the Autoruns.zip folder (your computer name.zip) you just created to your next reply.
  • NOTE: It will take a long time to fully complete. ALL of the VirusTotal columns must be fully populated before it's done.

 

 

image.png

 

 

 

[ 3 ]

Click on  START - RUN and type in SIGVERIF and click OK
 
This is a Microsoft File Signature Verification program that will check the status of some files for us.

image.png

  • Click on the  START button and let it run. 
  • It will popup a box when it's done to show the status, you can close that box.
  • Close the  File Signature Verification application.
  • On Windows 7 / 10 find and attach the file C:\Users\Public\Documents\SIGVERIF.TXT to your next reply.
  • DO NOT post the log directly into your reply, attach the file please.
 
 

Thank you

 

Link to post
Share on other sites

  • Root Admin

The logs don't indicate an obvious program launch.

Let me have your run the following @John151515

You will need to send Sophos an email to get a link to download the scanner, please do so

 

Sophos Scan & Clean

Download Sophos Free Virus Removal Tool and save it to your desktop.

  • If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....
  • Please close all other open applications and Do Not use your PC whilst the scan is in progress... This scan is very thorough so it may take several hours to complete, please be patient...

Double click the icon and select Run

Click Next

Select I accept the terms in this license agreement, then click Next twice

Click Install

Click Finish to launch the program

  • Once the virus database has been updated click Start Scanning

If any threats are found click Details, then View log file... (bottom left hand corner)

 

Attach the results in your next reply

  • Close the Notepad document, close the Threat Details screen, then click Start cleanup

Click Exit to close the program

 

If no threats were found please confirm that result...

  • The Virus Removal Tool scans the following areas of your computer:
  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable
  • Mapped network drives are not scanned.

Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

 

Saved logs are found under this sub-folder: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs 

Please attach that log on your next reply

Thank you

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.