
Trojan.Multi.GenAutorunReg.a Object name: "System Memory" in KVRT scan


I ran a Kaspersky Virus Removal Tool scan today and it found this malware, "Trojan.Multi.GenAutorunReg.a". When I tried to remove it, my computer went haywire. The program wasn't even curing/disinfecting it yet; it was just in the box for me to say whether to cure or skip it. While I was looking at the scan, my computer wouldn't open any applications and would even tell me "This file has been removed or is not installed where the shortcut opens", something along those lines, but it was mainly that every application had me removed, or I didn't have permission to open anything. Then a bunch of ERROR messages began to pop up asking me to terminate programs like Razer or some other things that I believe were drivers, and sometimes one would even pop up a browser.

I can't tell if this is a false positive or not. I do download files from some unsavory sources, but I usually ask about them on Reddit, and everyone says they are usually safe.

[Attached screenshot: Annotation 2023-09-09 182350.png]


I also read another thread about needing a scan report from Malwarebytes, which is understandable, but Malwarebytes is simply not picking up whatever this malware is, even with the "scan for rootkits" option turned on. I don't know if I'm using the "scan for rootkits" option appropriately or not, because I do close Malwarebytes on every shutdown and I do have Malwarebytes "open on startup" disabled within Task Manager. I'm pretty sure rootkits have something to do with the boot and memory, so idk.

Here is the scan using the free Premium trial of Malwarebytes, so I should have full coverage temporarily.

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 9/9/23
Scan Time: 6:36 PM
Log File: c543dadc-4f69-11ee-8ed2-00d8611a8b2f.json

-Software Information-
Version: 4.6.0.277
Components Version: 1.0.2114
Update Package Version: 1.0.75099
License: Trial

-System Information-
OS: Windows 10 (Build 19045.3324)
CPU: x64
File System: NTFS
User: DESKTOP-0RACTMC\No Name

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 410883
Threats Detected: 0
Threats Quarantined: 0
Time Elapsed: 8 min, 23 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)


@JustAPerson2001

While you are waiting for the next qualified/approved malware removal expert helper to take on your case, even though you may have run the following Malwarebytes utility or its subsets, please carefully follow these instructions: Do not try any other cleaning of any kind after running the support tool. Use the computer as little as possible, or even better don’t use it at all except to check this topic and follow the instructions given.

First, Restart the computer.

Then do the following after restart.

WARNING: Do Not click the Repair System under Advanced unless requested by a Malwarebytes support agent or authorized helper

  1. Download the Malwarebytes Support Tool.
  2. In your Downloads folder, open the mb-support-x.x.x.xxx.exe file.
  3. In the User Account Control (UAC) pop-up window, click Yes to continue the installation.
  4. Run the MBST Support Tool.
  5. In the left navigation pane of the Malwarebytes Support Tool, click Advanced.
  6. In the Advanced Options, click only Gather Logs. A status diagram displays the tool is Getting logs from your computer.
  7. A zip file named mbst-grab-results.zip will be saved to the Public desktop, please attach that file in your next reply to this topic. Please do NOT copy and paste.

For the short time between when you post the diagnostic logs, and when your helper weighs in, please take no further self-directed remedial actions that will invalidate the diagnostic logs you will have sent.

Thank you.


I had a friend look at this who also does a bit of cybersecurity but primarily works in networking and has to know some basics for his job. He said "Just torch it and reset everything". Does anyone else looking at this think the same, or is my data still salvageable? He says the virus or malware may be attached to something and has messed with my registry files, so he assumes that I could possibly just erase everything and it would be fixed. I'd prefer not to do that, though, so I'm looking for another solution if there is any.


Hello :welcome: @JustAPerson2001 My name is Maurice. I will guide you. Let's keep these principles as we go along.

  • Checking for actual malware can be an involved set of tasks over separate runs. Have much patience. Follow my directions.
  • The screen-grab at the top, of the Kaspersky, seems to be flagging the Hosts file; but it is not real detailed.
  • There are several known trusted scanners that we can use to scan this Windows system.
  • Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Only run the tools I guide you to.
  • Do not run online games while case is on-going. Do not do any free-wheeling web-surfing.
  • The removal of malware isn't instantaneous, please be patient.
  • Cracked or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also a big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
  • Please stick with me until I give you the "all clear".
  • If your system is running Discord, please be sure to Exit out of it while this case is on-going.

    Do these 2 steps so that ALL folders & Files are set to SHOW, plus also, Turn OFF Windows Fast start.
    Show-Hidden-Folders-Files-Extensions
    https://forums.malwarebytes.com/topic/299345-show-hidden-folders-files-extensions/

    Disable-Fast-Startup
    https://forums.malwarebytes.com/topic/299350-disable-fast-startup/

This following advice is just a first step scan.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted items from a system. This tool does not install. It is run on-demand.

This link is for the 64-bit version of MSERT.exe. Be sure you save the file first.
https://definitionupdates.microsoft.com/download/DefinitionUpdates/safetyscanner/amd64/MSERT.exe

Upon completion of the save, please make sure you exit out of any other program you might have open, so that the sole task is to run the following scan.
That goes especially for web browsers; make sure all are fully exited out of, and that messenger programs are exited and closed as well.

Launch MSERT.exe
Accept the agreement terms of Microsoft
Select CUSTOM scan
Look on Scan Options & select CUSTOM scan & then select the C drive to be scanned.

Then start the scan. Have lots of patience. Once you start the scan and you see it has started, then leave it be.

Once you see it has started, take a long, long break; walk away. Do not give credence to any intermediate early flash messages on the screen display. The only thing that counts is the end result at the end of the run.
Again, any on-screen display about a repeat 'infection' is not to be relied on. Ignore those.
We only rely on the end result that is in the log report file.

This is likely to run for many hours (depending on the number of files on your machine and the speed of the hardware).

The log is named MSERT.log and will be at

Windows\debug\msert.log

Please attach that log with your reply.

It is normal for the Microsoft Safety Scanner to show 'detections' during the scan process on the screen itself.

It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.

We will do more after this. Have much patience and stick with me on this case.

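The detection name in the first post, Trojan.Multi.GenAutorunReg.a, suggests a registry autorun entry, and Maurice notes the Kaspersky screen-grab seems to flag the hosts file. As an added triage example (not from this thread, and not code from Kaspersky, Malwarebytes or the helper), the following read-only PowerShell script lists the Run/RunOnce autorun values with the Authenticode status of each launched executable and prints any hosts-file line beyond comments and the stock localhost entries; the key list, the user-writable-path heuristic and the hosts regex are this example's own assumptions.

```powershell
# Added example for this thread (not code from Kaspersky, Malwarebytes or the helper).
# Read-only triage: lists autorun registry values and non-default hosts lines.
# Run in an elevated PowerShell 5.1+ session; nothing is changed or removed.

# Registry locations whose values are launched at logon (assumed coverage; not exhaustive).
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutorunEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath, PSParentPath etc.; skip those.
            if ($p.Name -like 'PS*') { continue }
            $cmd = [string]$p.Value
            # Executable is either the quoted first token or the first whitespace-delimited token.
            $exe = if ($cmd -match '^\s*"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+', 2)[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $sig = 'FileMissing'
            if ($exe -and (Test-Path -LiteralPath $exe -PathType Leaf)) {
                # Status is Valid, NotSigned, HashMismatch, UnknownError ...
                $sig = (Get-AuthenticodeSignature -LiteralPath $exe).Status
            }
            [pscustomobject]@{
                Key          = $key
                Name         = $p.Name
                Executable   = $exe
                Signature    = $sig
                # Heuristic only: autoruns living in user-writable folders deserve a closer look.
                UserWritable = [bool]($exe -match '\\AppData\\|\\Temp\\|\\Users\\Public\\')
            }
        }
    }
}

function Get-HostsOverrides {
    # Anything beyond comments, blank lines and the stock localhost lines is worth reading.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content -LiteralPath $hosts | Where-Object {
        $_ -notmatch '^\s*#' -and $_ -notmatch '^\s*$' -and
        $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$'
    }
}

Get-AutorunEntries | Sort-Object Signature, Key | Format-Table -AutoSize
'--- hosts file lines other than comments and localhost ---'
Get-HostsOverrides
```

Save it as a .ps1 and run it as administrator; an unsigned or user-writable autorun is a lead to compare against the scanner reports, not proof of infection.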

The MS Safety Scanner found no threats. One other scan here.

TrendMicro HouseCall scan
from this Link

First, Download & Save to your Downloads folder the appropriate HouseCallLauncher
Once the download is complete, go to where the Housecalllauncher is saved & double-click it to start it.

The program will check with TrendMicro and do an update run.

Next it will show the Disclosure window.

Click Next to proceed.

The end user license agreement is presented. Click the Accept radio button and click Next to proceed.

I suggest a CUSTOM scan on C drive.

IF you wish a Full scan or a Custom scan, first click on the Settings

then you can select which drives you want to include in the scan.

The default is a Quick scan.

Click Scan now when ready.

The scan progress will then be displayed. Monitor the progress or just leave it alone until it finishes this phase.

When the scan phase has completed, if any items are tagged, you will see a list showing the file and its location, the classification of the threat, the type, the risk, and the Action option.

If you see an item that you know is safe, you can click the Action and select Ignore.

When all done & ready, click the Fix now button.
The "Summary" at the end at "Review Results" is what matters.


I have to mention that we here (helpers and Experts) rely totally on known security scanners and the results reported in their logs.

Start Malwarebytes. Click the Settings (gear) icon. Next, let's make really sure that Malwarebytes does NOT register with Windows Security Center.

Click the Security Tab. Scroll down to

"Windows Security Center"

Click the selection to the left for the line "Always register Malwarebytes in the Windows Security Center".
(We want that to be set to Off. Be sure that line's radio-button selection is all the way to the left. Thanks.)

This will not affect any real-time protection of Malwarebytes for Windows 😃.

  • now Click the General tab.
  • Under Application updates, click the Check for updates button.

When it shows a new version available, Accept it and let it proceed forward.  Be sure it succeeds.

If prompted to do a Restart, just please follow all directions.

Let me know how that goes. Next, the Malwarebytes scan.

Next, click the small x on the Settings line to go to the main Malwarebytes window. Then click the blue button marked Scan.

 

When the scan phase is done, be really sure you review and have all detected line items check-marked on each line on the left. That too is very critical.

👉 You can actually click the topmost left check-box on the very top line to get ALL lines ticked (all selected). 💢

[Image: MB4_scan_tick_ALL.jpg]

Please double verify you have that TOP check-box tick-marked, and that then all lines have a tick-mark.

 

Then click on the Quarantine button.

[Image: MB4_scan_all_Quarantine2.jpg]

Then locate the scan run report, export out a copy, and attach it with your reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4


@Maurice Naggar

Here you go. I think I did it right.

 

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 9/11/23
Scan Time: 1:55 PM
Log File: b7f52ab8-50d4-11ee-9063-00d8611a8b2f.json

-Software Information-
Version: 4.6.0.277
Components Version: 1.0.2114
Update Package Version: 1.0.75183
License: Trial

-System Information-
OS: Windows 10 (Build 19045.3324)
CPU: x64
File System: NTFS
User: System

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Scheduler
Result: Completed
Objects Scanned: 401288
Threats Detected: 0
Threats Quarantined: 0
Time Elapsed: 2 min, 28 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)


That scan is perfectly fine and great. Remember to just "attach" reports as we go along. There is a lot of scrolling to do here.

[ Do a custom scan with Microsoft Defender Antivirus ]

I just want to do a visual check in Windows Security to see (visually) that Microsoft Defender is on, and to do a Custom scan.

From the Windows Start menu, select Settings, then select Update and Security.

Next, look at the left-side menu & select Windows Security

Next, In Windows Security section: Click on the grey button Open Windows Security

Now, click on the shield Virus and threat protection

Look to see that Microsoft Defender is shown & available for use.

On the next display, look at all the options. Look down the list and see "Check for Updates".

You should click on that to have the system check for updates for Windows Defender. Watch and wait for that to complete.

Please also note that the Scan options (all) can be displayed by clicking on Scan options. Click that, select CUSTOM scan, then pick the C drive and have it go forward.

Once it has started the scan phase, you can go take a long break. Let me know the results.


That is great. I do believe we can proceed to wrap up this case. I would recommend getting a readout report as to the update status of some key apps.
Temporarily disable Microsoft SmartScreen to download the next software below.

Download SecurityCheck by glax24 from here

and save the tool on the desktop.

If Windows SmartScreen blocks that with a message window, then click on the MORE INFO spot and override that and allow it to proceed.

This tool is safe. SmartScreen is overly sensitive.

Right-click with your mouse on the SecurityCheck.exe and select "Run as administrator", and reply YES to allow it to run and go forward.
Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file. Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt


@Maurice Naggar Possibly going to do a system reset anyway. I've been wanting to try Windows 10 LTSC. I just want to know if I can do it and keep my files now.

SecurityCheck by glax24 & Severnyj v.1.4.0.54 [06.12.21]
WebSite: www.safezone.cc
DateLog: 13.09.2023 18:42:41
Path starting: C:\Users\No Name\AppData\Local\Temp\SecurityCheck\SecurityCheck.exe
Log directory: C:\SecurityCheck\
IsAdmin: True
User: No Name
VersionXML: 10.66is-03.09.2023
___________________________________________________________________________

Windows 10(6.3.19045) (x64) Core Release: 2009 Lang: English(0409)
Installation date OS: 19.03.2021 21:17:45
LicenseStatus: Windows(R), Core edition The machine is permanently activated.
Boot Mode: Normal
Default Browser: C:\Users\No Name\AppData\Local\Programs\Opera GX\Launcher.exe
SystemDrive: C: FS: [NTFS] Capacity: [930.4 Gb] Used: [465 Gb] Free: [465.4 Gb]
------------------------------- [ Windows ] -------------------------------
User Account Control enabled (Level 3)
Security Center (wscsvc) - The service is running
Remote Registry (RemoteRegistry) - The service has stopped
SSDP Discovery (SSDPSRV) - The service is running
Remote Desktop Services (TermService) - The service has stopped
Windows Remote Management (WS-Management) (WinRM) - The service has stopped
---------------------------- [ Antivirus_WMI ] ----------------------------
Windows Defender (enabled and up to date)
--------------------------- [ FirewallWindows ] ---------------------------
Windows Defender Firewall (mpssvc) - The service is running
--------------------------- [ AntiSpyware_WMI ] ---------------------------
Windows Defender (enabled and up to date)
---------------------- [ AntiVirusFirewallInstall ] -----------------------
Malwarebytes version 4.6.1.280 v.4.6.1.280
-------------------------- [ SecurityUtilities ] --------------------------
HitmanPro 3.8 v.3.8.30.326
--------------------------- [ OtherUtilities ] ----------------------------
calibre 64bit v.5.44.0 Warning! Download Update
NVIDIA GeForce Experience 3.27.0.112 v.3.27.0.112
Oracle VM VirtualBox 7.0.10 v.7.0.10
SumatraPDF v.3.4.6
Python 3.10.6 (64-bit) v.3.10.6150.0 Warning! Download Update
Python 3.11.4 (64-bit) v.3.11.4150.0 Warning! Download Update
Python 3.8.1 (32-bit) v.3.8.1150.0 Warning! Download Update
Microsoft Visual Studio Code (User) v.1.81.1
Python 3.7.4 (32-bit) v.3.7.4150.0 Warning! Download Update
Notepad++ (32-bit x86) v.7.6.4 Warning! Download Update
Steam v.2.10.91.91
Epic Games Launcher v.1.1.183.0
------------------------------- [ Backup ] --------------------------------
Microsoft OneDrive v.23.174.0820.0003 [+]
------------------------------ [ ArchAndFM ] ------------------------------
WinRAR 5.70 (64-bit) v.5.70.0 Warning! Download Update
------------------------------- [ Imaging ] -------------------------------
Krita (x64) 5.0.0 v.5.0.0.52
-------------------------- [ IMAndCollaborate ] ---------------------------
Discord v.0.0.309 Warning! Download Update
--------------------------------- [ P2P ] ---------------------------------
qBittorrent v.4.5.5
-------------------------------- [ Java ] ---------------------------------
Java 8 Update 211 v.8.0.2110.12 Warning! Download Update
Uninstall old version and install new one (jre-8u381-windows-i586.exe).
-------------------------------- [ Media ] --------------------------------
VLC media player v.3.0.18
Spotify v.1.2.19.941.gbf202593
Audacity 2.4.2 v.2.4.2 Warning! Download Update
--------------------------- [ AdobeProduction ] ---------------------------
Adobe Creative Cloud v.4.3.0.256 Warning! Download Update
Adobe Flash Player 32 NPAPI v.32.0.0.465 Warning! This software is no longer supported. Please uninstall it.
Adobe Flash Player 32 PPAPI v.32.0.0.465 Warning! This software is no longer supported. Please uninstall it.
------------------------------- [ Browser ] -------------------------------
Mozilla Firefox (x64 en-US) v.117.0
Opera GX Stable 101.0.4843.81 v.101.0.4843.81
Google Chrome v.117.0.5938.62 [+]
Microsoft Edge v.116.0.1938.81 [+]
------------------ [ AntivirusFirewallProcessServices ] -------------------
HitmanPro Scheduler (HitmanProScheduler) - The service is running
C:\Program Files\HitmanPro\hmpsched.exe v.3.8.30.326
Malwarebytes Service (MBAMService) - The service has stopped
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\MsMpEng.exe v.4.18.23080.2006
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23080.2006-0\NisSrv.exe v.4.18.23080.2006
Microsoft Defender Antivirus Service (WinDefend) - The service is running
Microsoft Defender Antivirus Network Inspection Service (WdNisSvc) - The service is running
---------------------------- [ UnwantedApps ] -----------------------------
CCleaner v.6.15 Warning! Suspected demo version of anti-spyware, driver updater or optimizer. If this program is not familiar to you it is recommended to uninstall it and execute PC scanning using Malwarebytes Anti-Malware. Possible you became a victim of fraud or social engineering. Computer experts no longer recommend this program.
JDownloader 2 v.2.0 Warning! Suspected Adware! If this program is not familiar to you it is recommended to uninstall it and execute PC scanning using Malwarebytes Anti-Malware and Malwarebytes AdwCleaner. Before uninstallation and scanning it is necessary to consult in the forum where cure is provided for you!!!
----------------------------- [ End of Log ] ------------------------------ 


  • 1 month later...
  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks
