Trojans took control of machine


Solved by Maurice Naggar


So recently I've made a mistake of downloading a really strong virus. It uninstalled Windows Defender completely and is replacing antiviruses with a fake one:

[screenshot]

"You don’t have permission to modify files in this network location"

[screenshot]

That is the fake antivirus I was talking about.

[screenshot]

Windows Security and Security Center are missing.

[screenshot]

When I click "Open Windows Security" nothing appears.
Please reply as soon as possible, thank you so much.


@miguel2323 Let's get the info to get the process started.

While you are waiting for the next qualified/approved malware removal expert helper to take on your case, even though you may have run the following Malwarebytes utility or its subsets, please carefully follow these instructions: Do not try any other cleaning of any kind after running the support tool. Use the computer as little as possible, or even better don’t use it at all except to check this topic and follow the instructions given.

Do these 2 steps so that ALL folders & Files are set to SHOW, plus also, Turn OFF Windows Fast start.
Show-Hidden-Folders-Files-Extensions
https://forums.malwarebytes.com/topic/299345-show-hidden-folders-files-extensions/

Disable-Fast-Startup
https://forums.malwarebytes.com/topic/299350-disable-fast-startup/

Next.

Start Malwarebytes. Click the Settings (gear) icon. Next, let's make real sure that Malwarebytes does NOT register with Windows Security Center.

"Windows Security Center"

Click the selection to the left for the line "Always register Malwarebytes in the Windows Security Center".
{ We want that to be set as Off .... be sure that line's radio-button selection is all the way to the Left. Thanks. }

This will not affect any real-time protection of the Malwarebytes for Windows    😃.

Close Malwarebytes.

 

Then do the following after restart.

WARNING: Do Not click the Repair System under Advanced unless requested by a Malwarebytes support agent or authorized helper

  1. Download the Malwarebytes Support Tool.
  2. In your Downloads folder, open the mb-support-x.x.x.xxx.exe file.
  3. In the User Account Control (UAC) pop-up window, click Yes to continue the installation.
  4. Run the MBST Support Tool.
  5. In the left navigation pane of the Malwarebytes Support Tool, click Advanced.
  6. In the Advanced Options, click only Gather Logs. A status diagram displays the tool is Getting logs from your computer.
  7. A zip file named mbst-grab-results.zip will be saved to the Public desktop, please attach that file in your next reply to this topic. Please do NOT copy and paste.

For the short time between when you post the diagnostic logs, and when your helper weighs in, please take no further self-directed remedial actions that will invalidate the diagnostic logs you will have sent.



Hello :welcome: @miguel2323 My name is Maurice. Please provide and attach the ZIP report mentioned above. Do you remember just on what site you got the download file? It somewhat looks like an Avast was installed. And if that is true, it is normal for the Microsoft Defender to be turned off (that is, disabled). Please provide the report so that I can review. I will guide you going forward.

When you are at a quiet moment, please also do this task.

I would recommend getting a readout report as to update status of some key apps.
Temporarily disable Microsoft SmartScreen to download the next software below 

Download SecurityCheck by glax24 from here

and save the tool on the desktop.

If Windows's SmartScreen blocks that with a message-window, then click on the MORE INFO spot and over-ride that and allow it to proceed.

This tool is safe. SmartScreen is overly sensitive.

Right-click with your mouse on the SecurityCheck.exe and select "Run as administrator" and reply YES to allow it to run & go forward.
Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file. Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt


5 hours ago, Maurice Naggar said: (quoting the post above in full)

I did the steps mentioned, here is the file you asked for
SecurityCheck.txt

[screenshot]

[screenshot]


I automatically get advised each time you post a reply. A personal favor for me, please. Do not click on "Quote" when you begin a reply. Just simply start your text reply inside the white box for replies at the very bottom.

The SecurityCheck does "not" show an actual "antivirus" to be running. I am going to ask that you run a special utility.

I suggest you run AV block remover (AVbr)

Just pick one of your permanent or unique Folder to save it to EXCEPT not the Downloads, NOT the Desktop. Any other Folder. Download and SAVE the file from this link

This tool will have a name AVbr.zip

To use the utility, you need:
1. Download the utility and unzip it to any place convenient for you.  ( Downloads folder, or, Desktop )
2. After unpacking (Extracting all content of the zip file)
3. Run the EXE file
4. If the utility does not start or gives an error, then Stop and let me know

During the operation of the utility, a folder ..\AV_block_remover will be created next to this file, containing, among other things:
file named "AV_block_remove_date-time.log" inside this folder. Please attach that log to your next post.

NEXT, keep going, and be very sure to do this ....because it is very important to do this.

I would like a report set for review. This is a report only.

Please download MALWAREBYTES MBST Support Tool
Be sure it is SAVEd.

Do a RIGHT-click on mb-support-1.9.2.9nn.exe & select "Run as administrator" and reply YES and ALLOW it to proceed.

click Advanced >>> then Gather Logs

Have patience till the run has finished. It may take several minutes to fully generate the report.
Attach the mbst-grab-results.zip from the Desktop to your reply.


Additional notes and additional suggestions.
That "screen" that has the top bar showing "Antivirus security"  and with that orange "v3.2.2.1" at the bottom left
IF you still see that, here is what I urge you to do.
Do not click on or in it. Just hover your mouse pointer over the screen, And then press and hold the ALT key on the keyboard and keep holding and then tap the F4 function-key
That 2 key-keyboard sequence should force that "screen" to close.

Additional actions to do in any event.

( 2 )

This is only a first step. Download and save a file named Iexplore.exe from here https://www.bleepingcomputer.com/download/rkill/dl/11/

and once the browser has finished the download, can you RUN that from there.

That Iexplore is another name for the tool known as RKILL by Bleepingcomputer. 

( 3 )

Create an Autoruns Log:

  • Please download Sysinternals Autoruns from here:   https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
  • Save Autoruns.zip to your computer. Then locate it and extract it to a new folder where you can find and run it.
  • Once it starts you may not be able to easily stop the scan but you can try to press the Escape key on your keyboard.
  • Once scanning is stopped, click on the Options menu at the top of the program and select Scan Options... 
  • Then place a check mark on the following items Verify Code Signatures, Check VirusTotal.com, and Submit Unknown Images
  • Then click the Rescan button. Agree to the VirusTotal EULA
  • Once the new scan has been completed, please click on the File button at the top of the program and select Save, or use the Save icon, and save the Autoruns.arn file to your desktop and close Autoruns.
  • Right-click on the Autoruns.arn file (it will typically be the name of your computer) on your desktop or where you save it, and hover your mouse over Send To and select Compressed (zipped) Folder
  • Attach the Autoruns.zip folder (your computer name.zip) you just created to your next reply.


Thanks for the 2 reports. That is going to be super helpful. The AVBR required a system Restart. That is normal. Please do what I listed above in my post https://forums.malwarebytes.com/topic/302350-a-virus-took-control-of-my-admin-perms/?do=findComment&comment=1589702


This next tool ought to take something in the range of 15 - 25 minutes tops, depending on hardware speed.
get & run the Malwarebytes MBAR anti-rootkit tool to do 1 run with it.
Disregard the title subject of the topic. Run the MBAR tool as listed here:

https://forums.malwarebytes.com/topic/198907-requested-resource-is-in-use-error-unable-to-start-malwarebytes

  • when done, I need the MBAR logs.
  • Upon completion of the scan or after the reboot, two files named mbar-log.txt and system-log.txt will be created.
  • Both files can be found in the extracted MBAR folder on your Desktop.
  • Please attach both files in your next reply.

Be sure to keep me advised about your progress with the MBAR run. We have lots more to do and cleanup. The rogue described as "antivirus security" is a rogue that looks to be from some

Quote: Xylent Groffo

It looks like it has hooks to get it to persist. There is more cleanup that needs to be done.


Hello, again. I am still hoping to get from you the reports from MBAR tool  ( that I posted about before). AFTER that has been completed, here is the next procedure to clean-up the rogue that had a hold of your machine. Take your time. Do not rush this. 

Please run the following custom script. Read all of this before you start. The meaning of the "Fix button" operation here is just to run a custom script just for this particular machine.

Please Close all open work before you actually do begin this run.

FRSTENGLISH.exe program location: Downloads folder. The tool is already on the system. That is what we will use.

Please download the attached fixlist.txt file and save it to Downloads

Fixlist.txt (attached)

NOTE. It's important that both files, FRSTENGLISH, and fixlist.txt are in the same location or the fix will not work.

Right-click with your mouse on  FRSTENGLISH and select "Run as Administrator" and reply Yes and allow it to proceed when prompted. That is important.

next, press the Fix button just once and wait.

You will see a green-color scroll display while FRST is running.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Downloads folder (Fixlog.txt) . Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

The system will be rebooted after the fix has run. Attach FIXLOG.txt with next reply.

NOTICE: For potential outside readers,  This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause harm.


The custom-run is good. The Windows System File Checker has made some corrections.

Windows Resource Protection found corrupt files and successfully repaired them.

This last run has completed what was originally intended.
It removed a bunch of other threats that were deployed by trojans.
This run I believe has removed the other leftover infectious elements. BUT we are not done. There is more work to do.

As I wrote earlier, the MBAR tool had removed 2 trojans.
Malwarebytes can detect and remove most malware with no further actions required for free.

Please download, install, update Malwarebytes
https://support.malwarebytes.com/hc/en-us/articles/360038479134-Download-and-install-Malwarebytes-for-Windows

and do a Threat Scan with Malwarebytes https://support.malwarebytes.com/hc/en-us/articles/360038984773 and post back the log as shown below.
Then, locate the Scan run report; export out a copy; & then attach it with your reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

Keep in mind, even after that run, there is yet more to do.

( 2 ) 

Download   Farbar's Service Scanner utility

and Save to your Desktop.

Right-Click on fss.exe and select Run As Administrator.

Answer Yes to ok when prompted.

If your firewall then puts out a prompt, again, allow it to run.

Once FSS is on-screen, be sure the following items are check-marked:

  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center/Action Center
  • Windows Update
  • Windows Defender
  • Other services

Click on "Scan".

It will create a log (FSS.txt) in the same directory the tool is run.   Please attach that file.  

( 3 ) 

I would recommend getting a readout report as to update status of some key apps.
Download SecurityCheck by glax24 from here

and save the tool on the desktop.

If Windows's SmartScreen blocks that with a message-window, then click on the MORE INFO spot and over-ride that and allow it to proceed.

This tool is safe. SmartScreen is overly sensitive.

Right-click with your mouse on the SecurityCheck.exe and select "Run as administrator" and reply YES to allow it to run & go forward.
Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file. Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

Edited by Maurice Naggar
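As an added, read-only illustration (not output of FSS, SecurityCheck or any other tool in this thread), the following PowerShell script lists the same service families FSS checks above, the products registered with Security Center (where a rogue "antivirus" announces itself so Windows believes it is protected), and the Defender policy values a "disabled Security Center" detection points at. It assumes a standard Windows 10/11 install with the usual service names and is run from an elevated prompt; it changes nothing.

```powershell
# Added example for this thread (not output of FSS or any tool named above):
# a read-only triage that lists the same service families FSS checks,
# the products registered with Security Center, and the Defender policy
# values a "DisabledSecurityCenter" style detection points at.
# Assumes a standard Windows 10/11 install; run from an elevated prompt.

# Service names are the standard Windows ones (assumed present).
$expected = [ordered]@{
    'wscsvc'                = 'Security Center'
    'WinDefend'             = 'Microsoft Defender Antivirus Service'
    'WdNisSvc'              = 'Microsoft Defender Network Inspection'
    'SecurityHealthService' = 'Windows Security Service'
    'MpsSvc'                = 'Windows Defender Firewall'
    'wuauserv'              = 'Windows Update'
}

Write-Host "== Service status =="
foreach ($name in $expected.Keys) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) {
        # A service that is not registered at all is what the helper suspected.
        Write-Host ("MISSING  {0,-22} ({1})" -f $name, $expected[$name])
        continue
    }
    Write-Host ("{0,-8} {1,-22} StartType={2}" -f $svc.Status, $name, $svc.StartType)
}

Write-Host "`n== Products registered with Security Center =="
# A rogue "antivirus" registers here so Windows thinks it is protected.
Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
    Select-Object displayName, pathToSignedProductExe, productState | Format-Table -AutoSize | Out-Host

Write-Host "`n== Defender policy values =="
# These policy values disable Defender or hide Security Center. On a home
# machine with no domain policy, any of them being set is suspicious.
$policyChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'; Name = 'DisableAntiSpyware' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableRealtimeMonitoring' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications'; Name = 'DisableNotifications' }
)
foreach ($c in $policyChecks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        Write-Host ("SET      {0}\{1} = {2}" -f $c.Path, $c.Name, $item.($c.Name))
    } else {
        Write-Host ("absent   {0}\{1}" -f $c.Path, $c.Name)
    }
}

Write-Host "`n== Defender engine state (Defender PowerShell module) =="
try {
    Get-MpComputerStatus -ErrorAction Stop |
        Select-Object AMServiceEnabled, AntivirusEnabled, RealTimeProtectionEnabled,
                      AntivirusSignatureLastUpdated | Format-List | Out-Host
} catch {
    Write-Host "Get-MpComputerStatus failed: Defender platform is not reachable"
}
```

A MISSING line for wscsvc or WinDefend, an unfamiliar displayName under Security Center, or any SET policy value on a home machine matches the symptoms the original poster described and is worth including in the reports a helper asks for.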

AdvancedSetup changed the title to "Trojans took control of machine"

There are some identified threats by the Malwarebytes that are present and that were not "ticked" ( meaning not specifically accepted by you for action).
There is PUM.Optional.DisabledSecurityCenter and also PUP.Optional.BundleInstaller

The log-report also said in Portuguese "Nenhuma ação pelo usuário", in English "No action by user".


IF you have lots of open application windows, you should see about Closing some or most so that you have a good clear view.

Then Launch Malwarebytes program. Next click the blue button marked Scan.

When the scan phase is done, be real sure you Review and have all detected lines items check-marked on each line on the left. That too is very critical.

👉 You can actually click the topmost left check-box on the very top line to get ALL lines ticked (all selected).

[screenshot: MB4_scan_tick_ALL.jpg]

Please double verify you have that TOP check-box tick marked, and that then all lines have a tick-mark.

Then click on the Quarantine button.

[screenshot: MB4_scan_all_Quarantine2.jpg]

 


Then, locate the Scan run report; export out a copy; & then attach it with your reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

(   2   )

Let's do one scan with Malwarebytes Adwcleaner to check for adwares. Just before pressing that "scan" button, be sure that Chrome & Edge, or other web browser are Closed.

It will not take much time,

First download & save it
guide & download link

Then be sure to close all web browsers after the download & before launching the tool.

Then go to where the EXE file is saved. Start Adwcleaner.  Then do a scan with Adwcleaner

Guide article

Attach the clean log from Adwcleaner when all completed.

 

There is much more even after this.

 


Thank you. Both of those scan results are good cleanups. But there is more to do.
Do understand that since the install of Malwarebytes, that it is now the "resident" security app. It is in a 2 week Trial mode. The real-time protections of Malwarebytes will keep the machine safe from further harm.
Eventually, we can get back all the protections of Microsoft Defender antivirus; but that will take other extra steps.
I believe that this machine is missing some 3 security related Windows services.

What I would like to do at this point, is to do 2 or 3 scans with different on-demand trusted scanners.
 As a next step, I suggest the following:
This is for a scan with ESET Onlinescanner (free). ESET is a well-respected, well-known entity and tool. ESET Onlinescanner checks for viruses, other malware, adwares, & potentially unwanted applications.
This here you can start & once it is under way, you can leave the machine alone & let it run over-night. No need to keep watch once it starts the actual scan run.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

It will start a download of "esetonlinescanner.exe"

  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started.

  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes
  • When prompted for scan type, Click on CUSTOM scan  and select C drive to be scanned
  • Look at & tick ( select ) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"
  • and click on Start scan button.

Have patience. The entire process may take an hour or more. There is an initial update download.
There is a progress window display. You may step away from the machine & let it be. That is, once it is under way, you should leave it running. It will run for several hours.

  • At screen "Detections occurred and resolved" click on blue button "View detected results"
  • On next screen, at lower left, click on blue "Save scan log"
  • View where file is to be saved. Provide a meaningful name for the "File name:"
  • On last screen, set to Off (left) the option for Periodic scanning
  • Click "save and continue"
  • Please attach the report file so I can review