miguel2323 Posted September 17, 2023 ID:1589566

So recently I've made the mistake of downloading a really strong virus. It uninstalled Windows Defender completely and is replacing antiviruses with a fake one: "You don't have permission to modify files in this network location". That is the fake antivirus I was talking about. Windows Security and Security Central is missing; when I click "Open Windows Security" nothing appears. Please reply as soon as possible, thank you so much.

Porthos Posted September 17, 2023 ID:1589567

@miguel2323 Let's get the info to get the process started.

While you are waiting for the next qualified/approved malware removal expert helper to take on your case, even though you may have run the following Malwarebytes utility or its subsets, please carefully follow these instructions:

Do not try any other cleaning of any kind after running the support tool.
Use the computer as little as possible, or even better don't use it at all except to check this topic and follow the instructions given.

Do these 2 steps so that ALL folders & files are set to SHOW, plus also, turn OFF Windows Fast start.
Show-Hidden-Folders-Files-Extensions https://forums.malwarebytes.com/topic/299345-show-hidden-folders-files-extensions/
Disable-Fast-Startup https://forums.malwarebytes.com/topic/299350-disable-fast-startup/

Next. Start Malwarebytes. Click Settings ( gear ) icon.
Next, let's make real sure that Malwarebytes does NOT register with Windows Security Center.
"Windows Security Center": Click the selection to the left for the line "Always register Malwarebytes in the Windows Security Center". { We want that to be set as Off .... be sure that line's radio-button selection is all the way to the Left. Thanks. }
This will not affect any real-time protection of the Malwarebytes for Windows 😃.
Close Malwarebytes.

Then do the following after restart.

WARNING: Do Not click the Repair System under Advanced unless requested by a Malwarebytes support agent or authorized helper.

Download the Malwarebytes Support Tool.
In your Downloads folder, open the mb-support-x.x.x.xxx.exe file.
In the User Account Control (UAC) pop-up window, click Yes to continue the installation.
Run the MBST Support Tool.
In the left navigation pane of the Malwarebytes Support Tool, click Advanced.
In the Advanced Options, click only Gather Logs. A status diagram displays the tool is Getting logs from your computer.
A zip file named mbst-grab-results.zip will be saved to the Public desktop, please attach that file in your next reply to this topic. Please do NOT copy and paste.

For the short time between when you post the diagnostic logs, and when your helper weighs in, please take no further self-directed remedial actions that will invalidate the diagnostic logs you will have sent.

Maurice Naggar Posted September 17, 2023 ID:1589584

Hello @miguel2323
My name is Maurice. Please provide and attach the ZIP report mentioned above.
Do you remember just on what site you got the download file?
It somewhat looks like Avast was installed. And if that is true, it is normal for the Microsoft Defender to be turned off ( that is, disabled ).
Please provide the report so that I can review. I will guide you going forward.

When you are at a quiet moment, please also do this task. I would recommend getting a readout report as to update status of some key apps.

Temporarily disable Microsoft SmartScreen to download the next software below.
Download SecurityCheck by glax24 from here and save the tool on the desktop.
If Windows's SmartScreen blocks that with a message-window, then click on the MORE INFO spot and over-ride that and allow it to proceed. This tool is safe. SmartScreen is overly sensitive.
Right-click with your mouse on the Securitycheck.exe and select "Run as administrator" and reply YES to allow to run & go forward.
Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file. Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

miguel2323 Posted September 18, 2023 Author ID:1589615

I did the steps mentioned, here is the file you asked for: SecurityCheck.txt

Maurice Naggar Posted September 18, 2023 ID:1589696

I automatically get advised each time you post a reply. A personal favor for me, please. Do not click on "Quote" when you begin a reply. Just simply start your text reply inside the white box for replies at the very bottom.

The Securitycheck does "not" show an actual "antivirus" to be running.

I am going to ask that you run a special utility. I suggest you run AV block remover (AVbr).
Just pick one of your permanent or unique Folders to save it to EXCEPT not the Downloads, NOT the Desktop. Any other Folder.
Download and SAVE the file from this link. This tool will have a name AVbr.zip

To use the utility, you need:
1. Download the utility and unzip it to any place convenient for you. ( Downloads folder, or, Desktop )
2. After unpacking (Extracting all content of the zip file)
3. Run the EXE file
4. If the utility does not start or gives an error, then Stop and let me know

During the operation of the utility, a folder ..\AV_block_remover will be created next to this file, containing, among other things: file named "AV_block_remove_date-time.log" inside this folder. Please attach that log to your next post.

NEXT, keep going, and be very sure to do this .... because it is very important to do this.
I would like a report set for review. This is a report only.
Please download MALWAREBYTES MBST Support Tool. Be sure it is SAVEd.
Do a RIGHT-click on mb-support-1.9.2.9nn.exe & select "Run as administrator" and reply YES and ALLOW it to proceed.
Click Advanced >>> then Gather Logs.
Have patience till the run has finished. It may take several minutes to fully generate the report.
Attach the mbst-grab-results.zip from the Desktop to your reply.

Maurice Naggar Posted September 18, 2023 ID:1589702

Additional notes and additional suggestions.

That "screen" that has the top bar showing "Antivirus security" and with that orange "v3.2.2.1" at the bottom left: IF you still see that, here is what I urge you to do.
Do not click on or in it. Just hover your mouse pointer over the screen, and then press and hold the ALT key on the keyboard and keep holding and then tap the F4 function-key.
That 2 key-keyboard sequence should force that "screen" to close.

Additional actions to do in any event.

( 2 ) This is only a first step. Download and save a file named Iexplore.exe from here https://www.bleepingcomputer.com/download/rkill/dl/11/ and once the browser has finished the download, can you RUN that from there.
That Iexplore is another name for the tool known as RKILL by Bleepingcomputer.

( 3 ) Create an Autoruns Log:
Please download Sysinternals Autoruns from here: https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
Save Autoruns.zip to your computer. Then locate it and extract it to a new folder where you can find and run it.
Once it starts you may not be able to easily stop the scan but you can try to press the Escape key on your keyboard.
Once scanning is stopped, click on the Options menu at the top of the program and select Scan Options...
Then place a check mark on the following items: Verify Code Signatures, Check VirusTotal.com, and Submit Unknown Images.
Then click the Rescan button. Agree to the VirusTotal EULA.
Once the new scan has been completed, please click on the File button at the top of the program and select Save, or use the Save icon, and save the Autoruns.arn file to your desktop and close Autoruns.
Right-click on the Autoruns.arn file (it will typically be the name of your computer) on your desktop or where you save it, and hover your mouse over Send To and select Compressed (zipped) Folder.
Attach the Autoruns.zip folder (your computer name.zip) you just created to your next reply.

miguel2323 Posted September 18, 2023 Author ID:1589703

During the process of AVbr and saving mbst support tool, my pc restarted suddenly. Is that normal? Also, here is the log AVbr collected: AV_block_remove_2023.09.18-13.20.log

It's been a while, I collected the logs successfully from mbst too: mbst-grab-results.zip

Maurice Naggar Posted September 18, 2023 ID:1589705

Thanks for the 2 reports. That is going to be super helpful. The AVBR required a system Restart. That is normal.
Please do what I listed above in my post https://forums.malwarebytes.com/topic/302350-a-virus-took-control-of-my-admin-perms/?do=findComment&comment=1589702

miguel2323 Posted September 18, 2023 Author ID:1589706

I did the new steps you mentioned, here it is: Rkill.txt Autoruns.zip

Maurice Naggar Posted September 18, 2023 ID:1589707

Thank you.

Maurice Naggar Posted September 18, 2023 ID:1589709

This next tool ought to take something in the range of 15 - 25 minutes tops, depending on hardware speed.
Get & run the Malwarebytes MBAR anti-rootkit tool to do 1 run with it. Disregard the title subject of the topic.
Run the MBAR tool as listed here https://forums.malwarebytes.com/topic/198907-requested-resource-is-in-use-error-unable-to-start-malwarebytes

When done, I need the MBAR logs. Upon completion of the scan or after the reboot, two files named mbar-log.txt and system-log.txt will be created. Both files can be found in the extracted MBAR folder on your Desktop. Please attach both files in your next reply.

Maurice Naggar Posted September 18, 2023 ID:1589719

Be sure to keep me advised about your progress with the MBAR run. We have lots more to do and cleanup.
The rogue described as "antivirus security" is a rogue that looks to be from some "Xylent Groffo".
It looks like it has hooks to get it to persist. There is more cleanup that needs to be done.

Maurice Naggar Posted September 18, 2023 ID:1589779

Hello, again. I am still hoping to get from you the reports from MBAR tool ( that I posted about before ).
AFTER that has been completed, here is the next procedure to clean-up the rogue that had a hold of your machine.
Take your time. Do not rush this.

Please run the following custom script. Read all of this before you start. The meaning of the "Fix button" operation here is just to run a custom script just for this particular machine.
Please Close all open work before you actually do begin this run.

FRSTENGLISH.exe program location: Downloads folder. The tool is already on system. That is what we will use.
Please download the attached fixlist.txt file and save it to Downloads: Fixlist.txt <- < - - - -
NOTE. It's important that both files, FRSTENGLISH, and fixlist.txt are in the same location or the fix will not work.
Right-click with your mouse on FRSTENGLISH and select "Run as Administrator" and reply Yes and allow it to proceed when prompted. That is important.
Next, press the Fix button just once and wait. You will see a green-color scroll display while FRST is running.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log in the Downloads folder (Fixlog.txt). Please attach or post it to your next reply.
Note: If the tool warned you about an outdated version please download and run the updated version.
The system will be rebooted after the fix has run. Attach FIXLOG.txt with next reply.

NOTICE: For potential outside readers, this script was written specifically for this user, for use on this particular machine. Running this on another machine may cause harm.

miguel2323 Posted September 19, 2023 Author ID:1589788

I'm home now, I'm gonna do the things you asked for.

miguel2323 Posted September 19, 2023 Author ID:1589793

I'll be sending the logs soon.

Maurice Naggar Posted September 19, 2023 ID:1589797

That's a very good run. MBAR has found ( at least ) 2 trojans. Keep doing all of the rest I had listed before, including also the custom Fix too.

miguel2323 Posted September 19, 2023 Author ID:1589798

here it is: system-log.txt mbar-log-2023-09-18 (21-47-48).txt

Maurice Naggar Posted September 19, 2023 ID:1589799

Thank you. Keep on with the rest.

miguel2323 Posted September 19, 2023 Author ID:1589801

Done: Fixlog.txt

Hey, I'm logging off for now. Please, send me the next instructions, I'll be responding tomorrow (BRT). Thanks for your help. Goodnight.

Maurice Naggar Posted September 19, 2023 ID:1589806

The custom-run is good. The Windows System File Checker has made some corrections: Windows Resource Protection found corrupt files and successfully repaired them.
This last run has completed what was originally intended. It removed a bunch of other threats that were deployed by trojans. This run I believe has removed the other leftover infectious elements.
BUT we are not done. There is more work to do. As I wrote earlier, the MBAR tool had removed 2 trojans.

Malwarebytes can detect and remove most malware with no further actions required for free.
Please download, install, update Malwarebytes https://support.malwarebytes.com/hc/en-us/articles/360038479134-Download-and-install-Malwarebytes-for-Windows
and do a Threat Scan with Malwarebytes https://support.malwarebytes.com/hc/en-us/articles/360038984773 and post back the log as shown below.
Then, locate the Scan run report; export out a copy; & then attach in with your reply. See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4
Keep in mind, even after that run, there is yet more to do.

( 2 ) Download Farbar's Service Scanner utility and Save to your Desktop.
Right-click on fss.exe and select Run As Administrator. Answer Yes to ok when prompted. If your firewall then puts out a prompt, again, allow it to run.
Once FSS is on-screen, be sure the following items are check-marked:
Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender
Other services
Click on "Scan". It will create a log (FSS.txt) in the same directory the tool is run. Please attach that file.

( 3 ) I would recommend getting a readout report as to update status of some key apps.
Download SecurityCheck by glax24 from here and save the tool on the desktop.
If Windows's SmartScreen blocks that with a message-window, then click on the MORE INFO spot and over-ride that and allow it to proceed. This tool is safe. SmartScreen is overly sensitive.
Right-click with your mouse on the Securitycheck.exe and select "Run as administrator" and reply YES to allow to run & go forward.
Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file. Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

Edited September 19, 2023 by Maurice Naggar

miguel2323 Posted September 19, 2023 Author ID:1589971

done: Malwarebytes logs.txt FSS.txt SecurityCheck.txt

Maurice Naggar Posted September 19, 2023 ID:1590000

There are some identified threats by the Malwarebytes that are present and that were not "ticked" ( meaning not specifically accepted by you for action ). There is PUM.Optional.DisabledSecurityCenter and also PUP.Optional.BundleInstaller.
The log-report also said in Portuguese "Nenhuma ação pelo usuário", in English "No action by user".

IF you have lots of open application windows, you should see about Closing some or most so that you have a good clear view.
Then Launch Malwarebytes program. Next click the blue button marked Scan.
When the scan phase is done, be real sure you Review and have all detected lines items check-marked on each line on the left. That too is very critical.
>>>>>> 👉 You can actually click the topmost left check-box on the very top line to get ALL lines ticked ( all selected ). <<<< 💢
Please double verify you have that TOP check-box tick marked, and that then, all lines have a tick-mark.
Then click on Quarantine button.
Then, locate the Scan run report; export out a copy; & then attach in with your reply. See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

( 2 ) Let's do one scan with Malwarebytes Adwcleaner to check for adwares. Just before pressing that "scan" button, be sure that Chrome & Edge, or other web browsers are Closed. It will not take much time.
First download & save it: guide & download link
Then be sure to close all web browsers after the download & before launching the tool.
Then go to where the EXE file is saved. Start Adwcleaner. Then do a scan with Adwcleaner: Guide article
Attach the clean log from Adwcleaner when all completed.

There is much more even after this.

miguel2323 Posted September 19, 2023 Author ID:1590004

done: AdwCleaner[C00].txt results.txt results.txt

miguel2323 Posted September 19, 2023 Author ID:1590005

Oops, I've sent 2 by mistake, my bad.

Maurice Naggar Posted September 19, 2023 ID:1590013

Thank you. Both of those scan results are good cleanups. But there is more to do.
Do understand that since the install of Malwarebytes, that it is now the "resident" security app. It is in a 2 week Trial mode. The real-time protections of Malwarebytes will keep the machine safe from further harm.
Eventually, we can get back all the protections of Microsoft Defender antivirus; but that will take other extra steps. I believe that this machine is missing some 3 security related Windows services.
What I would like to do at this point, is to do 2 or 3 scans with different on-demand trusted scanners.

As a next step, I suggest the following: This is for a scan with ESET Onlinescanner (free). ESET is a well-respected, well-known entity and tool. ESET Onlinescanner checks for viruses, other malware, adwares, & potentially unwanted applications.
This here you can start & once it is under way, you can leave the machine alone & let it run over-night. No need to keep watch once it starts the actual scan run.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe
It will start a download of "esetonlinescanner.exe". Save the file to your system, such as the Downloads folder, or else to the Desktop.
Go to the saved file, and double click it to get it started.
When presented with the initial ESET options, click on "Computer Scan".
Next, when prompted by Windows, allow it to start by clicking Yes.
When prompted for scan type, click on CUSTOM scan and select C drive to be scanned.
Look at & tick ( select ) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on Start scan button.
Have patience. The entire process may take an hour or more. There is an initial update download. There is a progress window display.
You may step away from the machine & let it be. That is, once it is under way, you should leave it running. It will run for several hours.
At screen "Detections occurred and resolved" click on blue button "View detected results".
On next screen, at lower left, click on blue "Save scan log".
View where file is to be saved. Provide a meaningful name for the "File name:"
On last screen, set to Off (left) the option for Periodic scanning.
Click "save and continue".
Please attach the report file so I can review.
