Jump to content

MSBuild.exe RTP detection

Bojano

By Bojano
in Resolved Malware Removal Logs

 Share

Recommended Posts

Bojano

Bojano

Posted
Posted

Hi there,

I've recently kept getting notifications about blocked website coming from
 C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

I used Norton and Malwarebytes scans and alse Norton Power Eraser and nothing helped.
After reading some advices in forums I disabled "Always register Malwarebytes in the Windows Security Center

Below I've attached my results from MBST

Thanks for your help

(end)

mbst-grab-results.zip

Link to post
Share on other sites
Maurice Naggar

Maurice Naggar

Posted
Posted

Hello. My name is Maurice. I will guide you going forward.

  • Removing pesky malware can be an involved set of tasks over separate runs. Have much patience. Follow my directions. 
  • Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Only run the tools I guide you to.
  • Do not run online games while case is on-going. Do not do any free-wheeling web-surfing.
  • The removal of malware isn't instantaneous, please be patient.
  • Cracked or or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed, is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
  • Please stick with me until I give you the "all clear".
  • If your system is running Discord, please be sure to Exit out of it while this case is on-going.

    Do these 2 steps so that ALL folders & Files are set to SHOW, plus also, Turn OFF Windows Fast start.
    Show-Hidden-Folders-Files-Extensions
    https://forums.malwarebytes.com/topic/299345-show-hidden-folders-files-extensions/

    Disable-Fast-Startup
    https://forums.malwarebytes.com/topic/299350-disable-fast-startup/

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted items from a system. This tool does not install. It is run on-demand.

This link is for the 64-bit version of MSERT.exe . Be sure you save the file first

Upon completion of the save, Please make sure you Exit out of any other program you might have open so that the sole task is to run the following scan.
That goes especially for web browsers, make sure all are fully exited out of and messenger programs are exited and closed as well

Launch MSERT.exe
Accept the agreement terms of Microsoft
Select CUSTOM scan
Look on Scan Options & select CUSTOM scan & then select the C drive to be scanned.

Then start the scan. Have lots of patience. Once you start the scan & you see it started, then leave it be.

Once you see it has started, take a long long break; walk away. Do not pay credence if you see some intermediate early flash messages on screen display. The only things that count are the End result at the end of the run.
Again, any on-screen display about repeat 'infection' is not to be relied on. Ignore those.
We only rely on the end result that is on the log-report-file.


This is likely to run for many hours ( depending on number of files on your machine & the speed of hardware.)

The log is named MSERT.log

the log will be at

Windows\debug\msert.log
Please attach that log with your reply

It is normal for the Microsoft Safety Scanner to show 'detections' during the scan process on the screen itself.

It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.

Link to post
Share on other sites
Maurice Naggar

Maurice Naggar

Posted
Posted

AFTER the completion of the Microsoft Safety Scanner run has completed, this is the next procedure to do.

Please run the following custom script. Read all of this before you start. The meaning of the "Fix button" operation here is just to run a custom script just for this particular machine.

NOTE-1:  This custom fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will attempt to clear Cache files of web browsers.  It will attempt to clear temporary file areas. It rebuilds the Winsock. Depending on the speed of your computer this fix may take 50-55 minutes or more.

Please Close all open work before you actually do begin this run.

FRSTENGLISH,exe  program location:   Downloads folder. The tool is already on system. That is what we will use.

Please download the attached fixlist.txt file and save it to Downloads

Fixlist.txt <- < - - - -

NOTE. It's important that both files, FRSTENGLISH, and fixlist.txt are in the same location or the fix will not work.

Right-click with your mouse on  FRSTENGLISH and select "Run as Administrator" and reply Yes and allow it to proceed when prompted. That is important.

next, press the Fix button just once and wait.

You will see a green-color scroll display while FRST is running.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Downloads folder (Fixlog.txt) . Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

The system will be rebooted after the fix has run. Attach FIXLOG.txt with next reply.

NOTICE: For potential outside readers,  This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause harm.

  • Like 1
Link to post
Share on other sites
Maurice Naggar

Maurice Naggar

Posted
Posted

The custom-run is good. The Windows System File Checker has made some corrections. 

Windows Resource Protection found corrupt files and successfully repaired them.
This last run has completed what was originally intended. 

This next procedure is just a quick run to do some inquiry lookup. It will not involve a "reboot".

Please Close all open work before you actually do begin this run.

FRSTENGLISH,exe  program location:   Downloads folder. The tool is already on system. That is what we will use.

Please download the attached fixlist.txt file and save it to Downloads

Fixlist.txt <- < - - - -

NOTE. It's important that both files, FRSTENGLISH, and fixlist.txt are in the same location or the fix will not work.

Right-click with your mouse on  FRSTENGLISH and select "Run as Administrator" and reply Yes and allow it to proceed when prompted. That is important.

next, press the Fix button just once and wait.

You will see a green-color scroll display while FRST is running.
The tool will make a log on the Downloads folder (Fixlog.txt) . Please attach or post it to your next reply.

  • Like 1
Link to post
Share on other sites
Maurice Naggar

Maurice Naggar

Posted
Posted

No worries. I have a new one below. These are just inquiries. No need to worry.

This next procedure is just a quick run to do some inquiry lookup. It will not involve a "reboot".

Please Close all open work before you actually do begin this run.

FRSTENGLISH,exe  program location:   Downloads folder. The tool is already on system. That is what we will use.

Please download the attached fixlist.txt file and save it to Downloads

 Fixlist.txt<- < - - - -

NOTE. It's important that both files, FRSTENGLISH, and fixlist.txt are in the same location or the fix will not work.

Right-click with your mouse on  FRSTENGLISH and select "Run as Administrator" and reply Yes and allow it to proceed when prompted. That is important.

next, press the Fix button just once and wait.

You will see a green-color scroll display while FRST is running.
The tool will make a log on the Downloads folder (Fixlog.txt) . Please attach or post it to your next reply.

Link to post
Share on other sites
Maurice Naggar

Maurice Naggar

Posted
Posted (edited)

As a next step, I suggest the following:
This is for a scan with ESET Onlinescanner (free). ESET is a well-respected, well-known entity and tool. ESET Onlinescanner checks for viruses, other malware, adwares, & potentially unwanted applications.
This here you can start & once it is under way, you can leave the machine alone & let it run over-night. No need to keep watch once it starts the actual scan run.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

It will start a download of "esetonlinescanner.exe"

  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started.

 

  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes
  • When prompted for scan type, Click on CUSTOM scan  and select C drive to be scanned
  • Look at & tick ( select ) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"
  • and click on Start scan button.

Have patience. The entire process may take an hour or more. There is an initial update download.
There is a progress window display. You may step away from machine &. Let it be. That is, once it is under way, you should leave it running. It will run for several hours.

  • At screen "Detections occurred and resolved" click on blue button "View detected results"
  • On next screen, at lower left, click on blue "Save scan log"
  • View where file is to be saved. Provide a meaningful name for the "File name:"
  • On last screen, set to Off (left) the option for Periodic scanning
  • Click "save and continue"
  • Please attach the report file so I can review
Edited by AdvancedSetup
Corrected font issue
  • Thanks 1
Link to post
Share on other sites
Maurice Naggar

Maurice Naggar

Posted
Posted

Thanks. One of the two items found & removed was in the Recycle Bin. The other one seemingly was a powershell script by the name

new1109.ps1

.
I would like to do a Inquiry run.

This next procedure is just a quick run to do some inquiry lookup. It will not involve a "reboot". This will run super quickly.

Please Close all open work before you actually do begin this run.

FRSTENGLISH,exe  program location:   Downloads folder. The tool is already on system. That is what we will use.

Please download the attached fixlist.txt file and save it to Downloads

Fixlist.txt <- < - - - -

NOTE. It's important that both files, FRSTENGLISH, and fixlist.txt are in the same location or the fix will not work.

Right-click with your mouse on  FRSTENGLISH and select "Run as Administrator" and reply Yes and allow it to proceed when prompted. That is important.

next, press the Fix button just once and wait.

You will see a green-color scroll display while FRST is running.
The tool will make a log on the Downloads folder (Fixlog.txt) . Please attach or post it to your next reply.

(   2   )

One other scan here.

TrendMicro HouseCall scan
from this Link

First, Download & Save to your Downloads folder the appropriate HouseCallLauncher
Once the download is complete, go to where the Housecalllauncher is saved & double-click it to start it.

The program will check with TrendMicro & do a update run.

Next it will show the Disclosure window.

Click Next to proceed.

The end user license agreement is presented.   Click the Accept radio button & click Next to proceed.

I suggest a CUSTOM scan on C drive.

IF you wish a Full scan or a Custom scan, first click on the Settings

then you can select which drives you want to include in the scan.

The default is a Quick scan.

Click Scan now when ready.

The scan progress will then be displayed.   Monitor the progress or just leave it alone until it finishes this phase.

When the scan phase has completed, if any items are tagged, you will see a list, showing  the file & its location, the classification of the threat, the type, risk, and Action option.

If you see an item that you know is safe, you can click the Action  , and select Ignore.

When all done & ready, click the Fix now button.
The "Summary" at the end at "Review Results" is what matters.

Link to post
Share on other sites
Bojano

Bojano

Posted
  • Author
Posted

Hi,

Unfortunately, notifications still occure from MSBUILD, even though it was deleted by ESET. TrendMicro HouseCall scan found 1 application that I would say is safe,but i deleted it anyway to be certain.
My only solution now to get the Msbuild to stop trying to connect to external network is to end task throught Task Manager. Would the ESET Online scan help? What are yuor suggestions? 

Underneath is the fixlog

Thank for help once again

Fixlog.txt

Link to post
Share on other sites
Maurice Naggar

Maurice Naggar

Posted
Posted

Hello. Thank you. I suggest to get the Malwarebytes current BETA version 4.6.4.286  and then see whether that helps.

You may get the beta by enabling BETA updates and checking for updates. Go to Settings, then click General tab.

image.png.8afd968da23bfe3a426c8e1e46f33834.png

This is the version with the fix.

image.png.3fc9d3de5ad2a81d250a1b382654012e.png

 

Link to post
Share on other sites
Bojano

Bojano

Posted
  • Author
Posted

Hi Maurice,

Thank for the suggestion, I updated my malwarebytes to the version 4.6.4 and started a scanned it. The logs of the run is shown below. Meanwhile, I analyzed autorun section in Task Manager, MSBUILD was starting with a VirtualBox file called VBoxSVC.exe. I deleted this file and turned off autorun. Now notifications are no longer appearing. Can this solve the issue? What are the steps to make sure the problem is solved?

Thanks for your help

MalBytesLog.txt

Link to post
Share on other sites
Maurice Naggar

Maurice Naggar

Posted
Posted

The Malwarebytes scan removed Malware.Heuristic.1001 ( which seem to be rogues). That is an excellent cleanup.

As to your removing task with VBoxSVC.exe That is very helpful, especially if you know that your machine is not supposed to run a VM running Virtualbox.

 

Let's do one scan with Malwarebytes Adwcleaner to check for adwares. Just before pressing that "scan" button, be sure that Chrome & Edge, or other web browser are Closed.

It will not take much time,

First download & save it
guide & download link

Then be sure to close all web browsers after the download & before launching the tool.

Then go to where the EXE file is saved. Start Adwcleaner.  Then do a scan with Adwcleaner

Guide article

Link to post
Share on other sites
Bojano

Bojano

Posted
  • Author
Posted

Hi,

There where some Chromium URLs detected and deleted, I will restart my Google Chrome just in case. Nothing else was detected. Additionally I run one more ESET Online scan just to be sure and it detected no malware fortunately.

I hope that is the end of this journey of long scans and frustration :D. What are your suggestions after all of this? Changing passwords, unistalling unused software?

I'm so grateful for your help, thank you very much for your time :)

Link to post
Share on other sites
Maurice Naggar

Maurice Naggar

Posted
Posted

We need to insure that 1 rogue "shortcut link" that was in Startup is really gone.

This next procedure is just a quick run. It will not involve a "reboot". This will run super quickly.

Please Close all open work before you actually do begin this run. Make sure to close Brave browser.

FRSTENGLISH,exe  program location:   Downloads folder. The tool is already on system. That is what we will use.

Please download the attached fixlist.txt file and save it to Downloads

Fixlist.txt <- < - - - -

NOTE. It's important that both files, FRSTENGLISH, and fixlist.txt are in the same location or the fix will not work.

Right-click with your mouse on  FRSTENGLISH and select "Run as Administrator" and reply Yes and allow it to proceed when prompted. That is important.

next, press the Fix button just once and wait.

You will see a green-color scroll display while FRST is running.
The tool will make a log on the Downloads folder (Fixlog.txt) . Please attach or post it to your next reply.

As to your recent questions. Sure, you should Uninstall programs that you no longer use.  And changing passwords to strong passwords is a good security practice, especially after a incident with a trojan infection. 

1Password Strong Password Generator
https://1password.com/password-generator/

If you're really interested in Password strength see this post https://forums.malwarebytes.com/topic/284814-are-your-passwords-in-the-green/

Link to post
Share on other sites
Maurice Naggar

Maurice Naggar

Posted
Posted

Very good. Excellent. 

Now a different scan with another security scanner. 

You should first Close as many of your open-user app-screens as possible. That is to say, Exit all that you do not need to have open.

This with Kaspersky KVRT tool.

Download Kaspersky Virus Removal Tool (KVRT) from here: https://www.kaspersky.com/downloads/thank-you/free-virus-removal-tool and save to your Desktop.

Next, Select the Windows Key and R Key together, the "Run" box should open.

user posted image

Drag and Drop KVRT.exe into the Run Box.

user posted image

C:\Users\kacpi\DESKTOP\KVRT.exe will now show in the run box.

user posted image

add 
-dontencrypt

Note the space between KVRT.exe and -dontencrypt

C:\Users\kacpi\DESKTOP\KVRT.exe -dontencrypt 

should now show in the Run box.

user posted image

That addendum to the run command is very important.


To start the scan select OK in the "Run" box.



The Windows Protected your PC window "may" open, IF SO then select "More Info"

user posted image

A new Window will open, select "Run anyway"

user posted image

A EULA window will open, tick both confirmation boxes then select "Accept"

user posted image

In the new window select "Change Parameters"

user posted image

 
  • In the new window ensure the following boxes are ticked:
    • System memory
    • Startup objects
    • Boot sectors
    • System drive
  • Then select "OK" and „Start scan“.

The Kaspersky tool is very thorough so will take a considerable time to complete, please allow it to finish. Also while Kaspersky runs do not use your PC for anything else..

  • completed: If entries are found, there will be options to choose. If "Cure" is offered, leave as it is. For any other options change to "Delete", then select "Continue".
  • Usually, your system needs a reboot to finish the removal process.
  • Logfiles can be found on your systemdrive (usually C: ), similar like this:

Reports are saved here C:\KVRT2020_Data\Reports and look similar to this report_20231004_203000.klr

  • Right click direct onto those reports, select > open with > Notepad.
  • Save the files and attach them with your next reply
  • Like 1
Link to post
Share on other sites
Maurice Naggar

Maurice Naggar

Posted
Posted

Thank you. That is a very fine result.

Sophos Scan & Clean

Download Sophos Free Virus Removal Tool and save it to your desktop.

  • If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....
  • Please close all other open applications and Do Not use your PC whilst the scan is in progress... This scan is very thorough so it may take several hours to complete, please be patient...

Double click the icon and select Run

Click Next

Select I accept the terms in this license agreement, then click Next twice

Click Install

Click Finish to launch the program

  • Once the virus database has been updated click Start Scanning

If any threats are found click Details, then View log file... (bottom left hand corner)

 

Attach the results in your next reply

  • Close the Notepad document, close the Threat Details screen, then click Start cleanup

Click Exit to close the program

 

If no threats were found please confirm that result...

  • The Virus Removal Tool scans the following areas of your computer:
  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable
  • Mapped network drives are not scanned.

Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

 

Saved logs are found under this sub-folder: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs 

Please attach that log on your next reply

Thank you

Link to post
Share on other sites
Bojano

Bojano

Posted
  • Author
Posted

I'm sorry, but the Sophos software "Scan and Clean" does now contain Removal Tool, i scanned the computer using it and as a result some cookies were deleted and files known by me as anticheat software were signed as "suspicious". Do you think this is really necessary to run another long scan? I would be happy to end on this, but I'm not sure if it is safe. No malware was found for 2 days.

Link to post
Share on other sites
Maurice Naggar

Maurice Naggar

Posted
Posted

We can skip that run. 

I would recommend getting a readout report as to update status of some key apps.
Temporarily disable Microsoft SmartScreen to download the next software below 

Download SecurityCheck by glax24 from here

and save the tool on the desktop.

                   If Windows's  SmartScreen block that with a message-window, then
                         Click on the MORE INFO spot and over-ride that and allow it to proceed.

                             This tool is safe.   Smartscreen is overly sensitive.

Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"   and reply YES to allow to run & go forward
Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file.  Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

 

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.