
How to scan for root kits


D1117
Solved by Maurice Naggar


Leave Malwarebytes & MS Defender antivirus as is. MS Defender is in good state, & up-to-date & its Tamper protection is fine. Let us find some quiet time, where you can get, Save, then run a KB5033372 cumulative update from Windows Update Catalog.

Save the download to the Desktop.

The CAB file download link is this.

This is 2023-12 Dynamic Cumulative Update for Windows 10 Version 22H2 for x64-based Systems (KB5033372)

Once the download is all saved, this is how to apply the update, using the Windows DISM on an elevated Command prompt.

Open an elevated Command window, i.e. run Command Prompt as an administrator.

On the Taskbar Search box, type in

cmd.exe


click the line for "run as administrator"


It is best to use the Windows Copy ( CTRL+C ) and Paste ( CTRL+V ) for the whole line, as-is.
On that prompt window, copy & paste this command, the whole line AS-IS; it is a long line. Ensure you get all of it copied.

dism /Online /Add-Package /PackagePath:"C:\Users\David\Desktop\windows10.0-kb5033372-x64_42568aafdedaf72a9699250eb48da5f876cdc7c2.cab"

Press the Enter key on the keyboard. Monitor & have patience & write down the result.

The command line above is based on having saved the download-file to the Desktop

 

 

Edited by Maurice Naggar
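An added example, not from the thread: a PowerShell script that checks the downloaded CAB's SHA-1 against the hash in its Windows Update Catalog file name before running the same DISM command as above. It assumes the file was saved to the current user's Desktop, as the post describes.

```powershell
# Added example, not part of the thread: verify the KB5033372 CAB before DISM
# installs it. Windows Update Catalog downloads are named with the SHA-1 of
# their contents, so the hash in the file name must match the file on disk.
# Assumption: the CAB was saved to the current user's Desktop, as in the post.
$CabName = 'windows10.0-kb5033372-x64_42568aafdedaf72a9699250eb48da5f876cdc7c2.cab'
$CabPath = Join-Path ([Environment]::GetFolderPath('Desktop')) $CabName

if (-not (Test-Path -LiteralPath $CabPath)) {
    throw "CAB not found at $CabPath. Save the catalog download to the Desktop first."
}

# Pull the 40-hex-digit SHA-1 out of the file name and compare with the real hash.
if ($CabName -notmatch '_([0-9a-f]{40})\.cab$') {
    throw 'File name carries no SHA-1 suffix; refusing to apply an unverified package.'
}
$ExpectedSha1 = $Matches[1]
$ActualSha1   = (Get-FileHash -LiteralPath $CabPath -Algorithm SHA1).Hash.ToLowerInvariant()
if ($ActualSha1 -ne $ExpectedSha1) {
    throw "Hash mismatch (expected $ExpectedSha1, got $ActualSha1). Do not install; re-download."
}
Write-Host "SHA-1 matches. Applying $CabName with DISM..."

# DISM /Online servicing needs an elevated session, as the post says.
$Identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$Principal = New-Object Security.Principal.WindowsPrincipal($Identity)
if (-not $Principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Run as administrator) PowerShell window.'
}

& dism.exe /Online /Add-Package /PackagePath:"$CabPath" /NoRestart
$Exit = $LASTEXITCODE
# 0 = installed; 3010 = installed, restart required; anything else: check dism.log.
switch ($Exit) {
    0       { Write-Host 'Package applied; no restart required.' }
    3010    { Write-Host 'Package applied; restart Windows to finish the installation.' }
    default { Write-Warning "DISM exited with $Exit. See C:\Windows\Logs\DISM\dism.log before retrying." }
}
```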

2 hours ago, D1117 said:

To change any of the Malwarebytes settings, Tamper Protection seems to be set to ON and it does not want to allow me to change anything. Should I remove that? I think that will require a re-install of the program.

Note: If you forget your Tamper Protection password, it can be reset using your license key, or the key portion of your license, if your license is in the older ID and Key format. In the Tamper Protection window, click Reset password, then enter your license key (capitalized and including dashes) to set a new password. 


I will give things a day or so to settle down. On my end I have been dealing with several medical issues and fixing the financial problems caused by my original, badly chosen, response to the phishing letter. I am learning that several top scientists my wife worked with have also been badly bitten by the same scam. I am very appreciative of your assistance.

Have a good day.

Dave


I did complete running that .CAB file install without any issues. Have not yet removed the tamper protection on the Malwarebytes, but will try that tomorrow. Otherwise, the system seems to be running well. No new unauthorized purchases. Should I run full scans more often for a few days rather than once-a-week scans? Any other advice?

Regards,

Dave K


Hello. For one thing, I had not realized till just now that you had been a victim of a phishing document. In future, if you get a random email with some document, do not Open it right away. You ( if you insist on looking at the document) should SAVE it as-is first to some folder. Then use your Antivirus to scan that document. Review the result before even ever opening the document in the first instance.

As far as Malwarebytes' Tamper protection, (a) that is about protecting from an outsider uninstalling the Malwarebytes program. Thus it is not a Windows OS related thing. This is an opt-in option in Malwarebytes settings.
See this support article https://support.malwarebytes.com/hc/en-us/articles/4402964326419-Restrict-uninstallation-of-Malwarebytes-for-Windows-v4

I believe we are close to wrapping up this case.
The Malwarebytes you have is on a Premium license. So Malwarebytes would be doing a daily scan.
You may run on-demand manual Scans with Microsoft Defender antivirus.

At this point, I'd like to gather 3 fresh sets of reports.

(  1  )

I would like a report set for review. This is a report only. This is the first beginning step so I can see what is what on this particular machine.

Please download MALWAREBYTES MBST Support Tool

Once you start it click Advanced >>> then Gather Logs

Have patience till the run has finished.
Attach the mbst-grab-results.zip from the Desktop to your reply.

(  2   )

SecurityCheck by glax24              

I would like you to run a tool named SecurityCheck to inquire about the current security update status of some applications.

  • Download SecurityCheck by glax24: https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
  • If Microsoft SmartScreen blocks the download, click through to save the file
  • This tool is safe.   Smartscreen is overly sensitive.
  • If SmartScreen blocks the file from running click on More info and Run anyway
  • Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"  and reply YES to allow to run & go forward
  • Wait for the scan to finish. It will open a text file named SecurityCheck.txt Close the file.  Attach it with your next reply.
  • You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

(  3   )

Please run the following custom script. Read all of this before you start. The meaning of the "Fix button" operation here is just to run a custom script just for this particular machine.

This is an Inquiry report only. It will run quickly.

Please Close all open work before you actually do begin this run.

FRSTENGLISH.exe program location: Downloads folder. The tool is already on system. That is what we will use.

Please download the attached fixlist.txt file and save it to Downloads

fixlist.txt (attached)

NOTE. It's important that both files, FRSTENGLISH, and fixlist.txt are in the same location or the fix will not work.

Right-click with your mouse on  FRSTENGLISH and select "Run as Administrator" and reply Yes and allow it to proceed when prompted. That is important.

Next, press the Fix button just once and wait.

You will see a green-color scroll display while FRST is running.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log in the Downloads folder (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

The system will be rebooted after the fix has run. Attach FIXLOG.txt with next reply.


I think I ran everything. Let me know if I missed attaching a results file.

I also have noticed that I am unable to get other PCs in the house to attach to a shared printer I have on this PC, as well as a file share that I used to connect to using the Apple Files program SMB connection from my iPad. These aren't crucial, but I am wondering if there is a firewall issue going on? I have a net analyzer program on my iPad that seems to say there are lots of blocked ports. I have very little firewall experience. I can ping this PC from other computers on my network, I just cannot connect to shared files from the iPad or the shared printer. I can connect from this PC to another PC on the network and copy files to this one, so it seems to affect only incoming attempts.

Thanks for your help. I will be out of town most of Monday.

Regards, 

Dave

Attached: mbst-grab-results.zip, Fixlog.txt, SecurityCheck.txt


Solution

First of all, per the SecurityCheck report
---------------------------- [ Antivirus_WMI ] ----------------------------
Windows Defender (enabled and up to date)
Microsoft Defender antivirus is ON.
--------------------------- [ FirewallWindows ] ---------------------------
Windows Defender Firewall (mpssvc) - The service is running
The system firewall is on.

These applications need your attention & follow-up to ensure they get updated to the latest publisher release version.

AMD Software v.22.6.1  Warning! Download Update
Microsoft 365 - en-us v.16.0.17029.20068 [+]

Microsoft SQL Server 2008 Setup Support Files  v.10.3.5500.0  Warning! This software is no longer supported.

Oracle VM VirtualBox 6.1.26 v.6.1.26  Warning! Download Update

Microsoft SQL Server 2012 Native Client  v.11.2.5643.3  Warning! This software is no longer supported.

Microsoft Office Professional Plus 2010 v.14.0.7015.1000  Warning! This software is no longer supported. Please use latest Microsift Office, Office Online or LibreOffice
 
TrueCrypt v.7.1a  Warning! This software is no longer supported. Please use VeraCrypt.

Microsoft SQL Server 2005 Compact Edition [ENU] v.3.1.0000  Warning! This software is no longer supported.

Backup and Sync from Google v.3.57.4256.0809  Warning! This software is no longer supported. Please use Google Drive.

7-Zip 19.00 (x64) v.19.00  Warning! Download Update
Uninstall old version and install new one.

TreeSize Free V2.4 v.2.4  Warning! Download Update

IrfanView 64 (remove only) v.4.42  Warning! Download Update
 
Microsoft Teams v.1.3.00.4461  Warning! Download Update

Zoom v.5.9.3 (3169)  Warning! Download Update

Skype™ 7.6 v.7.6.103  Warning! Download Update

Java 8 Update 73 v.8.0.730.2  Warning! Download Update
Uninstall old version and install new one (jre-8u391-windows-i586.exe).

Audacity 3.2.5 v.3.2.5  Warning! Download Update

VLC media player v.2.2.4  Warning! Download Update
 
Audacity 2.1.2 v.2.1.2  Warning! Download Update

QuickTime v.7.1.3.100  Warning! This software is no longer supported. Please uninstall it and use another software.

Windows Live Essentials v.16.4.3528.0331  Warning! This software is no longer supported. IS way way obsolete. UNINSTALL this
Microsoft has officially discontinued support for Windows Live Essentials, and as a result, the applications included in the suite may no longer receive updates or security patches. This lack of support could potentially leave your system vulnerable to security threats and compatibility issues.


Bonjour v.3.1.0.1  Warning! Application is distributed through the partnership programs and bundle assemblies. Uninstallation recommended. Your pc does not need it.

Wondershare Helper Compact 2.6.0 v.2.6.0  Warning! Application is distributed through the partnership programs and bundle assemblies. Uninstallation recommended. Possible you became a victim of fraud or social engineering.

Skype Click to Call v.8.5.0.9167  Warning! Browser's toolbar. It can slow down the working of your browser and have violation privacy problems.

Important note: As of 13th Dec 2023, this Windows 10 does have the latest OS update, Build 19045.3803. That is good. It is a fact that this Windows had no Windows Updates in the period 06/18/2023 to 12/10/2023.

As to the iPad and the printer sharing, I would refer you to the General PC help forum area

You may want to also check the Mac ( iPad) area at Bleepingcomputer forum this link

For printers https://www.bleepingcomputer.com/forums/f/138/external-hardware/

On networking https://www.bleepingcomputer.com/forums/f/21/networking/

The sole port reported as blocked by firewall rule, from your latest reports,  is 9034 .
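An added example, not from the thread and not part of SecurityCheck, in PowerShell: it parses the "Warning!" lines of a SecurityCheck.txt report into Uninstall / Replace / Update buckets so a follow-up list like the one above can be worked through in priority order. The sample lines are copied from the report quoted in this reply; Get-SecurityCheckFindings is a hypothetical helper name.

```powershell
# Added example, not from the thread or from SecurityCheck: triage the
# "Warning!" lines of a SecurityCheck.txt report into action buckets.
# The sample below is constructed from lines quoted in the reply above; on a
# real machine use: Get-Content C:\SecurityCheck\SecurityCheck.txt
$SampleText = @'
AMD Software v.22.6.1  Warning! Download Update
Microsoft 365 - en-us v.16.0.17029.20068 [+]
TrueCrypt v.7.1a  Warning! This software is no longer supported. Please use VeraCrypt.
7-Zip 19.00 (x64) v.19.00  Warning! Download Update
Java 8 Update 73 v.8.0.730.2  Warning! Download Update
Bonjour v.3.1.0.1  Warning! Application is distributed through the partnership programs and bundle assemblies. Uninstallation recommended.
Skype Click to Call v.8.5.0.9167  Warning! Browser's toolbar. It can slow down the working of your browser and have violation privacy problems.
'@
$SampleLines = $SampleText -split "`r?`n"

function Get-SecurityCheckFindings {
    param([string[]]$Lines)
    foreach ($Line in $Lines) {
        # Product and version come before "Warning!"; everything after is the advice.
        # Lines without "Warning!" (e.g. the up-to-date Microsoft 365 entry) are skipped.
        if ($Line -notmatch '^(?<name>.+?)\s+v\.(?<ver>\S+)\s+Warning!\s*(?<advice>.+)$') { continue }
        # Copy the captures now: the switch -Regex below overwrites $Matches.
        $Name = $Matches.name.Trim(); $Ver = $Matches.ver; $Advice = $Matches.advice
        $Action = switch -Regex ($Advice) {
            '^Download Update'                        { 'Update';    break }
            'no longer supported'                     { 'Replace';   break }
            "partnership programs|Browser's toolbar"  { 'Uninstall'; break }
            default                                   { 'Review' }
        }
        [pscustomobject]@{ Action = $Action; Product = $Name; Version = $Ver; Advice = $Advice }
    }
}

# Unwanted/bundled software first, then unsupported products, then plain updates.
$Rank = @{ Uninstall = 0; Replace = 1; Update = 2; Review = 3 }
Get-SecurityCheckFindings -Lines $SampleLines |
    Sort-Object { $Rank[$_.Action] }, Product |
    Format-Table Action, Product, Version -AutoSize
```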


Hello. Your system is good-to-go. This here is to cleanup the tools I had you use.

Temporarily disable Microsoft SmartScreen to download the next software below.

Let's go ahead and do some clean-up work and remove the tools and logs we've run.
Please download KpRm by kernel-panik and save it to your desktop.

  • Right-click kprm_2-15.exe and select Run as Administrator.
  • Read and accept the disclaimer.
  • When the tool opens, ensure all boxes under Actions are checked.
  • Under Delete Quarantines select Delete Now, then click Run.
  • Once complete, click OK.
  • Delete mb-support-1.9.5.199.exe
  • Delete mbst-grab-results.zip on the Desktop.

Your system is good-to-go.
Sincerely.


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy Tips to help protect from infection

Thank you

 

 

