Persistent Malware on Windows 11

[LizAtherton]

Hi. I had my wifi hacked intentionally and reloaded windows numerous times. Ive now factory reset and flashed BIOS on my PC but need to ensure that I dont have malware on my pc. 

Malwarebytes has scanned my pc and found malware opening ports 443 and pc had slowed down, but it kept returning. Now I am seeing more apps running in Task Manager that dont have digital signatures. Can someone please help me. Its gone through the network to another pc as well.

[Porthos]

@LizAtherton

Let's get the info to get the process started. Be aware it will take many steps and scans to fully remove malware.

Please respond to all future instructions from your helper in a timely manner.

Please do the following so that we may take a closer look at your system for any possible infections.

Do these 2 steps FIRST so that files and folders are set to SHOW, plus also, Turn OFF Windows Fast Start.
Show-Hidden-Folders-Files-Extensions
https://forums.malwarebytes.com/topic/299345-show-hidden-folders-files-extensions/

Disable-Fast-Startup
https://forums.malwarebytes.com/topic/299350-disable-fast-startup/

Then please restart the computer and then do the following.

WARNING: Do Not click the Repair option under Advanced unless requested by a Malwarebytes support agent or authorized helper

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

• Download the Malwarebytes Support Tool
• In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
• In the User Account Control pop-up window, click Yes to continue the installation
• Run the MBST Support Tool. The tool also downloads and runs a file called FRSTEnglish. Please allow it to run.
• In the left navigation pane of the Malwarebytes Support Tool, click Advanced
• In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine 
• A zip file named mbst-grab-results.zip will be saved to the Desktop or on the hidden Public desktop (usually C:\Users\Public\Desktop), please upload that file on your next reply

• Then be patient for the next expert to take your case.

Thank you

 

• 
• 

 

Edited March 17 by Porthos

[AdvancedSetup]

Hello @LizAtherton

Sorry for the delay. I found and removed our block for Spam on our system. You should be able to post now.

I was able to get your logs from our internal Support Team.

The logs don't indicate an immediate obvious threat but let's do some clean up and further scans to make sure.

 

The logs indicate you have ESET antivirus on the system. Please temporarily disable the real-time protection and run the following fix. Once the fix has ran make sure that ESET real-time protection is turned back on.

 

 

Please run the following fix

 

NOTE: Please read all of the information below before running this fix.

• NOTICE: This script was written specifically for this user, for use on this particular machine.
• Running this on another machine may cause damage to your operating system that cannot be undone.

Once the fix has been completed, please attach the file FIXLOG.TXT to your next reply

Farbar program:   FRSTEnglish.exe

Save the attached file:  FIXLIST.TXT to this folder C:\Users\Zeus\Downloads\

NOTE. It's important that both files, FRSTEnglish.exe, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

 

 

Run the Farbar program with Admin rights and press the Fix button just once and wait.

The fix may possibly take up to 60 minutes to complete

If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log named Fixlog.txt in the same folder you ran the Farbar program from. Please attach that log on your next reply.

 

1. NOTE:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity.
2. NOTE: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications may be automatically closed.
               Also, make sure you know the passwords for all websites as cookies may possibly be removed in some cases, but not all cases.
3. NOTE: As part of this fix, it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

• Windows Temp
• Users Temp folders
• Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
• Recently opened files cache
• Discord cache
• Java cache
• Steam HTML cache
• Explorer thumbnail and icon cache
• BITS transfer queue (qmgr*.dat files)
• Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

 

[LizAtherton]

Ok thanks ...here's the file

Fixlog.txt

[AdvancedSetup]

Thank you for the log. That ran well

Please run the following scanner

 

 

Please run the following ESET Online Scanner and perform a Full Scan

 

Click the following link to save the installer for ESET Online Scanner

https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

• It will start a download of "esetonlinescanner.exe"
• Save the file to your system, such as the Downloads folder, or else to the Desktop.
• Go to the saved file, and double click it to get started. 
• When presented with the initial ESET screen, click on "Get Started". Read and accept the Terms of use
• On the "Before we start..." screen chose if you want to send anonymous data and if you want to provide feedback or not, then click Continue
• When prompted for scan type, Click on the Full Scan button
• Enable  ( select )   the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click the Start scan button.
• Have patience.  The entire process may take a few hours or more.
• When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.
• Click The blue “Save scan log” to save the log and give it a name and location you remember.
• If something was removed and you know it is a false postive, you may click on the blue ”Restore cleaned files”  ( in blue, at the bottom).
• Press Continue when all done.  You should click to turn off the offer for “periodic scanning”.
• Enable "Delete application data on closing" - You do not need to submit feedback unless you want to. Simply ignore and close the program.

 

Note: If you do need to do a File Restore from ESET please follow the directions below

[KB2915] Restore files quarantined by the ESET Online Scanner version 3

https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner

 

Please attach the ESET scan log you saved at the end to your next reply

 

[LizAtherton]

Hi there. 

I have done all the above and just yesterday had another RPT detection on my pc. I have since scanned with Malwarebytes, ESET and Kaspersky with no results.  I have not imported browser settings into my new Windows and have also flashed the bios, yet this keeps coming back! 

Can you please help?

[AdvancedSetup]

All emails can cause this. Any email that has an Ad or link to any site that is on a known blocked list is going to cause an alert to be triggered.

If you scan your computer I'm sure you will probably not find any infection. But if you get an incoming email that has some type of link to a bad site or blocked site then it will trigger.

That does not mean you're infected. If you get this alert with NO program running then that's different.

 

Please run the following

 

Scan with SecurityCheck by glax24
https://forums.malwarebytes.com/topic/307301-scan-with-securitycheck-by-glax24/

 

[AdvancedSetup]

Please post back the log from ESET

Then run the following Kaspersky scan and post back it's log too

 

 

Please download and run the following Kaspersky Virus Removal Tool 2020 and save it to your Desktop.

(Kaspersky Virus Removal Tool version 20.0.10.0 was released on November 9, 2021)

Download: Kaspersky Virus Removal Tool

https://devbuilds.s.kaspersky-labs.com/devbuilds/KVRT/latest/full/KVRT.exe

How to run a scan with Kaspersky Virus Removal Tool 2020
https://support.kaspersky.com/15674

How to run Kaspersky Virus Removal Tool 2020 in the advanced mode
https://support.kaspersky.com/15680

How to restore a file removed during Kaspersky Virus Removal Tool 2020 scan
https://support.kaspersky.com/15681

 

Select the     Windows Key and R Key together, the "Run" box should open. Drag and Drop KVRT.exe into the Run Box. C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the run box. add -dontencrypt   Note the space between KVRT.exe and -dontencrypt C:\Users\{your user name}\DESKTOP\KVRT.exe -dontencrypt should now show in the Run box.   That addendum to the run command is very important, when the scan does eventually complete the resultant report is normally encrypted, with the extra command it is saved as a readable file. Reports are saved here C:\KVRT2020_Data\Reports and look similar to this report_20210123_113021.klr Right-click direct onto that report, select > open with > Notepad. Save that file and attach it to your reply. To start the scan select OK in the "Run" box. A EULA window will open, tick all confirmation boxes then select "Accept" In the new window select "Change Parameters" In the new window ensure all selection boxes are ticked, then select "OK" The scan should now start... When complete if entries are found there will be options, if "Cure" is offered leave as is. For any other options change to "Delete" then select "Continue" When complete, or if nothing was found select "Close" Attach the report information as previously instructed...   Thank you

 

 

[LizAtherton]

Here is the security check text file. The screenshot is from Kaspersky where files are locked. Is this ok?

SecurityCheck.txt

[AdvancedSetup]

Thank you for the Kaspersky log.

Do you have the ESET scan log?

 

Please update the following

 

• Microsoft 365 Apps for business - en-us v.16.0.17425.20146 Warning! Download Update | How Install Office updates?
• Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.32.31326 v.14.32.31326.0 Warning! Download Update
• Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.32.31326 v.14.32.31326.0 Warning! Download Update
• Zoom v.5.17.10 (33775) Warning! Download Update

 

Then check for Windows Updates and install any found.

 

Then RESTART the computer and run the following

 

 

 

 

Let's go ahead and run a couple of scans and get some updated logs from your system. Please read the entire post below before starting so that you're more familiar with the process

[ 1 ]

Please make the following system changes.

• Temporarily disable your antivirus real-time protection or other security software first only if it blocks or interferes with the scans or downloads.. Make sure to turn it back on once the scans are completed.
• Temporarily disable Microsoft SmartScreen to download software below only if needed. Make sure to turn it back on once the scans are completed.
• Disable-Fast-Startup
• Show-Hidden-Folders-Files-Extensions

[ 2 ]

I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on the Scan Options & select the FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

• Once you see it has started, take a long long break;  walk away.  Do not pay credence if you see some intermediate early flash messages on the screen display.  The only things that count are the End result at the end of the run.
• The scan will take several hours.  Leave it alone. It will remove any other remaining threats as it goes along.  Take a very long break, do your normal personal errands .....just do not use the computer during this scan.

This is likely to run for many hours as previously mentioned  ( depending on the number of files on your machine & the speed of the hardware.)

The log is named MSERT.log  and the log will be at C:\Windows\debug\msert.log

Please attach that log with your next reply.

 

It is normal for the Microsoft Safety Scanner to show detections during the scan process.

It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.

Then it writes into the log on your computer what it found.

 

Thank you

[LizAtherton]

I have uploaded the SecurityCheck.txt again...please see attached.

 

I also ran the scan MSERT.exe file without checking the hidden files and ran it again once showing hidden files. Please see log attached. The MSERT first scan did come up with this VirTool:Win32/DefenderTamper and when I clicked on the link it took me to this page: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=VirTool%3AWin32%2FDefenderTamperingRestore&product=13. The second scan came up clean.

SecurityCheck.txt msert.log

[AdvancedSetup]

Please update the following software

• ESET Security v.17.0.16.0 Warning! Download Update
• Microsoft 365 Apps for business - en-us v.16.0.17425.20146 Warning! Download Update | How Install Office updates?
• Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.32.31326 v.14.32.31326.0 Warning! Download Update
• Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.32.31326 v.14.32.31326.0 Warning! Download Update
• Zoom v.5.17.10 (33775) Warning! Download Update

Then RESTART the computer and check for Windows Updates and install any found

Then let me know how the computer is running now and if there are still any signs of infection or not.

Thank you

 

[AdvancedSetup]

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks