I need help making sure my PC is secure and safe


Recommended Posts

Hi,

About 2-3 months ago I accidentally ran an exe file that I think may have been a virus; it didn't pop up any window, nor did it seem to do anything. The moment I realized something was up I killed the task with Task Manager and then removed the file entirely. Next I scanned my PC using both Malwarebytes and Windows Defender; nothing came up. About a month later I had someone hijack my browser session (I think) on Steam: there was no login to my account and I do have 2FA, but there was a computer from Russia that accessed my account somehow via web browser. Once again I ran a scan with Malwarebytes and Windows Defender; additionally I ran a Microsoft program that scans and checks all the system files for corruption, I forgot the name of it. It took a solid 4 hours to do and also found nothing. Lastly, a few days ago I had someone access my Twitch account while I was using it. I did not get any kind of notification that someone logged in or anything at all, so again I'm suspecting session hijacking. I once again scanned using Malwarebytes and again found nothing. I went ahead and used my free trial of the premium version and today I got a notification that it blocked an outbound connection from svchost.

Here is the log of the svchost detection.

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 7/24/2024
Protection Event Time: 1:48 PM
Log File: 967f83f6-49b2-11ef-a115-1831bfdd0aeb.json

-Software Information-
Version: 5.1.6.117
Components Version: 1.0.1280
Update Package Version: 1.0.87120
License: Trial

-System Information-
OS: Windows 10 (Build 19045.4651)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Windows\System32\svchost.exe, Blocked, -1, -1, 0.0.0, , 

-Website Data-
Category: Compromised
Domain: 
IP Address: 91.206.244.10
Port: 51032
Type: Outbound
File: C:\Windows\System32\svchost.exe

(end)

https://forums.malwarebytes.com/topic/286933-svchostexe-outbound-connections-being-flagged-what-is-it/

I have found this post that had the same kind of popup as me, I have followed as many steps as I could, here are all the logs from the programs the user was asked to run. 

Since there isn't much in the logs and the scans come up clean, are the 2 incidents of what could have been session hijacking connected in any way to this svchost detection, or is it just coincidence?

 

SecurityCheck.txt AdwCleaner[S00].txt Addition.txt FRST.txt


Hello @Zurinto and :welcome::

Thank you for the attachment(s) you have already posted. However, please carefully follow the procedures below in the order given for the best data. Please do not forget Malwarebytes AdwCleaner in its proper order.

Although I will not be your malware removal helper, please carefully follow the steps in the order given:

Let's go ahead and run a couple of scans and get some updated logs from your system. Please read the entire post below before starting so that you're more familiar with the process.

Then, follow each step in the order provided. Unless otherwise asked, please attach all log files.

Please make the following system changes:  Please pay close attention to the instructions in all the following links.

  1. If you have not done so already, Enable System Protection and create a NEW System Restore Point.
  2. Temporarily disable your antivirus real-time protection or other security software first only if it blocks or interferes with the scans or downloads. Make sure to turn it back on once the scans are completed.
  3. Temporarily disable the overly sensitive Microsoft SmartScreen to download software below only if needed. Make sure to turn it back on once the downloads are completed.
  4. Disable-Fast-Startup. <<<<< Important.
  5. Show-Hidden-Folders-Files-Extensions.

Please run the following scans:  Please take your time and pay close attention to the instructions in all the following links.

  1. Select the following link and run a Scan with Malwarebytes AdwCleaner with only the eight (8) requested options selected.  Report files: AdwCleaner[S00].txt and AdwCleaner[C00].txt   Please run the scan only once, correctly, to capture any and all error data. Alternate Download Source.
  2. Select the following link and run a DEFAULT Scan with Malwarebytes 5 for Windows®. Report file: Malwarebytes Scan Report YYYY-MM-DD HHMMSS.txt
  3. >>>> Restart the computer <<<<
  4. Select the following link, and then rename FRST.exe or FRST64.exe to FRSTEnglish.exe and run a Scan with Farbar Recovery Scan Tool. Report files: FRST.txt and Addition.txt

Example image of where to click to attach the five (5) files when posting your reply to your topic:


The sooner you attach/send the five (5) log files, the sooner one of the Experts will weigh-in on your topic.

Thank you.


  • Root Admin

Thank you for the logs @Zurinto

Please run the following fix

Make sure you temporarily disable the real-time protection from Kaspersky antivirus or the fix will not run correctly
NOTE: Please read all of the information below before running this fix.

  • NOTICE: This script was written specifically for this user, for use on this particular machine.
  • Running this on another machine may cause damage to your operating system that cannot be undone.

Once the fix has been completed, please attach the file FIXLOG.TXT to your next reply

Farbar program:   FRSTEnglish.exe

Save the attached file:  FIXLIST.TXT to this folder C:\Users\zurin\Downloads\

NOTE. It's important that both files, FRSTEnglish.exe, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

Run the Farbar program with Admin rights and press the Fix button just once and wait.

The fix may possibly take up to 60 minutes to complete

If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log named Fixlog.txt in the same folder you ran the Farbar program from. Please attach that log on your next reply.

 

  1. NOTE:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity.
  2. NOTE: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications may be automatically closed.
                Also, make sure you know the passwords for all websites as cookies may possibly be removed in some cases, but not all cases.
  3. NOTE: As part of this fix, it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Discord cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Once the fix has been completed and the computer has restarted, please do the following

 

Please Uninstall, Update, or otherwise address the following as appropriate for your computer

 

  • 7-Zip 19.00 (x64) v.19.00 Warning! Download Update | Uninstall old version and install new one.
  • Audacity 3.2.1 v.3.2.1 Warning! Download Update
  • Combined Community Codec Pack 64bit 2015-10-18 v.2015.10.19.0 Warning! This software is no longer supported.
  • Discord v.1.0.9002 Warning! Download Update
  • GIMP 2.10.34-2 v.2.10.34 Warning! Download Update
  • Git v.2.40.0 Warning! Download Update
  • Java 8 Update 311 (64-bit) v.8.0.3110.11 Warning! Download Update | Uninstall old version and install new one (jre-8u421-windows-x64.exe).
  • Kaspersky Free v.21.2.16.590 Warning! Download Update
  • LibreOffice 7.0.2.2 v.7.0.2.2 Warning! Download Update
  • Microsoft Teams v.1.6.00.4472 Warning! Download Update
  • Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.38.33135 v.14.38.33135.0 Warning! Download Update
  • Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 v.14.36.32532.0 Warning! Download Update
  • Microsoft Visual Studio Code (User) v.1.89.1 Warning! Download Update
  • Node.js v.18.16.0 Warning! Download Update
  • NVIDIA GeForce Experience 3.27.0.112 v.3.27.0.112 Warning! Download Update
  • Oracle VM VirtualBox 6.1.16 v.6.1.16 Warning! Download Update


Then RESTART the computer and check for Windows Updates and install any found


So regarding Kaspersky, I have stopped using it before and attempted to uninstall it in the past. It removed the majority of its files, but whenever I try to get rid of it, it says that the program is updating and the uninstallation process gets canceled. Whenever I check the Task Manager for any processes that belong to Kaspersky I find none. I tried uninstalling using both the Windows uninstaller and Revo Uninstaller; the end result is always the same. How can I get rid of it fully?


6 minutes ago, Zurinto said:

So regarding Kaspersky, I have stopped using it before and attempted to uninstall it in the past. It removed the majority of its files, but whenever I try to get rid of it, it says that the program is updating and the uninstallation process gets canceled. Whenever I check the Task Manager for any processes that belong to Kaspersky I find none. I tried uninstalling using both the Windows uninstaller and Revo Uninstaller; the end result is always the same. How can I get rid of it fully?

Void that, I was able to get rid of it with the revo uninstaller, using the advanced scan option of left over files and registry. After a quick computer reset it's all gone. I will proceed with the fixlist now.


  • Root Admin

Overall the log ran well. It also found and fixed some other Windows issues.

Windows Resource Protection found corrupt files and successfully repaired them.

 

Please RESTART the computer and let me know if Malwarebytes is still blocking a threat

 

Get the other program updates and Windows updates completed as well


So basically I should be fine? There is no malware or spyware or anything of that sort? Do you know if the suspected session hijacks I had were caused by something on my PC? I would really like some kind of definitive answer, as much as that is possible.


  • Root Admin

That is what we are trying to determine. There is no single run this and you're good to go. Anyone that tells you that is lying to you.

It is a process to go through. If you don't want to take the time to go through this process that is your choice we can stop here, just let me know.

Thank you again


I definitely want to take the time and make sure all is safe and sound. I was just wondering if you were able to tell from what we did so far if there was potential malware. I will let you know if malwarebytes catches any other connections. I've still got 12 days on my trial, if by then nothing appears I guess it will be fine, we shall see then. 

Thank you a lot for your time and help today


  • Root Admin

We're not done. I'm waiting for you to update and let me know whether there are any more blocks or not. Then we can do a couple more checks.

 

Please Uninstall, Update, or otherwise address the following as appropriate for your computer

 

  • 7-Zip 19.00 (x64) v.19.00 Warning! Download Update | Uninstall old version and install new one.
  • Audacity 3.2.1 v.3.2.1 Warning! Download Update
  • Combined Community Codec Pack 64bit 2015-10-18 v.2015.10.19.0 Warning! This software is no longer supported.
  • Discord v.1.0.9002 Warning! Download Update
  • GIMP 2.10.34-2 v.2.10.34 Warning! Download Update
  • Git v.2.40.0 Warning! Download Update
  • Java 8 Update 311 (64-bit) v.8.0.3110.11 Warning! Download Update | Uninstall old version and install new one (jre-8u421-windows-x64.exe).
  • Kaspersky Free v.21.2.16.590 Warning! Download Update
  • LibreOffice 7.0.2.2 v.7.0.2.2 Warning! Download Update
  • Microsoft Teams v.1.6.00.4472 Warning! Download Update
  • Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.38.33135 v.14.38.33135.0 Warning! Download Update
  • Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 v.14.36.32532.0 Warning! Download Update
  • Microsoft Visual Studio Code (User) v.1.89.1 Warning! Download Update
  • Node.js v.18.16.0 Warning! Download Update
  • NVIDIA GeForce Experience 3.27.0.112 v.3.27.0.112 Warning! Download Update
  • Oracle VM VirtualBox 6.1.16 v.6.1.16 Warning! Download Update


Then RESTART the computer and check for Windows Updates and install any found


  • Root Admin

If everything above has been completed, then please RESTART the computer one more time and get me new fresh logs

Scan with SecurityCheck by glax24
https://forums.malwarebytes.com/topic/307301-scan-with-securitycheck-by-glax24/


Scan with FSS Farbar Service Scanner
https://forums.malwarebytes.com/topic/306736-scan-with-fss-farbar-service-scanner/


Scan with Farbar Recovery Scan Tool
https://forums.malwarebytes.com/topic/306601-scan-with-farbar-recovery-scan-tool/

 

Create an Autoruns Log:

  • Please download Sysinternals Autoruns from here:   https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
  • Save Autoruns.zip to your computer. Then locate it and extract it to a new folder where you can find and run it.
  • Once it starts you may not be able to easily stop the scan but you can try to press the Escape key on your keyboard.
  • Once scanning is stopped, click on the Options menu at the top of the program and select Scan Options... 
  • Then place a check mark on the following items Verify Code Signatures, Check VirusTotal.com, and Submit Unknown Images
  • Then click the Rescan button. Agree to the VirusTotal EULA
  • NOTE: You must allow AutoRuns to run for at least 20 minutes to complete the VirusTotal scan. If you attempt to save the file sooner it will not be complete
  • Once the new scan has been completed, please click on the File button at the top of the program and select Save, or use the Save icon, and save the Autoruns.arn file to your desktop and close Autoruns.
  • Right-click on the Autoruns.arn file (it will typically be the name of your computer) on your desktop or where you save it, and hover your mouse over Send To and select Compressed (zipped) Folder
  • Attach the Autoruns.zip folder (your computer name.zip) you just created to your next reply.

Next,

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to the Public desktop, please upload that file on your next reply

 

Thank you


Oh sorry, I did not think there was still so much to do. I have solved the issues with the software; one issue I had was with installing a Windows security update.

https://learn.microsoft.com/en-us/answers/questions/1552756/how-to-fix-the-problem-of-update-windows-10-(-down

I tried the fixes from this post, but it still did not work, maybe it will work a bit later.

I have all the fresh logs.

SecurityCheck.txt FSS.txt FRST.txt Addition.txt ZURIS-BEAST.zip mbst-grab-results.zip


  • Root Admin

[ 1 ]

Please update Google Chrome

Google Chrome v.126.0.6478.183 Warning! Download Update

 

[ 2 ]

Then clean Google Chrome up

 

Please follow the directions from the following topic for a more extensive article on cleaning Google Chrome

Resetting Google Chrome to clear unexpected issues
 

[ 3 ]

Did you run the Kaspersky Removal Tool?  The logs indicate there are still entries from Kaspersky enabled on the system.

 

[ 4 ]

It looks like we may have removed a valid driver for VBVoicemeeterVAIOMME

If you're having any issues with it and still want to use it you may need to reinstall it.

https://vb-audio.com/Voicemeeter/

You have some Restrictions on Windows Defender that should not be there. We may need to run another Fix script possibly from Safe Mode


Chrome is now up to date.

I don't think clearing chrome is necessary, I keep an eye on the extensions and keep myself safe on the web not clicking any shady links, I also do not want to lose my passwords or important data while doing so. If you do think it's really necessary then I will give it a go.

I did run the kaspersky removal tool, I can do so again and provide the logs from it. 

I am getting support from the VB team to solve the driver issue. 

What kind of restrictions are those?


  • Root Admin

You don't have to clear Chrome if you don't wish to. However, that indicates you're not ready for catastrophe.

I would recommend you ensure you have things that matter to you such as History, Bookmarks, Passwords backed up to some type of medium or program outside of Google Chrome in case there ever is an attack or hardware failure.

Saving passwords in any browser is not recommended. There are attacks that have been known to compromise accounts from browsers. Please use a dedicated password manager such as 1Password, Bitwarden, Keepass, etc.

 

Please make the following change in Malwarebytes if you're using the Premium or Trial version

  • Please open Malwarebytes. Click on the small gear icon to open the Settings and go to the General tab.
  • Then turn off "Always register Malwarebytes in the Windows Security Center"
  • Restart the computer

 

Restart the computer again and get me a fresh set of Farbar scans logs FRST and Addition and I'll write a new fixlist to clean up Kaspersky and remove any restrictions in place.


  • Root Admin

[ 1 ]

This is an old, out-of-date version of Java. Unless you're doing Java programming you really shouldn't even need it. If you are doing Java programming, then unless you're working on fixed code that is dependent on it, I would highly recommend you uninstall it and install the latest version.

Java(TM) SE Development Kit 17.0.1 (64-bit)

 

[ 2 ]

Your DNS Servers: 192.168.1.1   

Please consider changing your default DNS server settings. Please choose one provider only

DNS is what lets users connect to websites using domain names instead of IP addresses

Pick just one of these 5 providers. And be aware that you need to modify 1 time for IPv4 & a 2nd pass for IPv6

  • Quad 9 Public DNS: IPv4 9.9.9.9 and 149.112.112.112; IPv6 2620:fe::fe and 2620:fe::9 (one of the best for most users)
  • Google Public DNS: IPv4 8.8.8.8 and 8.8.4.4; IPv6 2001:4860:4860::8888 and 2001:4860:4860::8844
  • Cloudflare: IPv4 1.1.1.1 and 1.0.0.1; IPv6 2606:4700:4700::1111 and 2606:4700:4700::1001
  • OpenDNS: IPv4 208.67.222.222 and 208.67.220.220; IPv6 2620:119:35::35 and 2620:119:53::53
  • DNSWATCH: IPv4 84.200.69.80 and 84.200.70.40; IPv6 2001:1608:10:25::1c04:b12f and 2001:1608:10:25::9249:d69b


The Ultimate Guide to Changing Your DNS Server
https://www.howtogeek.com/167533/the-ultimate-guide-to-changing-your-dns-server/

Here is a YouTube video on Changing DNS settings if needed

 

[ 3 ]

You have a continued repeating fault from the following. Perhaps not malware related but I'd suggest looking into correcting the issue or possibly uninstalling it.

Error: (07/25/2024 12:13:14 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: RzChromaConnectServer, version: 1.0.0.42, time stamp: 0x667a7744
Faulting module name: ucrtbase.dll, version: 10.0.19041.3636, time stamp: 0x6763d3a2
Exception code: 0xc0000409
Fault offset: 0x0009eddb
Faulting process ID: 0x2de0
Faulting application start time: 0x01dade16ad80b06f
Faulting application path: C:\Program Files (x86)\Razer Chroma SDK\bin\RzChromaConnectServer
Faulting module path: C:\WINDOWS\System32\ucrtbase.dll
Report ID: 8b5cd864-2976-4e73-b686-82b0b53053df
Faulting package full name:
Faulting package-relative application ID:

 

https://mysupport.razer.com/app/answers/detail/a_id/1906

 

[ 4 ]

The act of torrenting itself is not illegal. However, downloading and sharing unsanctioned copyrighted material is illegal, and there is always a chance of prosecution if caught by the authorities.
Torrenting non-copyrighted material is perfectly fine and is allowed. However, be aware that we have seen increased malware bundled with software downloads over P2P.

Recent Ransomware infections have been seen to encrypt user data so that no one can decrypt the data without the private key.
When sharing files, please keep in mind that you're increasing your system's attack surface area, which can increase the risk of infection.

Scan all files before running them. https://www.virustotal.com

If you don't need or use the P2P software, you should uninstall it.

P2P File-Sharing: Know the Risks
https://www.bankinfosecurity.com/p2p-file-sharing-know-risks-a-737

 

Hidden risks in pirated software https://news.microsoft.com/apac/2019/01/08/hidden-risks-in-pirated-software/
Why You Shouldn't Use Pirated Software (But Why People Still Do) https://www.computer.org/publications/tech-news/trends/why-you-shouldnt-use-pirated-software


Games that use P2P

Malwarebytes can often block Steam and other games because Steam uses what is known as Peer-to-Peer (P2P) technology, meaning it connects to many different servers, workstations, and IP addresses.

Sometimes Torrent based software will connect to a server that is also known for hosting malicious content. This is because multiple sites often share servers, workstations, IP addresses.

So although what you are playing or downloading through Torrent-based software may be perfectly safe, some of the sites hosted on some of the IP addresses the Torrent-based software connects to may be malicious.
Such connections are typically not a threat, and you may exclude Torrent-based software from the Web Protection component in Malwarebytes to stop the block alerts.

Generally speaking, your web browser and other critical web-facing programs will still be fully protected from malicious websites and other malicious content.

To do so, add the game executable program file to your exclusions using the method described under the Exclude an Application that connects to the Internet section of Exclude detections in Malwarebytes for Windows

https://support.malwarebytes.com/hc/en-us/articles/22766550894867-Add-and-remove-items-from-the-Allow-list-in-Desktop-Security

NOTE: Some torrenting software binds to your network card, and it may not be possible to exclude from Malwarebytes.

 

[ 5 ]

Please see the following information about the KB5034441 Windows Update installation failure

 

Microsoft says KB5034440 and KB5034441 updates won't be offered to PCs that meet these conditions
https://www.ghacks.net/2024/07/11/microsoft-says-kb5034440-and-kb5034441-updates-wont-be-offered-to-pcs-that-meet-these-conditions/

KB5034441: Windows Recovery Environment update for Windows 10, version 21H2 and 22H2: January 9, 2024
https://support.microsoft.com/en-us/topic/kb5034441-windows-recovery-environment-update-for-windows-10-version-21h2-and-22h2-january-9-2024-62c04204-aaa5-4fee-a02a-2fdea17075a8

IMPORTANT: This update is not needed and will not be offered if your Windows Recovery Environment (WinRE) meets any of the following conditions:

  • If the WinRE recovery partition does not have sufficient free space.
  • If the WinRE recovery partition was manually updated by using the procedure in Add an update package to Windows RE and is already up to date.
  • If the WinRE image has a version greater than or equal to version 10.0.19041.3920. To determine the version of your WinRE image, check the WinREVersion registry value at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion.
  • If your running PC does not have a WinRE recovery partition. To verify if you have WinRE enabled, run the following command in an elevated command prompt: reagentc /info. If WinRE is enabled, you will see Windows RE status in the output with a value of Enabled. In this scenario, this update might be needed.

 

Older information

Microsoft won't fix Windows 0x80070643 errors, manual fix required
May 2, 2024
https://www.bleepingcomputer.com/news/microsoft/microsoft-wont-fix-windows-0x80070643-errors-manual-fix-required/

KB5028997: Instructions to manually resize your partition to install the WinRE update
https://support.microsoft.com/en-us/topic/kb5028997-instructions-to-manually-resize-your-partition-to-install-the-winre-update-400faa27-9343-461c-ada9-24c8229763bf

Extend the Windows RE Partition using PowerShell (Microsoft)
https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/add-update-to-winre?view=windows-11#extend-the-windows-re-partition


Microsoft shares script to update Windows 10 WinRE with BitLocker fixes
January 11, 2024
https://www.bleepingcomputer.com/news/microsoft/microsoft-shares-script-to-update-windows-10-winre-with-bitlocker-fixes/

 

[ 6 ]

This alert was logged a couple of times. Perhaps from cleaning and updating it caused the issue. We can probably ignore it but wanted you to be aware of it.

Date: 2024-07-24 19:09:19
Description:
Program antywirusowy Microsoft Defender has encountered an error trying to update security intelligence and will attempt to revert to a previous version.
Security intelligence Attempted: Bieżące
Error Code: 0x80501102
Error description: Wystąpił nieoczekiwany problem. Zainstaluj dostępne aktualizacje, a następnie spróbuj ponownie uruchomić program. Aby uzyskać informacje na temat instalowania aktualizacji, zobacz Pomoc i obsługę techniczną.
Security intelligence Version: 1.415.205.0;1.415.205.0
Engine Version: 1.1.24060.5

 

[ 7 ]

Please run the following Farbar FIX

 

The Farbar (FRST) program is located here in your downloads folder:  C:\Users\zurin\Downloads\FRSTEnglish.exe 

Please follow the process below to perform a fix in Safe Mode

 

Start in Safe mode:

  • Press the Windows icon on the keyboard together with the letter I, to get into the Settings.
  • Choose Update and Security.
  • From the menu at the left, choose Recovery.
  • Under the title Advanced startup at the right, choose Restart now.
  • From the window that will appear choose Troubleshoot and then Advanced options.
  • Choose Startup Settings and then Restart.
  • Press number 5, for choosing Safe mode with networking.
  • You will know that you are in Safe mode, if the background is black and Safe mode is written at the four corners of the screen.


After that:

Please do the following to run a FRST fix.

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system

  • Select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy ". No need to paste anything to anywhere.

 

Start::
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiSpyware] Restriction
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiVirus] Restriction
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate: Restriction
GroupPolicy: Restriction
AV: Kaspersky Free (Enabled - Up to date) {4F76F112-43EB-40E8-11D8-F7BD1853EA23}
AV: Kaspersky Free (Enabled - Up to date) {0AB30972-4BAC-7BEE-CBCA-B8F9E68797D8}
AS: Kaspersky Free (Enabled - Up to date) {B1D2E896-6D96-7460-F17A-838B9D00DD65}
S1 klgse; C:\WINDOWS\System32\DRIVERS\klgse.sys [657696 2021-03-15] (Kaspersky Lab JSC -> AO Kaspersky Lab)
C:\ProgramData\Kaspersky Lab
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
C:\Users\zurin\AppData\Local\Temp\*
End::

 

  • Right-click on FRSTEnglish in your Downloads folder, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt in your Downloads folder or where you have the Farbar program located.
  • Attach that log in your next reply.
 
NOTE: You can also save the above FIX script portion as a FIXLIST.TXT file into this folder:  C:\Users\zurin\Downloads\    to run the FIX
 
 
[ 8 ]
Restart the computer back into Normal Mode and run the following ESET AV scan
 
 

Please run the following ESET Online Scanner and perform a Full Scan

 

Click the following link to save the installer for ESET Online Scanner

https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe"
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get started. 
  • When presented with the initial ESET screen, click on "Get Started". Read and accept the Terms of use
  • On the "Before we start..." screen choose whether you want to send anonymous data and whether you want to provide feedback, then click Continue
  • When prompted for scan type, Click on the Full Scan button
  • Enable  ( select )   the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click the Start scan button.
  • Have patience.  The entire process may take a few hours or more.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.
  • Click The blue “Save scan log” to save the log and give it a name and location you remember.
  • If something was removed and you know it is a false positive, you may click on the blue ”Restore cleaned files”  ( in blue, at the bottom).
  • Press Continue when all done.  You should click to turn off the offer for “periodic scanning”.
  • Enable "Delete application data on closing" - You do not need to submit feedback unless you want to. Simply ignore and close the program.

 

Note: If you do need to do a File Restore from ESET please follow the directions below

[KB2915] Restore files quarantined by the ESET Online Scanner version 3

https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner

 

Please attach the ESET scan log you saved at the end to your next reply
Thank you
I got rid of the Java Development Kit, I set up my DNS servers, I was able to fix the Windows update by expanding the partition, I did the fixlist in Safe Mode and lastly I finished the ESET scan; it was a long one. Here are the requested logs.

The detection in ESET is nothing to worry about, so it basically came clean. 

Fixlog.txt ESET log.txt
  • Root Admin

Thank you for the logs. Looks good overall. @Zurinto

Restore the file:  C:\Program Files (x86)\Steam\steamapps\common\The Long Drive\OnlineFix64.dll

Then upload it to https://virustotal.com and have them scan it and post back the URL link when done, please.
Please RESTART the computer one more time and post back NEW fresh logs. We look to be very close to finished now.
Scan with SecurityCheck by glax24
https://forums.malwarebytes.com/topic/307301-scan-with-securitycheck-by-glax24/


Scan with FSS Farbar Service Scanner
https://forums.malwarebytes.com/topic/306736-scan-with-fss-farbar-service-scanner/


Scan with Farbar Recovery Scan Tool
https://forums.malwarebytes.com/topic/306601-scan-with-farbar-recovery-scan-tool/


Scan with Malwarebytes
https://forums.malwarebytes.com/topic/304827-scan-with-malwarebytes/


Scan with AdwCleaner
https://forums.malwarebytes.com/topic/304822-scan-with-adwcleaner/
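When a single file such as the quarantined OnlineFix64.dll is to be checked on VirusTotal, it is often enough to look up its hash rather than upload the file, because VirusTotal's web interface resolves a file report by SHA-256. The following is an added example, not code from the forum thread or from ESET, Malwarebytes or VirusTotal; the helper names (`file_hashes`, `virustotal_lookup_url`, `hash_report`) are hypothetical, and the sample file it hashes is constructed in a temporary directory so the script runs offline.

```python
import hashlib
import os
import tempfile

# Hypothetical helpers; not part of the forum post or of any vendor tool.
CHUNK_SIZE = 1 << 20  # 1 MiB: stream the file so a large DLL is not read into memory at once


def file_hashes(path):
    """Return the MD5, SHA-1 and SHA-256 hex digests of a file on disk."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            md5.update(chunk)
            sha1.update(chunk)
            sha256.update(chunk)
    return {
        "md5": md5.hexdigest(),
        "sha1": sha1.hexdigest(),
        "sha256": sha256.hexdigest(),
    }


def virustotal_lookup_url(sha256_hex):
    """Build the VirusTotal web UI URL for an existing file report, keyed by SHA-256."""
    if len(sha256_hex) != 64 or any(c not in "0123456789abcdef" for c in sha256_hex):
        raise ValueError("expected a lowercase 64-character SHA-256 hex digest")
    return f"https://www.virustotal.com/gui/file/{sha256_hex}"


def hash_report(path):
    """Combine the digests with the lookup URL so they can be pasted into a forum reply."""
    digests = file_hashes(path)
    return {
        "file": os.path.basename(path),
        "size": os.path.getsize(path),
        **digests,
        "virustotal": virustotal_lookup_url(digests["sha256"]),
    }


if __name__ == "__main__":
    # Constructed sample file standing in for the DLL; contents are arbitrary test bytes.
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "OnlineFix64.dll")
        with open(sample, "wb") as fh:
            fh.write(b"constructed sample bytes, not a real binary\n")
        for key, value in hash_report(sample).items():
            print(f"{key}: {value}")
```

If VirusTotal already has a report for that SHA-256, the printed URL opens it directly; only if it has none does the file itself need to be uploaded, which is the step the forum post asks for.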
  • Root Admin

Great, the logs look very good today.

There was some type of issue with a Google Update. You might want to download the latest Google installer and reinstall just to ensure it has all its files and settings how they're supposed to be.

The computer no longer shows any signs of an infection at this time. Make sure you use a good password manager such as 1Password, Bitwarden, Keepass, etc. and set a strong password of at least 16 characters and also enable Two Factor Authentication for all sites that allow it.
Never use the same password on other sites. Go change all your online passwords to ensure no one has any of your old account passwords.
Excellent, glad to hear all is well again. I'll go ahead and close your topic now and wish you well.

Please follow the directions below to remove the logs and tools we've used. If any are still left after that you can manually uninstall or delete them.

Take care and stay safe out there. Try to follow as much of the advice below as you can as well.
Let's go ahead and do some clean-up work and remove the tools and logs we've run.

Please download KpRm by kernel-panik and save it to your desktop.

  • right-click kprm_(version).exe and select Run as Administrator.
  • Read and accept the disclaimer.
  • When the tool opens, ensure all boxes under Actions are checked.
  • Under Delete Quarantines select Delete Now, then click Run.
  • Once complete, click OK.
  • A log will open in Notepad titled kprm-(date).txt. You can close it.
We're glad that we were able to assist you.
The following information will help you to keep your computer and data safer as well as improve your overall privacy

  1. Recommend using a Password Manager for all websites, etc. that require a password. Never use the same password on more than one site.
    https://www.howtogeek.com/780233/best-password-manager/
  2. Make sure you're backing up your files https://forums.malwarebytes.com/topic/136226-backup-software/
  3. Keep all software up to date - PatchMyPC - https://patchmypc.com/home-updater#download     https://patchmypc.com/about-us
  4. Keep your Operating System up to date and current at all times - https://support.microsoft.com/en-us/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2
  5. Further tips to help protect your computer data and improve your privacy: https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/ 
  6. Please consider installing the following Content Blockers for your Web browsers if you haven't done so already. This will help improve overall security

Malwarebytes Browser Guard

uBlock Origin
Cybersecurity basics & protection
Everything you need to know about cybercrime
https://www.malwarebytes.com/cybersecurity
Further reading if you'd like to keep up on the malware threat scene: Malwarebytes Blog  https://blog.malwarebytes.com/

Hopefully, we've been able to assist you with correcting your system issues.

Thank you for using Malwarebytes. Please tell your friends and family if they too need assistance with malware removal
This topic is now closed to further replies.