
Malware suspicion

11K views, 88 replies, 3 participants, last post by Qwacu
#1 ·
Hello,
When my laptop is done booting, this shows up on the screen: "There is a problem starting winscomrssrv.dll, the specific module could not be found". My Windows Defender is not opening and I am also unable to update my Windows. Don't know what's wrong.

Tech Support Guy System Info Utility version 1.0.0.9
OS Version: Microsoft Windows 10 Home, 64 bit, Build 19041, Installed 20200624202752.000000+060
Processor: AMD A8-7410 APU with AMD Radeon R5 Graphics, AMD64 Family 22 Model 48 Stepping 1, CPU Count: 4
Total Physical RAM: 4 GB
Graphics Card: AMD Radeon(TM) R5 Graphics, 512 MB
Hard Drives: C: 129 GB (62 GB Free); D: 43 GB (32 GB Free); E: 292 GB (129 GB Free);
Motherboard: HP 8015, ver 11.27, s/n PFQLQ018J20BI3
System: American Megatrends Inc., ver HPQOEM - 1072009, s/n 5CD614433F
Antivirus: 360 Total Security, Updated: Yes, On-Demand Scanner: Enabled
 
#78 ·
Thanks for the update. Moving on.

1. Run FRST fix

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system

  • Please select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy". No need to paste anything anywhere.
Code:
Start::
CreateRestorePoint:
CloseProcesses:
FirewallRules: [{632B2A48-52B7-4FDE-92D3-838CEB3BA5AA}] => (Allow) C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe => No File
FirewallRules: [{A0F8964A-8CC6-4694-8ADF-5B6C36222B3D}] => (Allow) C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe => No File
C:\Users\Emmanuel\AppData\Roaming\360DesktopLite
C:\Windows\Tasks\360Disabled
C:\Users\Emmanuel\AppData\Roaming\360DrvMgr
C:\$360Section
C:\Program Files (x86)\360
EmptyTemp:
End::
  • Please right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt on your Desktop.
  • Please post the log in your next reply.

2. Run Eset Online Scanner

Download ESET Online Scanner and save it to your desktop.
  • Right-click on esetonlinescanner_enu.exe and select Run as Administrator.
  • When the tool opens, click Get Started.
  • Read and accept the license agreement.
  • At the Welcome to ESET Online Scanner window, click Get Started.
  • Select whether you would like to send anonymous data to ESET.
  • Note: if you see the "Welcome Back to ESET Online Scanner" screen, click Computer Scan > Full Scan.
  • Click on the Full Scan option.
  • Select Enable ESET to detect and remove potentially unwanted applications, then click Start scan.
  • ESET will now begin scanning your computer. This may take some time.
  • When the scan is finished and if threats have been detected, select Save scan log. Save it to your desktop as eset.txt. Click on Continue.
  • ESET Online Scanner may ask if you'd like to turn on the Periodic Scan feature. Click on Continue.
  • On the next screen, you can leave feedback about the program if you wish. Check the box for Delete application data on closing. If you left feedback, click Submit and continue. If not, Close without feedback.
  • Open the scan log on your desktop (eset.txt) and copy and paste its contents into your next reply.

3. How is the computer now? Please report any remaining issues.

In your next reply please post:

1. The fixlog.txt
2. The Eset report
3. Your comments about any remaining issues
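The two FirewallRules lines in the fix above are flagged because the program they allow no longer exists on disk (FRST prints "=> No File"). As an added example that is not part of this thread and not FRST's own code, the following PowerShell snippet lists every Windows Firewall rule in that state, so leftovers from an uninstalled product can be reviewed; it assumes the built-in NetSecurity module (Windows 8.1/10 or later) and only reports, it does not delete anything.

```powershell
# Added example (not from the thread): list Windows Firewall rules whose target
# executable is missing, the same condition FRST reports as "=> No File".
# Assumes the NetSecurity module that ships with Windows 8.1/10+.
# Run from an elevated PowerShell prompt for a complete view.

Import-Module NetSecurity

$orphans = foreach ($rule in Get-NetFirewallRule) {
    # Every rule carries one application filter; Program is "Any" when no path is set.
    $app = $rule | Get-NetFirewallApplicationFilter
    $program = $app.Program
    if (-not $program -or $program -eq 'Any') { continue }

    # Expand %ProgramFiles% style variables before testing the path.
    $expanded = [Environment]::ExpandEnvironmentVariables($program)
    if (-not (Test-Path -LiteralPath $expanded -PathType Leaf)) {
        [pscustomobject]@{
            Name        = $rule.Name          # GUID-style names like those in the fixlist
            DisplayName = $rule.DisplayName
            Direction   = $rule.Direction
            Action      = $rule.Action
            Program     = $program
        }
    }
}

$orphans | Format-Table -AutoSize

# After reviewing the list, the orphaned rules can be removed by name:
# $orphans | ForEach-Object { Remove-NetFirewallRule -Name $_.Name }
```

A rule for a program that has merely been moved (not uninstalled) will also appear, so check the list before removing anything.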
 
#79 ·
Fix result of Farbar Recovery Scan Tool (x64) Version: 12-08-2020
Ran by Emmanuel (14-08-2020 00:45:15) Run:4
Running from C:\Users\Emmanuel\Desktop
Loaded Profiles: Emmanuel
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
FirewallRules: [{632B2A48-52B7-4FDE-92D3-838CEB3BA5AA}] => (Allow) C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe => No File
FirewallRules: [{A0F8964A-8CC6-4694-8ADF-5B6C36222B3D}] => (Allow) C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe => No File
C:\Users\Emmanuel\AppData\Roaming\360DesktopLite
C:\Windows\Tasks\360DisabledC:\Users\Emmanuel\AppData\Roaming\360DrvMgrC:\$360Section
C:\Program Files (x86)\360
EmptyTemp:

*****************

Restore point was successfully created.
Processes closed successfully.
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{632B2A48-52B7-4FDE-92D3-838CEB3BA5AA}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{A0F8964A-8CC6-4694-8ADF-5B6C36222B3D}" => removed successfully
C:\Users\Emmanuel\AppData\Roaming\360DesktopLite => moved successfully
"C:\Windows\Tasks\360DisabledC:\Users\Emmanuel\AppData\Roaming\360DrvMgrC:\$360Section" => not found
C:\Program Files (x86)\360 => moved successfully

=========== EmptyTemp: ==========

BITS transfer queue => 9199616 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 69705763 B
Java, Flash, Steam htmlcache => 0 B
Windows/system/drivers => 21697402 B
Edge => 0 B
Chrome => 0 B
Firefox => 0 B
Opera => 364869453 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 44318 B
NetworkService => 192372 B
Emmanuel => 135215705 B

RecycleBin => 0 B
EmptyTemp: => 573.1 MB temporary data Removed.

================================

The system needed a reboot.

==== End of Fixlog 00:50:18 ====
 
#81 ·
14/08/2020 08:40:13
Files scanned: 318135
Detected files: 1
Cleaned files: 1
Total scan time 07:15:48
Scan status: Finished


E:\Software\driver_booster_setup.exe a variant of Win32/IObit.AP potentially unwanted application,a variant of Win32/IObit.AU potentially unwanted application,a variant of Win32/IObit.AQ potentially unwanted application,a variant of Win32/IObit.AS potentially unwanted application cleaned by deleting
 
#83 ·
Hi, Qwacu.

Everything looks fine now.

Something we did during the cleaning process was to uninstall the on-demand scanner you were using (360 Total Security). Although it is your decision what to do with your computer, I wouldn't recommend re-installing it. As you have already noticed, it was not playing well with Windows Defender, which is your antivirus program. If you want to have an on-demand program, I would recommend installing an anti-malware program, which can be used once a week or whenever you want, depending on the computer's usage. A good anti-malware program which doesn't create issues with Windows Defender is Malwarebytes. If you go with the free version, it can be used as an on-demand anti-malware scanner. The paid version offers real-time protection, in case you want to buy it one day.

The following tool will remove the tools we used as well as reset system restore points:

Download KpRm by kernel-panik and save it to your desktop.
  • Right-click kprm_(version).exe and select Run as Administrator.
  • Read and accept the disclaimer.
  • When the tool opens, ensure all boxes under Actions are checked.
  • Under Delete Quarantines select Delete Now, then click Run.
  • Once complete, click OK.
  • A log will open in Notepad titled kprm-(date).txt.
  • Please copy and paste its contents in your next reply.

================================================================

Now that your computer is clean, here are some final tips about your computer's security from now on:

Some of the following are from Klein's (2005) article, "So how did I get infected in the first place?". Since then, the article has been reproduced or linked to in dozens of locations. As a result, many malware experts have continued updating it to include current operating systems and software program information. My source is Security Garden, and I marked the following for you:

1. Keep your Windows updated!
It is important always to keep current with the latest security fixes from Microsoft. This can patch many of the security holes through which attackers can infect your computer.

2. Update 3rd Party Software Programs
Third-party software programs have long been targets for malware creators. It has been stated that "Adobe's Reader and Flash and all versions of Java are together responsible for a total of 66 percent of the vulnerabilities in Windows systems exploited by malware." It's important to keep everything updated.

3. Update the browsers you use
Many malware infections install themselves by exploiting security holes in the Internet browser that you use. So... Keep them updated.

4. Be careful about what you download and what you open!
  • Many "freeware" programs come with an enormous amount of bundled spyware that will slow down your system, spawn pop-up advertisements, or just plain crash your browser or even Windows itself. Watch for pre-checked options such as toolbars that are not essential to the operation of the installed software.
  • Peer-to-peer (P2P) programs like Kazaa, BearShare, Imesh, Warez P2P, and others, allow the creation of a network enabling people to connect with other users and upload or download material in a fast efficient manner. BUT even if the P2P software you are using is "clean", a large percentage of the files served on the P2P network are likely to be infected.
  • Cracked or pirated programs are not only illegal, but can also make your computer a malware target. Keep this in mind. ;)
  • Do not open any files without being certain of what they are!
5. Avoid questionable web sites!
Visit web sites that are trustworthy and reputable. Many disreputable sites will attempt to install malware on your system through "drive-by" exploits just by visiting the site in your browser. Lyrics sites, free software sites (especially ones that target young children), cracked software sites, and pornography sites are some of the worst offenders. Also, never give out personal information of any sort online or click "OK" to a pop-up unless it is signed by a reputable company and you know what it is.

6. PC means personal computer!
Don't give access to your computer to friends or family who appear to be clueless about what they are doing.

7. Back-up your work!
Make back-ups of your personal files frequently. You never know when you'll have to reformat and start from scratch. You can always reformat and reinstall programs, but you cannot replace your data if you haven't made backups.

8. Must-Have Software
An anti-virus and an anti-malware program are a necessity for the security of your computer. Be sure that you keep them updated, and that real-time protection is enabled.

If you have any questions or concerns please don't hesitate to ask!

I'm glad I was able to help you.
:)
 
#87 ·
# Run at 15/08/2020 08:38:11
# KpRm (Kernel-panik) version 2.8
# Website https://kernel-panik.me/tool/kprm/
# Run by Emmanuel from C:\Users\Emmanuel\Desktop
# Computer Name: DESKTOP-E8KFRRS
# OS: Windows 10 X64 (19041)
# Number of passes: 1

- Checked options -

~ Registry Backup
~ Delete Tools
~ Restore System Settings
~ UAC Restore
~ Delete Restore Points
~ Create Restore Point
~ Delete Quarantines

- Create Registry Backup -

~ [OK] Hive C:\Windows\System32\config\SOFTWARE backed up
~ [OK] Hive C:\Users\Emmanuel\NTUSER.dat backed up

[OK] Registry Backup: C:\KPRM\backup\2020-08-15-08-38-06

- Delete Tools -

## Autoruns
[OK] C:\Users\Emmanuel\Desktop\autoruns.exe deleted

## ESET Online Scanner
[OK] C:\Users\Emmanuel\Desktop\ESET Online Scanner.lnk deleted
[OK] C:\Users\Emmanuel\Desktop\esetonlinescanner.exe deleted
[OK] C:\Users\Emmanuel\AppData\Local\ESET\ESETOnlineScanner deleted

## FRST
[OK] C:\Users\Emmanuel\Desktop\Addition.txt deleted
[OK] C:\Users\Emmanuel\Desktop\Fixlog.txt deleted
[OK] C:\Users\Emmanuel\Desktop\FRST-OlderVersion deleted
[OK] C:\Users\Emmanuel\Desktop\FRST.txt deleted
[OK] C:\Users\Emmanuel\Desktop\FRST64.exe deleted
[OK] C:\Users\Emmanuel\Downloads\Addition.txt deleted
[OK] C:\Users\Emmanuel\Downloads\FRST.txt deleted
[OK] C:\FRST deleted

## FSS
[OK] C:\Users\Emmanuel\Desktop\FSS.exe deleted
[OK] C:\Users\Emmanuel\Desktop\FSS.txt deleted

- Restore System Settings -

[OK] Reset WinSock
[OK] FLUSHDNS
[OK] Hide Hidden file.
[OK] Show Extensions for known file types
[OK] Hide protected operating system files

- Restore UAC -

[OK] Set EnableLUA with default (1) value
[OK] Set ConsentPromptBehaviorAdmin with default (5) value
[OK] Set ConsentPromptBehaviorUser with default (3) value
[OK] Set EnableInstallerDetection with default (0) value
[OK] Set EnableSecureUIAPaths with default (1) value
[OK] Set EnableUIADesktopToggle with default (0) value
[OK] Set EnableVirtualization with default (1) value
[OK] Set FilterAdministratorToken with default (0) value
[OK] Set PromptOnSecureDesktop with default (1) value
[OK] Set ValidateAdminCodeSignatures with default (0) value

- Clear Restore Points -

~ [OK] RP named Scheduled Checkpoint created at 08/05/2020 20:56:28 deleted
~ [OK] RP named Removed paint.net created at 08/09/2020 16:48:33 deleted
~ [OK] RP named Windows Modules Installer created at 08/12/2020 03:41:58 deleted
~ [OK] RP named Windows Modules Installer created at 08/12/2020 04:19:58 deleted
~ [OK] RP named Windows Modules Installer created at 08/12/2020 04:37:10 deleted
[OK] All system restore points have been successfully deleted

- Create Restore Point -

[OK] System Restore Point created

- Display System Restore Point -

~ RP named KpRm created at 08/15/2020 07:44:15

-- KPRM finished in 457.68s --
 