
getting virus infected your machine this morning - help :)

535 views 56 replies 2 participants last post by  Dano2  
#1 · (Edited)
Sorry folks, I didn't read the "read this first". I downloaded Farbar and will attach files. Very sorry.

Hi all,
I have a Lenovo Laptop with Win11. This morning for the first time ever the screen froze as soon as I connected to wifi and said I've been infected, don't turn off your machine, call a Microsoft number, which of course I did not.

I'm disconnected from wifi now and am in Safe Mode and on the Windows Security screen, which is just all white.

So now I am stuck. Any help would be sooo greatly appreciated. Luckily I am on my wife's computer right now.

Regards. Dano
 
#3 ·
Hi, Dano!

I will be assisting you regarding your computer's issues.

Please adhere to the guidelines below, and then carefully follow all the instructions after them, in the same order:

1. Always ask before acting. Do not continue if you are not sure, or if something unexpected happens!

2. Do not run any tools unless instructed to do so. Also, do not uninstall or install any software during the procedure, unless I ask you to do so.

3. Cracked or pirated programs are not only illegal, but also can make your computer a malware target. Having such programs installed is the easiest way to get infected. Thus, there is no need to clean the computer, since, sooner or later, it will get infected again. If you have such programs, please uninstall them now, before we start the cleaning procedure.

4. If your computer seems to start working normally, don't abandon the topic. Even if your system is behaving normally, there may still be some malware remnants left over. Additionally, malware can re-infect the computer if some remnants are left. Therefore, please complete all requested steps to make sure any malware is successfully eradicated from your PC.

5. If you are having problems with a business machine, please consult your IT Department or System Administrator. We do not fix business/work computers.

6. You have to reply to my posts within 3 days. If you need some additional time, just let me know. Otherwise, I will leave the topic due to lack of feedback. If you are able, I would request you to check this thread at least once per day so that we can resolve your issues effectively and efficiently.

7. Logs from malware diagnostic or removal programs can take some time to get analyzed. Also, bear in mind that all the experts here are volunteers and may not be available to assist when you post. Please be patient while I analyze your logs.

P.S. My time zone is UTC +2. If there is a time difference, do not worry, be happy. We will deal.


========================================================

I'll need a considerable amount of time to review your logs and come back to you. This will most probably be tomorrow morning, my time.
 
#5 ·
Hello and thanks so much for your help with my machine. It's back in normal mode now; I had read somewhere to put it in Safe Mode to be able to run the Defender virus scan. It's now in Normal.

Silly question: what and where is the FRST tool, and do I download it? Oh, and I have had the laptop disconnected from the wifi since I saw the virus.
 
#6 ·
The FRST tool is the tool you already ran to attach the two logs. It is located here:
Running from D:\dans computer virus\FRST64.exe

I would like you to move it directly onto your Desktop.

After that:

Connect to the internet and run FRST tool. Attach the fresh logs for me to check.
 
#9 ·
Thank you so much! I wanted to mention I found a strange .exe program called Wave Browser that I thought seemed strange in my downloads folder. No idea where that came from.
I'll check back in first thing in the am, thanks again for all the help...
 
#10 ·
Good morning to you, Dano!

I am ready!

1. Java

There are very few reasons these days to continue having Java installed on your computer. However, if you do elect to keep Java, it needs to be updated to the latest version, which you can find here: Java SE Runtime Environment 8 - Downloads. For now: just uninstall Java and DO NOT install it until I tell you.


2. FRST fix

Please do the following to run a FRST fix.

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system.
  • Select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy". No need to paste anything anywhere.
Code:
Start::
CreateRestorePoint:
CloseProcesses:
CustomCLSID: HKU\S-1-5-21-2146249267-428957446-2346509031-1001_Classes\CLSID\{113b8d53-e3e1-b7a2-c90a-176c40f3f722}\localserver32 -> "C:\ProgramData\Lenovo\Udc\Hosts\x64\MessagingPlugin.exe" -ToastActivated => No File
CustomCLSID: HKU\S-1-5-21-2146249267-428957446-2346509031-1001_Classes\CLSID\{51694bf6-7178-71ba-ba8c-cd64aadfc7f1}\localserver32 -> "C:\ProgramData\Lenovo\Udc\Hosts\24.10.0.10\x64\MessagingPlugin.exe" -ToastActivated => No File
SearchScopes: HKU\S-1-5-21-2146249267-428957446-2346509031-1001 -> DefaultScope {25EA5F43-9A22-4971-8099-B516D03EF30A} URL = 
SearchScopes: HKU\S-1-5-21-2146249267-428957446-2346509031-1001 -> {25EA5F43-9A22-4971-8099-B516D03EF30A} URL = 
BHO: No Name -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> No File
FirewallRules: [UDP Query User{E221BF0C-BB02-49A1-A5DE-DDE0E3FB90E4}C:\users\14254\wavesor software\wavebrowser\wavebrowser.exe] => (Block) C:\users\14254\wavesor software\wavebrowser\wavebrowser.exe => No File
FirewallRules: [TCP Query User{A48C1269-B464-4DD3-9997-FBF933283B07}C:\users\14254\wavesor software\wavebrowser\wavebrowser.exe] => (Block) C:\users\14254\wavesor software\wavebrowser\wavebrowser.exe => No File
FirewallRules: [UDP Query User{B6513CA3-6863-4741-A2F7-0CC12F52B3E3}C:\users\14254\wavesor software\wavebrowser\wavebrowser.exe] => (Block) C:\users\14254\wavesor software\wavebrowser\wavebrowser.exe => No File
FirewallRules: [TCP Query User{014A78A6-FB10-443D-AF50-FB12008A281C}C:\users\14254\wavesor software\wavebrowser\wavebrowser.exe] => (Block) C:\users\14254\wavesor software\wavebrowser\wavebrowser.exe => No File
FirewallRules: [{2FDAF99D-13D8-4916-94C9-D85F005A69B1}] => (Allow) D:\Network\EpsonNetSetup\ENEasyApp.exe => No File
FirewallRules: [{BE25C673-D52A-4CAE-94D2-2E5977D5DB0E}] => (Allow) D:\Network\EpsonNetSetup\ENEasyApp.exe => No File
FirewallRules: [UDP Query User{57AE851E-4ACA-45CA-B030-C4234FB0C3C9}C:\program files\nodejs\node.exe] => (Block) C:\program files\nodejs\node.exe => No File
FirewallRules: [TCP Query User{4392BD7E-2A77-4166-98B9-4EB108DECBC0}C:\program files\nodejs\node.exe] => (Block) C:\program files\nodejs\node.exe => No File
FirewallRules: [{1A95D628-2D2D-4B88-9372-6E0D7C33B767}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\Lync.exe => No File
FirewallRules: [{68C74ABB-0DAA-4AFF-BFFF-3DC60A0E881B}] => (Allow) C:\Program Files (x86)\Microsoft Office\root\Office16\UcMapi.exe => No File
FirewallRules: [{907D7F72-6745-403C-B0EE-99962B437D20}] => (Allow) D:\Network\EpsonNetSetup\ENEasyApp.exe => No File
FirewallRules: [{BC27B963-E852-446A-B155-5B5F01B771AA}] => (Allow) D:\Network\EpsonNetSetup\ENEasyApp.exe => No File
HKLM\Software\...\Authentication\Credential Providers: [{C885AA15-1764-4293-B82A-0586ADD46B35}] -> 
Task: {F8B63F14-164A-4A90-AB54-C002F913A87E} - System32\Tasks\Lenovo\Vantage\Schedule\NotificationCenter => C:\Program Files (x86)\Lenovo\VantageService\3.13.72.0\ScheduleEventAction.exe  NotificationCenter (No File)
Task: {50F8F553-439B-4EC9-B45B-7E4191FCD908} - System32\Tasks\Lenovo\Vantage\Schedule\VantageCoreAddinIdleScheduleTask => C:\ProgramData\Lenovo\Vantage\Addins\VantageCoreAddin\1.0.0.215\x64\IdleScheduleEventAction.exe  (No File)
Task: {48E9AD04-5FE9-434C-9A85-24C87543E845} - System32\Tasks\Lenovo\Vantage\Schedule\VantageTelemetryAddinTask => C:\Program Files (x86)\Lenovo\VantageService\3.6.15.0\ScheduleEventAction.exe  VantageTelemetryAddinTask (No File)
Task: {FD86A958-6378-4B37-94AA-D864C088F29B} - System32\Tasks\Lenovo\Vantage\StartupFixPlan => C:\Program Files (x86)\Lenovo\VantageService\4.2.24.0\\uninstall.exe  /repair (No File)
Task: {077BA067-7C15-40F0-B22E-C9DC2A54B4A2} - System32\Tasks\Microsoft\Windows\Location\Notifications => %windir%\System32\LocationNotificationWindows.exe  (No File)
Task: {CCDFC0B8-01A3-4E74-A820-4F13F51D269E} - System32\Tasks\Microsoft\Windows\Mobile Broadband Accounts\MNO Metadata Parser => %SystemRoot%\System32\MbaeParserTask.exe  (No File)
Task: {D883B702-B223-4333-ADDA-59049B8B8DDA} - System32\Tasks\Microsoft\Windows\PI\SecureBootEncodeUEFI => %WINDIR%\system32\SecureBootEncodeUEFI.exe  (No File)
Task: {27CE9D59-9D48-4D29-99BC-64657AEBA494} - System32\Tasks\Microsoft\Windows\Security\Pwdless\IntelligentPwdlessTask => {8702A841-D5CA-47C3-812D-9CEDC304C200}
Task: {D6E63CDA-860D-45B4-9454-E5AF0BCA9B99} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\MusUx_UpdateInterval => %systemroot%\system32\MusNotification.exe  Display (No File)
Task: {AB2A264A-7571-4BBD-8CA6-62D4863D9426} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Reboot_AC => %systemroot%\system32\MusNotification.exe  /RunOnAC EngagedRebootReminder (No File)
Task: {1E880313-AC5E-4731-9B80-A8CD310B14A6} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Reboot_Battery => %systemroot%\system32\MusNotification.exe  /RunOnBattery EngagedRebootReminder (No File)
Task: {F3E6E7ED-A196-4E44-8803-55FAB3AD4E29} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker => %systemroot%\system32\MusNotification.exe  (No File)
CMD: DISM /Online /Cleanup-Image /RestoreHealth
CMD: SFC /scannow
EmptyTemp:
End::
  • Right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt on your Desktop.
  • Post the log in your next reply.
RECOMMENDATION: Do not use the computer while running the fixlist. Bear in mind that at some point there will be a restart of the system, so any unsaved work will be gone.


In your next reply, please post:
  1. If uninstalling Java ran smoothly
  2. The fixlog.txt
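An added example, not from this thread or either participant: a read-only PowerShell audit that lists firewall rules and scheduled-task actions whose target executable no longer exists on disk, the same class of entry (the "=> No File" and "(No File)" lines) that the FRST fixlist above removes. It assumes an elevated Windows PowerShell 5.1 or later session on Windows 10/11, where the NetSecurity and ScheduledTasks modules are present by default.

```powershell
# Added example (not from the thread): list firewall rules and scheduled-task
# actions whose target executable no longer exists. Same class of entry as the
# "=> No File" / "(No File)" lines in the FRST fixlist above. Read-only audit.
# Assumes an elevated Windows PowerShell 5.1+ session on Windows 10/11.

function Expand-ProgramPath {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $null }
    # Strip surrounding quotes and expand %windir%, %SystemRoot%, etc.
    return [Environment]::ExpandEnvironmentVariables($Path.Trim().Trim('"'))
}

function Get-OrphanFirewallRule {
    foreach ($rule in Get-NetFirewallRule) {
        $prog = Expand-ProgramPath (($rule | Get-NetFirewallApplicationFilter).Program)
        # 'Any' and 'System' are not file paths, so skip them
        if (-not $prog -or $prog -in @('Any', 'System')) { continue }
        if (-not (Test-Path -LiteralPath $prog)) {
            [pscustomobject]@{ Kind = 'FirewallRule'; Name = $rule.DisplayName
                               Action = $rule.Action; Target = $prog }
        }
    }
}

function Get-OrphanTaskAction {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            $exe = Expand-ProgramPath $action.Execute
            # COM-handler actions carry a CLSID instead of a program, and bare
            # names like cmd.exe resolve via PATH rather than a fixed location;
            # skip both, since neither can be checked with Test-Path.
            if (-not $exe -or $exe.StartsWith('{')) { continue }
            if (-not [System.IO.Path]::IsPathRooted($exe)) { continue }
            if (-not (Test-Path -LiteralPath $exe)) {
                [pscustomobject]@{ Kind = 'ScheduledTask'
                                   Name = $task.TaskPath + $task.TaskName
                                   Action = $action.Arguments; Target = $exe }
            }
        }
    }
}

# Combine both result sets and show them grouped by kind and target path
@(Get-OrphanFirewallRule) + @(Get-OrphanTaskAction) |
    Sort-Object Kind, Target | Format-Table -AutoSize
```

Entries it lists are only candidates for cleanup: as the fixlist above shows, legitimate vendor software (Lenovo Vantage, Office, printer setup tools) leaves the same kind of orphan as the Wave Browser rules, so review each line before removing anything.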
 
#18 ·
OK, it finished but I only got this message: Fix completed. Fixlog.txt is saved in the same directory FRST is located.
The computer needs a restart. Please close all open windows. Note that you will not get any notification from the tool after restart. Click OK to restart.
 
#20 ·
From my instructions above:

RECOMMENDATION: Do not use the computer while running the fixlist. Bear in mind that at some point there will be a restart of the system, so any unsaved work will be gone.

Let the computer restart and post the fixlog.txt.
 
#24 ·
The result is good.

To ensure that everything is clean:

1. Run Malwarebytes (scan only)
  • Download Malwarebytes and save it to your Desktop.
  • Once downloaded, close all programs and windows on your computer.
  • Double-click on the icon on your desktop named MBSetup.exe. This will start the installation of MBAM onto your computer.
  • Follow the instructions to install the program.
  • When finished, double click the program's icon created on your Desktop.
  • Click the little gear in the menu at the left (Settings) and when it opens, click the General tab. Under the title Windows Security Center, make sure the option is disabled.
  • Click the Scan and Detections tab and under the Scan options title, enable Scan for rootkits option. Do not change any other option.
  • Return to the Dashboard and choose Scan.
  • When finished, you will see the Threat Scan Summary window open.
  • If threats are not found, click View Report and proceed to the last two steps below.

    If threats are found, make sure that none of the threats are selected, close the program and proceed to the next steps below.
    • Open Malwarebytes again, click on the Scanner, and then on the Reports tab.
    • Find the report with the most recent date and double click on it.
    • Click on Export and then Copy to Clipboard.
    • Paste its content here, in your next reply.


2. Run AdwCleaner (scan only)

Download AdwCleaner and save it to your desktop.
  • Double click AdwCleaner.exe to run it.
  • Click the Scan Now button.
  • Once the scan completes, AdwCleaner shows you all detected PUPs and adware. DO NOT check anything found, and click Next.
  • If any preinstalled software was detected on your device, a message notifies you that your action is requested. DO NOT check anything, and click Cancel to continue.
  • Click the Log Files tab.
  • Double click on the latest scan log (Scan logs have a [S0*] suffix, where * is replaced by a number, the latest scan will have the largest number)
  • A Notepad file will open containing the results of the removal.
  • Please post the contents of the file in your next reply.
Note: Click Skip Basic Repair if you are asked to.


In your next reply, please post:
  1. The Malwarebytes report
  2. The AdwCleaner[S0*].txt
 
#25 ·
Malwarebytes finished and showed 3 threats. But if I close the program and then open it again, it goes back to the threats detected screen and there isn't a Scanner button or Reports button (see attached screenshot). Or ... do I need to click Next first? (Sorry, just want to make sure I'm getting it right.) :)

If threats are found, make sure that none of the threats are selected, close the program and proceed to the next steps below.
  • Open Malwarebytes again, click on the Scanner, and then on the Reports tab.
 


#26 ·
Yes, I instructed you not to select them at this stage, because I wanted to make sure they are not related to programs you need.

Anyway.

I saw the detected items in your screenshot. They are Wave-related.

Since everything must be removed,
  • Make sure that all threats are selected, and click on Quarantine/Remove selected.
  • You may need to restart the computer.
  • Open Malwarebytes again, click on the Scanner, and then on the Reports tab.
  • Find the report with the most recent date and double click on it.
  • Click on Export and then Copy to Clipboard.
  • Paste its content here, in your next reply.

After that, move on to the AdwCleaner scan. And yes, I don't want you to select the detected items at this stage. :)