[SOLVED] Malware + CSI Payload corrupt

Soor,

The attachments are fine. Besides, I asked you to do that.

I would prefer not to use the computer yet.
 
Hi, Soor.

The logs look much better now.


1. FRST fix

Please do the following to run a FRST fix.

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system.
  • Please select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy". No need to paste anything anywhere.
Code:
Start::
CreateRestorePoint:
CloseProcesses:
swMSM (HKLM-x32\...\{612C34C7-5E90-47D8-9B5C-0F717DD82726}) (Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
MSCONFIG\Services: AdobeFlashPlayerUpdateSvc => 3
MSCONFIG\Services: SupportAssistAgent => 2
HKU\S-1-5-21-3830305220-1279632340-1782550212-1001\...\StartupApproved\Run: => "CCleaner Smart Cleaning"
FirewallRules: [TCP Query User{107623D2-075A-4FA4-B6ED-EA246BC65311}C:\users\vandana\appdata\roaming\utorrent\utorrent.exe] => (Allow) C:\users\vandana\appdata\roaming\utorrent\utorrent.exe => No File
FirewallRules: [UDP Query User{09D1DE1C-49A9-4C47-9265-55F849A1BC50}C:\users\vandana\appdata\roaming\utorrent\utorrent.exe] => (Allow) C:\users\vandana\appdata\roaming\utorrent\utorrent.exe => No File
FirewallRules: [TCP Query User{0AEDB9CE-E8EA-462F-9B33-0B7B9D1434B3}C:\users\vandana\appdata\roaming\utorrent\utorrent.exe] => (Block) C:\users\vandana\appdata\roaming\utorrent\utorrent.exe => No File
FF Extension: (Flash Player 2021) - C:\Users\vandana\AppData\Roaming\Mozilla\Firefox\Profiles\sx553c94.default-release\Extensions\{6cc0a66e-ae3d-4cd8-9a03-5cd93b392903}.xpi [2021-10-03]
FF Extension: (Flash Player   ) - C:\Users\vandana\AppData\Roaming\Mozilla\Firefox\Profiles\sx553c94.default-release\Extensions\{87e997f4-ae0e-42e6-a780-ff73977188c5}.xpi [2021-05-30]
R2 LTService; C:\Windows\LocalT.exe [7526072 2021-12-13] (HONGKONG LINGYUN NETWORK MDT INFOTECH LIMITED -> )
S2 Dell Customer Connect; "C:\Program Files (x86)\Dell Customer Connect\DCCService.exe" [X]
S2 DellDigitalDelivery; "C:\Program Files (x86)\Dell Digital Delivery\DeliveryService.exe" [X]
S3 tesrsdt; C:\Windows\system32\drivers\tesrsdt.sys [802920 2020-06-24] (Tencent Technology(Shenzhen) Company Limited -> TENCENT)
S3 UniSafe; C:\Windows\system32\drivers\UniSafe.sys [572632 2021-03-28] (Tencent Technology(Shenzhen) Company Limited -> TENCENT)
2021-12-17 11:43 - 2021-12-13 16:01 - 007526072 _____ C:\Windows\LocalT.exe
2021-12-17 11:40 - 2021-12-20 22:27 - 000000000 ____D C:\Program Files (x86)\PowerControl
2021-12-17 11:40 - 2021-12-17 11:40 - 000003548 _____ C:\Windows\system32\Tasks\PowerControl HR
2021-12-17 11:40 - 2021-12-17 11:40 - 000003292 _____ C:\Windows\system32\Tasks\PowerControl LG
2021-12-17 11:08 - 2021-12-17 11:09 - 022464840 _____ C:\Users\vandana\Downloads\cool-android-assistant.exe
2021-12-17 08:15 - 2021-12-17 08:15 - 000000000 ____D C:\ProgramData\WsAppHelper
2021-12-16 13:51 - 2021-12-16 13:51 - 000980720 _____ C:\Users\vandana\Downloads\drfone_setup_full4008.exe
2021-12-15 22:14 - 2021-12-15 22:15 - 007790371 _____ C:\Users\vandana\Downloads\Bifrost_Android.apk
2021-12-15 22:10 - 2021-12-15 22:10 - 000000000 ____D C:\Users\vandana\Downloads\Bifrost_Windows
2021-12-15 22:02 - 2021-12-15 22:07 - 055228905 _____ C:\Users\vandana\Downloads\Bifrost_Windows.zip
2021-12-14 20:23 - 2021-12-14 20:23 - 000726552 _____ (Spotify Ltd) C:\Users\vandana\Downloads\SpotifySetup.exe
2021-12-07 13:29 - 2021-12-07 13:30 - 036492512 _____ (Piriform Software Ltd) C:\Users\vandana\Downloads\ccsetup587.exe
2021-12-23 00:39 - 2015-05-10 08:46 - 000000000 ____D C:\Users\vandana\AppData\Roaming\uTorrent
2021-12-17 13:49 - 2021-08-09 22:24 - 000000000 ____D C:\Users\vandana\AppData\LocalLow\uTorrent
2021-12-17 12:36 - 2019-05-27 13:24 - 000000000 ____D C:\Users\vandana\AppData\Local\BitTorrentHelper
2021-12-07 18:51 - 2018-07-02 20:05 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tencent Software
2021-12-07 11:43 - 2021-05-30 22:55 - 000000000 ____D C:\Users\vandana\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WonderFox Soft
C:\Windows\system32\drivers\tesrsdt.sys
C:\Windows\system32\drivers\UniSafe.sys
EmptyTemp:
End::
  • Please right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt on your Desktop.
  • Please post the log in your next reply.

2. Uninstall programs

Since you decided to remove the pre-installed software, you may consider uninstalling these now:

CyberLink Media Suite 8
CyberLink PowerBackup 2.5
Dell Backup and Recovery
Dell Product Registration
Dell Software Uninstall
Dell SupportAssist
Dell Update

Also, uninstall the outdated Macromedia Flash 4 and swMSM.


3. Fresh FRST logs


Yes... Once more please. We need to finish it. ;)


In your next reply please post:
  1. The fixlog.txt
  2. What programs did you uninstall and if the process ran fine
  3. Fresh FRST logs, Addition and FRST
  4. Feedback: How is the computer running now? Any remaining question/issue/concern?
 
  1. The fixlog.txt
  2. What programs did you uninstall and if the process ran fine
  3. Fresh FRST logs, Addition and FRST
  4. Feedback: How is the computer running now? Any remaining question/issue/concern?
1. Attaching logs.

2. I have uninstalled Macromedia Flash 4 and swMSM, but I wish to keep the pre-installed software. Is that ok?

3. Attaching logs.

4. The computer is running fine as of now.

Queries/Concern:

1. Is there any way to install MS Office Enterprise?
2. What about the CSI payload corruptions? Are they resolved?
3. Can I restore the pre-installed software from AdwCleaner's quarantine?
4. What about the encrypted files?

And again, THANK YOU SO MUCH! :D
 

Some answers to your questions:

1. Preinstalled software

Although I don't recommend this, and I would go on to uninstall everything (unless you know what each one is and you use it), yes, you can restore the pre-installed software from AdwCleaner's Quarantine. Here is a link about it (which I never used): https://support.malwarebytes.com/hc...dwCleaner-delete-or-restore-quarantined-items

Please, if you want to restore these programs, do not do that now. Wait for the cleaning procedure to complete first.


2. Microsoft Office

As I already explained, the Enterprise edition is for big companies and not for individuals. You had a pirated license for Office (as well as for other programs), and this is one of the reasons you got infected. If you want to have Microsoft Office (Home or Pro), you have to buy it from Microsoft's page. Have in mind that some sellers sell this kind of license to ordinary users. They claim that they sell at a low price, but this type of license may cause issues at a later stage. If you don't buy from Microsoft directly, make sure that the license you are getting is Retail.

In case you just want an Office suite, no matter whether it is Microsoft's, you can try some free alternatives:

Home | LibreOffice - Free Office Suite - Based on OpenOffice - Compatible with Microsoft
www.freeoffice.com - Download
Apache OpenOffice - Official Site - The Free and Open Productivity Suite
WPS Office - Free Office Download for PC & Mobile, Alternative to MS Office

I tried the first two above, and I like them very much. You can open Microsoft Office documents with them and Microsoft Office can open files created with them.

It's your decision. However, do not install anything yet.


3. Encrypted files

I asked you and I think you didn't reply about this. Are your documents encrypted? If yes, the usual reply is that they can't be decrypted now. But we will do some research on this at the end of the procedure.


4. Corrupted files

We are going to check this after I review your fresh logs in a while.
 
Let's perform DISM/SFC with FRST.
  • Please select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy". No need to paste anything anywhere.
Code:
Start::
CloseProcesses:
CMD: DISM /Online /Cleanup-Image /RestoreHealth
CMD: SFC /scannow
EmptyTemp:
End::
  • Please right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt on your Desktop.
  • Please post the log in your next reply.
 
1. Preinstalled software

Although I don't recommend this, and I would go to uninstall everything
I was ok at first, but some options are shown as the file location instead of the name of the option.

For example, in the power options, there used to be an option called "Battery Health", which is now shown as "C:\ProgramFiles\.....".

And I have used SupportAssist for checking driver updates.

That's why I wish to restore the pre-installed software.
Please, if you want to restore these programs, do not do that now. Wait for the cleaning procedure to complete first.
Alright, I'll do that later :-).
2. Microsoft Office

In case you just want an Office suite, no matter whether it is Microsoft's, you can try some free alternatives:

I tried the first two above, and I like them very much. You can open Microsoft Office documents with them and Microsoft Office can open files created with them.

It's your decision. However, do not install anything yet.
Ah, I'll definitely give the alternative(s) a try. Ok, I won't be installing anything now.
3. Encrypted files

I asked you and I think you didn't reply about this. Are your documents encrypted? If yes, the usual reply is that they can't be decrypted now. But we will do some research on this at the end of the procedure.
A total of 4 or 5 documents were encrypted, out of which only one is important (meaning it has some personal information). The file is not needed for use anymore.
4. Corrupted files

We are going to check this after I review your fresh logs in a while.
Alright.

Thanks.
 
No result, so we are going with the good old method.

Run Deployment Image Servicing and Management (DISM)

  • Click on the Start button and in the search box, type Command Prompt
  • When you see Command Prompt on the list, right-click on it and select Run as administrator
  • Enter the command below and press Enter:
Code:
DISM /Online /Cleanup-Image /RestoreHealth
  • Let the scan run until the end (100%). Depending on your system, it can take some time.
  • Please post here the result you got (a screenshot).

When DISM finishes, you can then run SFC from the same command prompt window, but here are the full instructions as if starting fresh:
  • Click on the Start button and in the search box, type Command Prompt
  • When you see Command Prompt on the list, right-click on it and select Run as administrator
  • Enter the command below and press Enter:
Code:
sfc /scannow
  • Let the scan finish.
  • You will normally get one of the following results:
Code:
Windows Resource Protection did not find any integrity violations
Windows Resource Protection found corrupt files and successfully repaired them
Windows Resource Protection found corrupt files but was unable to fix some of them
Windows Resource Protection could not perform the requested operation
  • Please post the result you got (a screenshot).
 
Run Deployment Image Servicing and Management (DISM)
  • Click on the Start button and in the search box, type Command Prompt
  • When you see Command Prompt on the list, right-click on it and select Run as administrator
  • Enter the command below and press Enter:
Code:
DISM /Online /Cleanup-Image /RestoreHealth
I got this:

Error: 87

DISM doesn't recognize the command-line option "RestoreHealth".
For more information, refer to the help by running DISM.exe /?.

The DISM log file can be found at C:\Windows\Logs\DISM\dism.log

Edit: The scan is working now. I guess I must have made some errors while typing the command. Sorry.
 
Result:

Doubt: I ran DISM without using the internet. Should internet be used while running DISM?
 
Yes, please do the above actions again, with internet.

DISM first.

You can always use copy/paste functions instead of typing in the Command Prompt window.
 
Hi, Soor.

Let's try this:

Troubleshoot
  • Press Win + i on the keyboard to open Settings.
  • Choose Update & Security (Windows Update, recovery, backup).
  • Shift to the Troubleshoot option in the left pane.
  • Look for Windows Update under the title Additional Troubleshooters and select it in the right pane.
  • Click on the Run the troubleshooter button that appears.
  • Follow the on-screen instructions to complete the rest of the process.
  • Try to run the DISM command again and let me know the result.

If this doesn't work:
  • Click on the Start button and in the search box, type Command Prompt
  • When you see Command Prompt on the list, right-click on it and select Run as administrator
  • Enter the command below and press Enter:
    Code:
    Dism /Online /Cleanup-Image /StartComponentCleanup
  • Let the scan run.
  • After this, try the DISM command again and let me know the result.
 
Troubleshoot
I did that and started the DISM. It's been more than 30 minutes, but the process has not started yet. Shall I try the second method? Or shall I wait for some more time? If so, how long should I wait?
 
Wait another half an hour and let me know. No errors, right?
 
Wait another half an hour and let me know. No errors, right?
Ok, I'll wait for another half an hour.

There are no errors as of now.

Edit:
The troubleshooting process was slightly different from what you had mentioned above. The process I did:
1. In the Control Panel, clicked on Troubleshooting.
2. Selected "Fix problems with Windows Update" under "System and Security".
Two issues were fixed.
 
OK. Let's see how it goes. Hopefully it will get completed without errors.
 
Edit:
The troubleshooting process was slightly different from what you had mentioned above. The process I did:
1. In the Control Panel, clicked on Troubleshooting.
2. Selected "Fix problems with Windows Update" under "System and Security".
Two issues were fixed.

That's because you went via Control Panel and not via Settings.
 
Error again :(

That's because you went via Control Panel and not via Settings.
Yes, I could not find the troubleshooting option in Settings, so I used the other way.

By the way, I didn't reboot my laptop after the troubleshooting.
 

Has Sysnative Forums helped you? Please consider donating to help us support the site!