[SOLVED] Malware + CSI Payload corrupt

Soor (Well-known member, joined Dec 18, 2021, 50 posts)
Hi.

I have a Dell Inspiron 15 3542 laptop.

Yesterday, I downloaded, extracted and ran a crack software (MY FAULT), which brought a virus to my PC. Many unwanted applications were installed after that and slowed down the PC. So I tried sfc /scannow and got the message "Windows Resource Protection found corrupt files but was unable to fix some of them." Then I tried running DISM, but cancelled it as it did not start.

And I did a full scan overnight using Kaspersky AV. The reports showed me more virus files than I could find in the Quarantine.

I guess all the unwanted applications have stopped running as AV stopped them. But the files are still present in the system, which may be disinfected upon rebooting.

Kaspersky AV wants me to reboot PC but I am afraid to do so (fearing I may face OS failure since I don't have any backup :/).

The corrupt CSI Payloads:
amd64_cpu.inf_31bf3856ad364e35_6.3.9600.16384_none_4e08baa9c3582627\intelppm.sys

amd64_cpu.inf_31bf3856ad364e35_6.3.9600.19780_none_4e047cc1c35c024a\intelppm.sys

amd64_prncacla.inf_31bf3856ad364e35_6.3.9600.17415_none_95dd5540d57f8c01\Amd64\CNBJ2530.DPB

What can be done? Please help me!
 
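The three "corrupt CSI payload" paths quoted above are relative to the component store (WinSxS), and sfc writes the matching "[SR] Cannot repair member file" entries to CBS.log. The script below is an added example for this thread, not code from any post, from Sysnative, or from FRST: it parses those [SR] lines, maps each unrepairable member to its WinSxS payload directory, and reports size, timestamp and SHA256 so the files can be compared with the same payload on a healthy Windows 8.1 x64 machine. My assumptions: the log is at $env:windir\Logs\CBS\CBS.log, payloads live under $env:windir\WinSxS, and the [SR] line layout matches the constructed sample lines embedded in the block; the function names are my own. Run it from an elevated PowerShell prompt on the affected machine.

```powershell
# Added example for this thread (not part of any post, not a Sysnative or FRST tool).
# Assumptions of mine: CBS.log at $env:windir\Logs\CBS\CBS.log, CSI payloads under
# $env:windir\WinSxS, and the "[SR]" line format shown in the constructed sample below.

$WinSxS = Join-Path $env:windir 'WinSxS'
$CbsLog = Join-Path $env:windir 'Logs\CBS\CBS.log'

# Extract the members sfc could not repair. One object per "[SR] Cannot repair member file" line.
function Get-SfcUnrepairable {
    param([string[]]$Lines)
    $pattern = '\[SR\] Cannot repair member file \[l:\d+\{\d+\}\]"(?<file>[^"]+)" of (?<component>[^,]+), ' +
               'version (?<version>[\d.]+), arch (?<arch>\w+), \w+, pkt \{l:\d+ b:(?<pkt>[0-9a-f]+)\}'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                File      = $Matches.file       # e.g. intelppm.sys or Amd64\CNBJ2530.DPB
                Component = $Matches.component  # e.g. cpu.inf
                Version   = $Matches.version    # e.g. 6.3.9600.16384
                Arch      = $Matches.arch       # e.g. amd64
                Pkt       = $Matches.pkt        # public key token, e.g. 31bf3856ad364e35
            }
        }
    }
}

# WinSxS directory names are <arch>_<component>_<pkt>_<version>_<lang>_<hash>; glob the first five parts.
function Resolve-CsiPayload {
    param($Member)
    $glob = '{0}_{1}_{2}_{3}_*' -f $Member.Arch, $Member.Component, $Member.Pkt, $Member.Version
    Get-ChildItem -Path $WinSxS -Directory -Filter $glob -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName $Member.File }
}

# Report on one payload, given either an absolute path or a path relative to WinSxS (as quoted in the thread).
function Get-CsiPayloadInfo {
    param([string]$Path)
    $full = if ([System.IO.Path]::IsPathRooted($Path)) { $Path } else { Join-Path $WinSxS $Path }
    if (-not (Test-Path -LiteralPath $full)) {
        return [pscustomobject]@{ Path = $full; Exists = $false; Size = $null; LastWriteUtc = $null; SHA256 = $null }
    }
    $item = Get-Item -LiteralPath $full
    [pscustomobject]@{
        Path         = $full
        Exists       = $true
        Size         = $item.Length
        LastWriteUtc = $item.LastWriteTimeUtc
        SHA256       = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash
    }
}

# Constructed sample lines in CBS.log's [SR] format, mirroring the three payloads quoted in the thread.
# They are used only when CBS.log is not present (e.g. when trying the script on another machine).
$sample = @(
  '2021-12-19 02:10:11, Info  CSI  000001a3 [SR] Cannot repair member file [l:24{12}]"intelppm.sys" of cpu.inf, version 6.3.9600.16384, arch amd64, nonSxS, pkt {l:8 b:31bf3856ad364e35}',
  '2021-12-19 02:10:11, Info  CSI  000001a4 [SR] Cannot repair member file [l:24{12}]"intelppm.sys" of cpu.inf, version 6.3.9600.19780, arch amd64, nonSxS, pkt {l:8 b:31bf3856ad364e35}',
  '2021-12-19 02:10:12, Info  CSI  000001a5 [SR] Cannot repair member file [l:36{18}]"Amd64\CNBJ2530.DPB" of prncacla.inf, version 6.3.9600.17415, arch amd64, nonSxS, pkt {l:8 b:31bf3856ad364e35}',
  '2021-12-19 02:10:13, Info  CSI  000001a6 [SR] Verify complete'
)

# Only the [SR] lines matter; CBS.log can be hundreds of MB, so filter before parsing.
$lines = if (Test-Path -LiteralPath $CbsLog) {
    Select-String -Path $CbsLog -Pattern '[SR]' -SimpleMatch | ForEach-Object Line
} else { $sample }

Get-SfcUnrepairable -Lines $lines |
    ForEach-Object { Resolve-CsiPayload $_ } |
    ForEach-Object { Get-CsiPayloadInfo $_ } |
    Format-Table -AutoSize
```

Run the same script on the healthy Windows 8.1 x64 computer the thread later asks for and compare the SHA256 column per path: a differing hash at the same component version is exactly the mismatch sfc reports, while a missing directory means that update level is simply not installed there. The script only reads and hashes; it changes nothing, so it does not conflict with the helper's rule of running no tools without being asked, but that rule still applies to the thread's own procedure.
 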
Since the computer got infected, it must be checked for malware first, and then the corruptions can be fixed.
 
Hi, Soor.

I see that the topic has been moved to Security Arena.

So, let's make it official. :-)
Welcome to Sysnative Forums.


I will be assisting you regarding your computer's issues. Here, we will check your computer for malware.

Please adhere to the guidelines below, and then carefully follow, in the same order, all the instructions that come after:

1. Always ask before acting. Do not continue if you are not sure, or if something unexpected happens!

2. Do not run any tools unless instructed to do so. Also, do not uninstall or install any software during the procedure, unless I ask you to do so.

3. If your computer seems to start working normally, don't abandon the topic. Even if your system is behaving normally, there may still be some malware remnants left over. Additionally, malware can re-infect the computer if some remnants are left. Therefore, please complete all requested steps to make sure any malware is successfully eradicated from your PC.

4. You have to reply to my posts within 3 days. If you need some additional time, just let me know. Otherwise, I will leave the topic due to lack of feedback. If you are able, I would request you to check this thread at least once per day so that we can resolve your issues effectively and efficiently.

5. Logs from malware diagnostic or removal programs can take some time to get analyzed. Also, have in mind that all the experts here are volunteers and may not be available to assist when you post. Please, be patient, while I analyze your logs.


==========================

Download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your antivirus software detects the tool as malicious, it’s safe to allow FRST to run. It is a false-positive detection.

If English is not your primary language, right click on FRST.exe/FRST64.exe and rename to FRSTEnglish.exe/FRST64English.exe

  • Double-click the FRST icon to run the tool. When the tool opens click Yes to disclaimer.
  • Press Scan button and wait for a while.
  • The scanner will produce two logs on your Desktop: FRST.txt and Addition.txt.
  • Please attach the content of these two logs in your next reply.
 
Thanks for your reply.

Currently there are no issues in AV except the AV asking for a reboot. When I viewed the scan report, it says either "Disinfection not possible" or "Malicious object detected". The reason being "Postponed" or "Expert analysis/Machine learning" respectively.

But when I viewed the quarantine, it shows status as "Deleted/Will be disinfected after restart".

Also, 3 virus files, which are in the system memory, are not present in the quarantine.

What to do?

Thanks again.

Edit: I have not turned on the internet since I started the full scan yesterday. When the internet was turned on during the time of attack, I was getting constant "Access denied" notifications by Kaspersky AV.
 
What to do?

The logs I asked you to attach will give us information about what is happening in the computer: whether the infection is really gone, whether there are malicious remnants, and whether a further check is needed.

I have to see them before I can give you any recommendation. Feel free to run the FRST tool and let me review the logs for you.
 
I got "The stub received bad data" during the first try. But FRST managed to open during the second try.

Attaching the logs:

Edit: Are logs not being attached or are they invisible to me?
 
It seems that they are not attached.
 
Logs

Edit: Facing same problem again. Will try reattaching once more. Sorry.
 
OK. Let me know when you are ready.
 
Thank you.

It seems that the computer is infected.

Please give me a couple of hours to review the logs and provide my first comments/instructions.
 
Hi, Soor.

Please do the following:

1. Find some necessary stuff
  1. An empty USB flash drive
  2. A healthy computer (either yours or a friend's)

2. Protect the healthy computer and download FRST on the USB drive

Using the healthy computer:


2.1. As a layer of protection, to ensure autorun is blocked on the flash drive, install on the healthy computer dr_Bora's program, MCShield::Anti-Malware Tool::. This tool is a resident drive detector and scanner, meant not just to block the autorun.inf, but also to clean the malicious files from the drive.
  • Download it from here: MCShield
  • Save it on your Desktop.
  • Double click the MCShield-Setup.exe on your desktop, and follow the instructions until it gets installed (Yes, Next, I agree, Next, Install).
  • Click on Run to let it run.
  • Go to the General tab in the menu at the left and tick the option Always show the log file in case of infection.
  • OK and close the window.
2.2. Download the right version of FRST for your system, and save it on your USB drive.
Note: If you don't know which one to download, download and save both on your USB drive. Only the right version will run on your system, the other will throw an error message. The one that works is the one you should be using from now on.


3. Enter System Recovery Options from the Advanced Boot Options

Using the infected computer:
  • Start by shutting down your computer.
  • Press on the power button on the case to turn it on.
  • After the computer is about 3 - 5 seconds into the boot-up process, hold down the power button to shut down the computer.
  • Repeat the above process once again.
  • For the third time, turn on the computer and allow it to boot up.
  • If you completed the process correctly, a message saying Preparing Automatic Repair should appear.
  • In a few seconds, another message will appear stating Diagnosing your PC and Automatic Repair will open.
  • When you reach the Automatic Repair screen, click on Advanced Options.
  • At the next screen, select Troubleshoot.
  • When you see the next screen, select Advanced Options.
  • You will get the following options:
    • Startup Repair
    • Startup Settings
    • Command Prompt
    • Uninstall Updates
    • System Restore
    • System Image Recovery
  • Select Command Prompt.

Run FRST from the Command Prompt
  1. In the black window that will open, called command prompt, type notepad and press on Enter.
  2. Notepad will open. Click on the File menu and select Open.
  3. Click on Computer, find the letter for your USB Flash Drive, then close the window and Notepad.
  4. In the command prompt, type e:\frst.exe (for the x64 version, type e:\frst64.exe) and press on Enter. As I told you before, run both of them if you are unsure about the architecture (x32 or x64) of your computer. Only the right one will run. IMPORTANT: Replace the letter e with the drive letter of your USB Flash Drive.
  5. FRST will open.
  6. Click on Yes to accept the disclaimer.
  7. Click on the Scan button and wait for the scan to complete.
  8. A log called FRST.txt will be saved on your USB Flash Drive.

4. Provide the FRST.txt

Using the healthy computer:

Insert the USB drive, open the FRST.txt, copy its content and paste it here, in your next reply.


P.S. The reason I asked you to find a healthy computer is to make sure that the USB stick with the FRST in it won't be infected. If there is no way to find a healthy computer, then do step 2 above using your computer.
 
Steps 1 and 2 are done. I am hesitant to proceed to the 3rd step. What if Windows doesn't start up normally after doing all these?

Should I buy an external Hard drive and backup the needed files from my laptop and scan the external hard drive for viruses using the healthy computer? I am asking this because my laptop has only one partition (C drive) which consists of the OS and all the data.
 
I am hesitant to proceed to the 3rd step. What if Windows doesn't start up normally after doing all these?

There is always a possibility that something will go wrong, and it's good to back up your important data first.

However, I don't think that running FRST in Recovery Environment will make the PC un-bootable.
 
There is always a possibility that something will go wrong, and it's good to back up your important data first.

However, I don't think that running FRST in Recovery Environment will make the PC un-bootable.
May I know what I can do now? Should I back up first before proceeding? If so, I have to place an order for an external hard drive, and we have to wait till then.

Also, is backing up data from the infected PC and scanning it for viruses using the healthy PC a good idea?

Thank you for your prompt replies :)
 
Also, is backing up data from the infected PC and scanning it for viruses using the healthy PC a good idea?

Backup is always a good idea. :-)

Backup from a rootkit-infected computer is not always a good idea. But in case something goes wrong, it can save you.

Personally, I would run FRST from Recovery Environment.

But if you hesitate to do that, it's fine with me. I recommend you not to use the computer in the meanwhile.
 
Sure.

Let me know when you are ready.
 
I'm not ready yet. Please do give me some more time (day/days). I'll tell you when I'm ready.

By the way, my laptop has original OS (Windows 8.1). I don't know whether this information will be of use to you, but I thought of saying it to you.

Thank you.
 
Yes, I do know that the computer is running Windows 8.1, and it's important information.

Just let me know when you are going to be ready. I will be here. :-)
 
