
Re-occurring virus... Even after a format.


hoduken


I'm using Windows 10.

I got a virus last week. Really nasty. It deleted Malwarebytes & Avast, prevented me from copying files, added an administrator account, prevented me from accessing certain websites, etc, etc.
Chameleon wouldn't run, any programs that might have gotten rid of it were deleted. USB drive with any relevant files resulted in a USB drive that wouldn't show up in explorer.

I decided I wasn't going to deal with it so I formatted. Two days later, got it again.

I installed a fresh Windows 10 (legal), Steam, Dropbox, Malwarebytes, and Google Drive. Nothing else.

I haven't used the USB drive again, I haven't done anything but access websites I usually access... nothing shady. After the fresh install I ran a full scan from the paid version of Malwarebytes. Everything came up clean. Downloaded the paid version of Bitdefender, full scanned the whole computer. Everything clean.

Virus comes back during a copy of old files from D drive. All the same symptoms, all antivirus is deleted, etc, etc.

I reformat, do it all again. Virus comes back and I'm able to confirm how to reproduce it.

I've found that I can reproduce my machine becoming unusable by copying files from one hard drive to the other. It will freeze on a random file. Canceling just freezes up Explorer, then everything flickers and stops running until a restart happens. Upon restarting, Windows shows no icons, all antivirus is uninstalled (this time both Malwarebytes & Bitdefender), and I'm unable to use my computer until a couple more restarts. Eventually, I can get into Windows and I am no longer the administrator. A new account is on my computer and all antivirus is gone and unreachable.

Any advice on how to clean infected files would be nice. Otherwise I guess I have to just format everything, even stuff that wasn't on C:. This would result in data loss of both backups and current files. Nothing is encrypted, but I cannot copy it without windows exploding. Anti virus, anti malware all comes up negative.  

Thoughts? 

Addition.txt

FRST.txt


UPDATE: I'm thinking my files might be slowly being encrypted. I've run CryptoLocker Scan Tool, it says that many files may be encrypted. If run, or copied, these files seem to reinstall whatever the virus is and the encryption process starts again. I'm reading about ransomware and people are saying that it isn't supposed to self-replicate like that... Just letting everyone know my observations.

I hope I'm wrong. I hope that the "may be encrypted" is a false positive. But anytime a file is copied, my computer freezes, and all antivirus is deleted. Nothing is ever detected as a virus beforehand.

What am I missing?


Hello hoduken and welcome to Malwarebytes,

Download and install McShield from here: http://mcshield.net/. It is a free-to-use tool that will run in the background and help to stop cross infection from USB devices, hard drives, etc...

Next,

Can you tell me if this program is known to you and trusted: GoTo Opener

Next,

Open Malwarebytes, from the main interface select > Scan > Custom Scan > Configure Scan > Ensure the following are all Checkmarked :-
 
  • Scan Memory
  • Scan Startup and Registry Settings
  • Scan within Archive
  • Scan for Rootkits


Also ensure all Hard Drives are selected...

When all of those settings are checkmarked, select the "Scan Now" option....

Make sure any found entries are quarantined, also reboot if prompted...

To get the log from Malwarebytes do the following:
 
  • Click on the Reports tab > from main interface.
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:
    Copy to Clipboard - if selected, right click to your reply and select "Paste"; the log will be pasted to your reply
    Text file (*.txt) - if selected, you will have to name the file and save to a place of choice, recommend "Desktop", then attach to reply
     
  • Use "Copy to Clipboard", then right click to your reply > select "Paste"; that will copy the log to your reply…


Next,

Download Sophos Free Virus Removal Tool and save it to your desktop.

If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....

Please Do Not use your PC whilst the scan is in progress.... This scan is very thorough so may take several hours...
 
  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found please confirm that result....



The Virus Removal Tool scans the following areas of your computer:
  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable
  • Mapped network drives are not scanned.


Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

Saved logs are found here: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs

Thank you,

Kevin

Thanks for the reply.

I've followed your instructions. Goto Opener is gotomypc. It's legit.

I formatted again. Fresh install. All drives formatted. On first boot explorer is redirecting to malicious sites and crashes over and over. Anti virus didn't catch any issues. I can attach the files if you'd like. 

McShield does detect one of my USB sticks has a virus. Though, after the message comes up it says it's clean... it's not though. The message that it's infected comes up every time I plug it in. No antivirus detects anything on it. Not sure how I can clean it if McShield, Bitdefender, and Malwarebytes don't see anything.

Any thoughts? 


What are you using to install Windows? Installation DVD or USB?

You mention all drives have been formatted, so before you make a fresh install are all of these drives clear...?

Drive c: () (Fixed) (Total:222.97 GB) (Free:181.2 GB) NTFS
Drive d: (Storage & Games) (Fixed) (Total:3725.9 GB) (Free:2314.12 GB) NTFS
Drive e: (Dropbox & Google Drive) (Fixed) (Total:3725.9 GB) (Free:3396.4 GB) NTFS
Drive g: (ESD-USB) (Removable) (Total:7.45 GB) (Free:3.35 GB) FAT32 <-------- Is that usb used to reinstall windows...?
Drive m: (Unused) (Fixed) (Total:3725.83 GB) (Free:3654.53 GB) NTFS

Can you disconnect all Hard Drives except for C:\ with windows installed......

Next,

Download Dr Web Cureit from here http://www.freedrweb.com/cureit save to your desktop. (Scroll to bottom of page)
 
  • The file will be randomly named
  • Reboot to safe mode <<<<<------------ http://www.computerhope.com/issues/chsafe.htm
  • Run Dr Web
  • Tick the I agree box and select continue
  • Click select objects for scanning
  • Tick all boxes as shown
  • Click the wrench and select automatically apply actions to threats

  • Press start scan
  • The scan will now commence

  • Once the scan has finished click open report <<<--- Do not miss this step

  • A notepad will open
  • Select File > Save as..
  • Save it to your desktop



This log will be excessive, Please attach it to your next reply…

Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST, either accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status...
 
  • Double-click to run it. When the tool opens click Yes to disclaimer. (Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach that log to your reply.

Attach log from DrWeb and both logs from FRST...

Thanks,

Kevin...

 


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!
