Virus not being found

I'm not sure. I know there is a virus on my machine that keeps opening 32-bit applications; it's a 64-bit Windows 10 machine. I cannot locate what's been installed. I'll notice in my Task Manager there are several 32-bit applications that are already running in 64-bit. Really hard to explain. When not in safe mode, my network changes my browsers to not allow pages, or enables a proxy server. All the adware scanners and services cannot find the actual virus. So I don't even know what virus it is.

I also know it's a deeply embedded issue, because 1st thing after installing a clean install of Windows, it's loading right back to my machine. I've installed Windows 5 times on this, and every install gets immediately infected. I don't even know what page the virus was downloaded from. My system has 1 HDD and 1 mSATA. I've deleted all the partitions and installed Windows clean (2 times with no network enabled, and was able to determine it was coming from OneDrive). Yet I've deleted everything in OneDrive, but it's coming back. I'm ready to pull my hair out on this LT.

Can you uninstall Spybot S&D? https://www.safer-networking.org/faq/how-to-uninstall-2/

Reboot when complete, then run FRST again with the following settings:

Run FRST one more time. Ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan". Select Scan; when done, post the new logs, "FRST.txt" and "Addition.txt".

Thanks for those logs, continue:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.

Next,

Open Malwarebytes Anti-Malware.
 
  • On the Settings tab > Protection, scroll to and make sure the following are selected:
    Scan for Rootkits
    Scan within Archives
     
  • Scroll further to Potential Threat Protection and make sure the following are set as follows:
    Potentially Unwanted Programs (PUPs) set as: Always detect PUPs (recommended)
    Potentially Unwanted Modifications (PUMs) set as: Always detect PUMs (recommended)
     
  • Click on Scan and make sure Threat Scan is selected,
  • A Threat Scan will begin.
  • When the scan is complete if anything is found make sure that the first checkbox at the top is checked (that will automatically check all detected items), then click on the Quarantine Selected Tab
  • If asked to restart your computer to complete the removal, please do so
  • When complete click on Export Summary after deletion (bottom-left corner) and select Copy to Clipboard.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more to retrieve the log.


To get the log from Malwarebytes do the following:
 
  • Click on the Reports tab > from main interface.
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:
    Copy to Clipboard - if selected, right click to your reply and select "Paste"; the log will be pasted to your reply
    Text file (*.txt) - if selected, you will have to name the file and save it to a place of choice, recommend "Desktop", then attach to reply

     
  • Use "Copy to Clipboard", then right click to your reply > select "Paste"; that will copy the log to your reply…


Next,

Download AdwCleaner by Malwarebytes onto your Desktop.

Or from this Mirror
 
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all the active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply


Next,

Download Sophos Free Virus Removal Tool and save it to your desktop.

If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....

Please Do Not use your PC whilst the scan is in progress.... This scan is very thorough so may take several hours...
 
  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found please confirm that result....



The Virus Removal Tool scans the following areas of your computer:
  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable
  • Mapped network drives are not scanned.


Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

Saved logs are found here: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs

Let me see those logs in your reply, also tell me if there are any remaining issues or concerns...

One other point, 32 bit software does run on 64 bit systems...

Thanks,

Kevin

fixlist.txt

I have completed the above steps in order; attached are the logs. As for the 32-bit issue, I only mentioned it because there was a 64-bit of the same application running side by side with the original installed application. Like my audio driver: in the Task Manager it would show my IDT audio, but it would also show the same icon and program name with (32 bit) after it.

AdwCleanerscan.txt

Fixlog.txt

SophosHomeClean_20180321_1829.log

It's working a little better, but there are still some concerns: the spyware program keeps finding a cookie in a file that seems to be hidden. Path: C:\Users\Dell-PC\AppData\Local\Microsoft\Windows\NetCookies.

There is no NetCookies in that folder (AppData is a hidden folder), so I know I have hidden folders showing.

As for everything else, it seems to be stable for the most part, but not running completely back to normal. There are still a lot of double processes in my Task Manager; one is usually normal, the 2nd shows up as (32 Bit). I've taken some screenshots for you.

Also, HitmanPro is not showing up in my installed programs.

 

Image 1.jpg

Image 2.jpg

Run FRST one more time. Ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan". Select Scan; when done, post the new logs, "FRST.txt" and "Addition.txt".


I asked that you run Sophos Virus Removal Tool in reply #10; you posted a log from Sophos Home Clean, that is a different program...?

Download Sophos Free Virus Removal Tool and save it to your desktop.

If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....

Please Do Not use your PC whilst the scan is in progress.... This scan is very thorough so may take several hours...
 
  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found please confirm that result....



The Virus Removal Tool scans the following areas of your computer:
  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable
  • Mapped network drives are not scanned.



Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

Thank you,

Kevin
Saved logs are found here: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs

Thank you so much for all of your help!

Okay, it ran and did not find any issues, but it provided 2 logs; I have attached both. But what is happening now is, in the Startup of Task Manager, I may have finally found what the virus is. There is a CONHOST.exe in my "Startup" for my touchpad; I've also included a screenshot of that.

SophosVirusRemovalTool.log

SophosVirusRemovalTool_cloud4.log

Image 3.jpg

I would expect Conhost to be legitimate. Can you open Task Manager again, right click on the Conhost entry and select "Open File Location". When that location opens, right click again on Conhost and select "Properties". In the new window select "Digital Signatures".

Let me know the location and the name of the Signer for Conhost.

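The location and signer check requested in the reply above can also be scripted. The following PowerShell is an added example, not part of the original thread or written by its participants; it assumes Windows PowerShell 5.1 or later on the Windows 10 machine, run from an elevated prompt.

```powershell
# Added example: report where conhost.exe is started from and who signed it.
# Assumes Windows PowerShell 5.1+ on Windows 10, run elevated so that the
# image paths of processes owned by other accounts are readable.

# The location a genuine copy is expected in.
$expected = Join-Path $env:SystemRoot 'System32\conhost.exe'

# 1. Startup entries (Run keys and Startup folders) that mention conhost.
#    The full command line shows what conhost is being asked to start.
$startup = Get-CimInstance -ClassName Win32_StartupCommand |
    Where-Object { $_.Command -match 'conhost' } |
    Select-Object Name, Command, Location, User

# 2. Every distinct on-disk image behind a running conhost process.
$paths = Get-Process -Name conhost -ErrorAction SilentlyContinue |
    Where-Object { $_.Path } |
    Select-Object -ExpandProperty Path -Unique

# 3. Location and signature details for each image. Get-AuthenticodeSignature
#    also reports catalog signatures, which the file's Properties dialog
#    does not always show.
$report = foreach ($path in $paths) {
    $sig = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        Path          = $path
        InSystem32    = ($path -ieq $expected)
        Status        = $sig.Status
        SignatureType = $sig.SignatureType
        IsOSBinary    = $sig.IsOSBinary
        Signer        = if ($sig.SignerCertificate) {
                            $sig.SignerCertificate.Subject
                        } else {
                            '<none>'
                        }
    }
}

$startup | Format-List
$report  | Format-List
```

A path outside System32, a Status other than Valid, or a signer other than Microsoft are the results worth posting back to the helper along with the startup command line.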
