**Noob with BIG problems!!** Virus keeps reinstalling after CLEAN INSTALL


Hi Txman700.

I will be helping and guiding you, going forward.

Thank you for the FRST reports and for the Malwarebytes scan report.
Malwarebytes reports no malware, no PUP.

What do you see on your machine that you describe as "virus"? What is going on exactly? Where is it? How do you see "it"? "Where" do you see "it"?
Does it involve a web browser?

See this Malwarebytes article that describes different types of malware.
Be sure to focus on the section "What are the most common forms of malware"
https://www.malwarebytes.com/malware/

By the way, this PC has Avast Free Antivirus. What has Avast antivirus found or reported?

Also, what "clean install" are you referring to in your original post?

 

Windows 10 comes pre-built with the Microsoft Windows Defender, which is an excellent and powerful antivirus.
It looks as if you just very recently installed Avast.

That had the effect of disabling Windows Defender antivirus.


Hello Maurice,

 

Thank you in advance for your help. My computer wouldn't boot to Windows so I tried to restore it but it said my drive was locked, tried repairing it, that didn't work, so I had to do a clean install. However after that I'm noticing the same things that I did before....unknown users, etc. FRST gave me an error when I ran it. I'll attach some screenshots and see if that helps. My computer's OS shows to be Win 8 on the MB scan. Chrome is acting weird, such as when I go to virustotal to analyze a file, it will analyze but will show the files as "undetected" instead of the default of virustotal. My computer is attached to a domain now, with Workgroup being the domain instead of Homegroup. Remote desktop was activated through advanced settings.....Credentials were added with username and password without my knowledge along with a public desktop. One of the unknown users starts with S-1-15 or something along those lines. Shows I'm connected to an unknown network. It has two keyboards installed in the device manager. PowerShell shows to be using 1.0 spoofed as a more current version. I'll attach some screenshots and a new FRST and Hitman log. Sorry I know my thoughts are kind of all over the place! This is driving me crazy!

 

Thank you again! Your dedication is above reproach and truly appreciated! Thank you for what you do!

 

Ryan

 


FRST.txt Addition.txt HitmanPro_20190602_2030.log


Hi,
Please start by applying the tips on post # 1 of this pinned topic
https://forums.malwarebytes.com/topic/247398-prevent-a-worm-by-updating-remote-desktop-services/?tab=comments#comment-1312776

 

[ 2 ]

Please read all of these lines first so that it is all clear to you about our plan. I need a one time run of MBAR like listed here, please.
Please download Malwarebytes Anti-Rootkit (MBAR) from this link
and save it to your desktop.

 

Double click on the MBAR file and allow it to run.

• Click OK on the next screen, to allow the package to extract the contents of the file to its own folder named mbar.

• mbar.exe will launch automatically. On some systems, this may take a few extra seconds. Please be patient and wait for the program to open.

• After reading the Introduction, click 'Next' if you agree.

• On the Update Database screen, click on the 'Update' button.

• Once you see 'Success: Database was successfully updated' click on 'Next', then click the Scan button.

With some infections, you may see two message boxes:

1. 'Could not load protection driver'. Click 'OK'.
2. 'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.

• If malware is found, press the Cleanup button when the scan completes.

 

Please also attach these logs, which are located in the mbar folder on your desktop where the tool extracted itself to.

mbar-log-2019-06-03 or 06-04 (xx-xx-xx).txt (where xx-xx(xx-xx-xx) is the date and time of the scan)
+ also
system-log.txt


Hi,

I understand that you have been busy with normal, daily responsibilities & work.

Thanks for relaying the reports from the special Anti-rootkit tool.

There are no rootkits or infection here.

What we can do is a new scan with Malwarebytes for Windows, for an additional check.

Run a scan with Malwarebytes.
Start Malwarebytes from the Start menu.

Click Settings. Then click the Protection tab.
Scroll down and let's be sure the line in SCAN OPTIONS for "Scan for rootkits" is ON
Click it to get it ON


Click the SCAN button.
Select a Threat Scan (which should be the default).

When the scan phase is done, be real sure you Review and have all detected lines, IF it tags any items, check-marked on each line on the left. That too is very critical.

Then click on Quarantine selected.

 

Be sure all items were removed (if any are tagged).

I just want to see what this new Malwarebytes scan reports.

Thank you.


Hello Ryan,

The FRST reports you had provided listed as installed Malwarebytes version 3.7.1.2839

 

You can use the Windows 10 File Explorer to go to the folder C:\Program Files\Malwarebytes\Anti-Malware

and then double click on MBAM.exe to start Malwarebytes.


Hey Maurice, 

 

Yes sir, I do have it installed and I am updated and I will run a scan as soon as I post this. One thing that is weird on the scans I have run before is that it shows my OS as Win 8...I'll see if it does this time and post the results. Thank you for your patience!


The Scan result is perfectly fine. There is no PUP / there is no malware. All good.

As to the reporting of the Windows version, I will pass that on to the Malwarebytes team. That has no effect as to the reported result.

 

Suggestion:

F-Secure Online Scanner is a free scanner tool by F-Secure.
F-Secure Online Scanner searches for and can remove harmful items, viruses, spyware.
Please run the F-Secure Online Scanner

Press the "Run now" button

Press the Save button to save the tool to your system.

Next, go to the Downloads folder where the tool was saved.
Double click F-SecureOnlineScanner.exe to start the tool.


Accept the License Agreement.  Press the "Accept and scan" button.
Press the YES button when prompted by the Windows user account control prompt.

You will then see a scan progress screen displayed.
The scan will take some time to finish, so please be patient.

When completed, watch to see what the "Scanning complete" screen shows.
{ You can ignore the offer for a trial of F-Secure Safe. }

When the scan completes, and it shows your pc is not safe & shows the F-secure Safe box-logo, you can click the X icon at the far top right to Close the screen.

Let me know what the results of the scan were.


Let's scratch the idea of using the F-Secure scanner. Go ahead and delete the F-Secure download file.
Let's use another tool from Microsoft.


The Microsoft Safety Scanner is a free stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system.
The download links & the how-to-run-the-tool instructions are at this link at Microsoft
https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download


This screen is quite similar to what you saw before. I would try one time to click on Install anyway. And proceed forward hopefully.

 

IF that does not work, Dismiss that box.

See if you can Restart Windows 10 into "Safe mode WITH Networking" & once in there go back and retry the Microsoft Safety Scanner.

You can temporarily (just only for limited purpose) put the system into Safe Mode with Networking,
which would hopefully allow means of doing some diagnostic reports (later).

Let us see if you could simply just get this machine into SAFE Mode or Safe mode With NETWORKING just so we could look around. That would be strictly temporary.
*Do unplug all devices from your computer, including: Printers, scanners, copiers, external attached devices, etc.*
*The only devices you should leave attached to your computer are your monitor, mouse and keyboard, if the computer is a desktop.*
*And if this PC is a laptop or notebook be sure it is directly connected to Power with power cord.*

Turn off your pc. Wait about a minute.
Restart your pc. And right away, tap & retap the F8 Function-key on your keyboard.
You should see Windows Advanced Options menu.
Select Safe Mode with Networking

NOTE: if the F8 function key-method did not prove usable, some systems may use F5 instead.
And on some systems you may need to press the F2 function key to get hardware boot options.

 

Edited by Maurice Naggar