
Only Defender full scan finds these trojans



I believe I'm running both Windows Defender and Malwarebytes side-by-side as routine scans, as I get regular notifications from both of them, BUT -

Sometimes when I run a Defender full scan it comes up with "severe" trojans that have not been identified by the routine scans of either anti-virus - please see attached screen-shot.

Could someone explain what I may be doing wrong please.

VirusByDefender19jun2020.jpg


Hello Steve.
My name is Maurice. I will be helping and guiding you, going forward on this case.
Let me know what first name you prefer to go by.

Please follow my directions as we go along. Please do not do any changes on your own without first checking with me.
If you will be away for more than 3 consecutive days, do try to let me know ahead of time, as much as possible.

Please only just attach all report files, etc. that I ask for as we go along.

 

Windows Defender & Malwarebytes for Windows each have different designs and their own detection engines.

Windows Defender can monitor file types that are not scanned by Malwarebytes.


I would appreciate getting some key details from this machine in order to help you going forward.
NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer; please allow the programs to run if blocked by your system.

Do have patience while the report tool runs.  It may take several minutes.  Just let it run & take its time.  You may want to close your other open windows so that there is a clear field of view.
Download Malwarebytes Support Tool
    
    


    Once the file is downloaded, open your Downloads folder/location of the downloaded file
    Double-click mb-support-1.6.1.784.exe  to run the report

Once it starts, you will see a first screen with 2 buttons.  Click the one on the left marked "I don't have an open support ticket".

        You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
        
    Place a checkmark next to Accept License Agreement and click Next
Now click the left-hand side pane "I do not have an open support ticket"

    You will be presented with a page stating, "Get Started!"
    Do NOT use the button “Start repair” !   But look instead at the far-left options list in black.

    Click the Advanced tab on the left column
    
    Click the Gather Logs button
    
    A progress bar will appear and the program will proceed with getting logs from your computer.  Please do have patience.  It takes several minutes to gather.
   
    Upon completion, a file named mbst-grab-results.zip will be saved to your Desktop. Click OK. Then Exit the tool.

    Please attach the ZIP file in your next reply.

Please know I help here as a volunteer and that I am not on 24 x 7.
Help on this forum is one to one. Again, please be sure to ONLY attach report files with your reply(s) as we go along. Do not do a copy / paste into the main body.
Thank you,
Sincerely.
 


Hi Steve.   Thanks for the report.   You certainly are welcome to reply when you are ready.

The report shows that the pc has the latest Malwarebytes for Windows, with Component package 1.0.955

I am happy to see it is up to date.

We can do different sets of scans with different tools to check the system.   We will just take our time in doing so.

The last 2 scans with Malwarebytes for Windows are good.


Let us start with another tool to check for adwares.

I would suggest you download, save, and then run Malwarebytes ADWCLEANER.
Please close Chrome and all other open web browsers after you have saved AdwCleaner and before you start the AdwCleaner scan.
AdwCleaner detects factory preinstalled applications too!

Please download  Malwarebytes AdwCleaner  https://downloads.malwarebytes.com/file/adwcleaner
 
Be sure to Save the file first, to your system.  Saving to the Downloads folder should be the default on your system.

Go to the folder where you saved Adwcleaner. Double click Adwcleaner  to start it.
At the prompt for license agreement, review and then click on I agree.

You will then see a main screen for AdwCleaner. (If you do not see it right away, minimize the other open windows, so you can see AdwCleaner.)
Then click on the Dashboard button.
Click the blue button "Scan Now".

Allow it a few minutes to finish the scan. Let it remove what it finds.
NOTE: When it comes to the section "Pre-installed applications", you can skip that.
Please find and send the AdwCleaner "C" clean report.
In AdwCleaner, click the "Reports" button. Look at the list of reports for the latest date & type "Clean".
Double-click that line & it will open in Notepad. Save the file to your system and then attach that with your reply.

That C clean report will be the one with the most recent Date and time at folder  C:\AdwCleaner\Logs
Thanks.  Keep me advised.   We will do more later.
 

 


Hi Maurice - I've run AdwCleaner, but didn't get what I expected from your description.

After the scan it only offered to quarantine some preinstalled software, so I "Cancelled" on this, then went to "log files" (not "reports") where I only found a "scan" type file, that I saved and have attached, but which seems to say that nothing suspicious was found.

Regards, Steve

AdwCleaner[S00].txt


You did fine.   Thanks for the Adwcleaner report.

Now we move on to other scans.   Different tools.

 

Windows Defender can be run from an elevated Command Prompt. Just remember this here is customized.

 

On the Windows taskbar ,  on the Windows search box,  type in

cmd.exe


and then look at the entire list of choices, and click on Run as Administrator.

 

It is best to  use COPY & Paste for the following.

At the Command prompt either type or copy/paste the following commands, tap  Enter-key after the command:

 

"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Scan -ScanType 1

then tap the Enter-key to get that going.

 

You will see this as initial on-screen display

Scan starting ...

 

Have patience during the run.   Wait for this display

Scan finished.

Then look for the bottom line result.   Jot that down for your records.

When all done, you can Close the command-prompt window.


Per the screen image capture, it did run the scan. It just did not "show" any verbiage about the result.

 

First, set Windows File Explorer to show ALL folders & files & hidden items

Do not let the details or number of lines below spook you, please. It is all do-able and needed.
Just take your time.
 

Windows File Explorer needs to be  set to show ALL  folders, all system files,  etc  including hidden files / folders 

Open Windows File Explorer. 

  • Select View   from its top menu bar  >   click Options  on the icon at the far right-side > Change folder and search options   ( from the drop down ). 

  • on the next multi-tab mini-window 

  • Select the View tab and, in Advanced settings,  

  • select Show hidden files, folders, and drives  

  • and OK. 

 

 

We should be able to find the run log for Windows Defender.

The log will be found at
C:\Users\steph\AppData\Local\Temp\MpCmdRun.log

 

 

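As an added example that is not part of Maurice's or Steve's posts, the PowerShell script below automates the two steps just described: it runs MpCmdRun.exe with a chosen scan type, prints the tail of MpCmdRun.log from the same %LOCALAPPDATA%\Temp location the post points at, and then lists Windows Defender's own detection history. One caveat a practitioner would want here: MpCmdRun's -ScanType 1 is a quick scan and -ScanType 2 is a full scan, so the command quoted above reproduces the routine quick scan rather than the full scan that surfaced the "severe" trojans in the opening post. The Get-Mp* cmdlets are part of the Defender module that ships with Windows 10; the script must run from an elevated PowerShell, and the helper names Invoke-DefenderScan and Show-DefenderHistory are my own, not Microsoft's.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original thread. Assumes Windows 10 with the built-in
# Defender PowerShell module (Get-MpComputerStatus, Get-MpThreat, Get-MpThreatDetection)
# and MpCmdRun.exe under %ProgramFiles%\Windows Defender.

function Invoke-DefenderScan {
    # ScanType codes understood by MpCmdRun.exe -Scan: 1 = quick scan, 2 = full scan.
    param([ValidateSet('Quick', 'Full')][string]$ScanType = 'Quick')

    $mpcmd = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
    if (-not (Test-Path $mpcmd)) { throw "MpCmdRun.exe not found at $mpcmd" }

    $code    = @{ Quick = 1; Full = 2 }[$ScanType]
    $started = Get-Date
    & $mpcmd -Scan -ScanType $code | Out-Host      # "Scan starting ..." / "Scan finished."
    $exit = $LASTEXITCODE
    # Per Microsoft's MpCmdRun documentation, exit code 2 means threats were found, 0 means clean.
    Write-Host "MpCmdRun exit code: $exit  (2 = threats found, 0 = clean)"

    # Same log the post tells Steve to open with File Explorer; it lands in the
    # profile's Temp folder when the tool is started from the user's elevated prompt.
    $log = Join-Path $env:LOCALAPPDATA 'Temp\MpCmdRun.log'
    if (Test-Path $log) {
        Write-Host "--- last lines of $log ---"
        Get-Content -Path $log -Tail 25 | Write-Host
    }
    return $started
}

function Show-DefenderHistory {
    # Answers the "new or historical?" question that comes up later in the thread:
    # a detection first seen before $Since predates the scan you just ran.
    param([datetime]$Since)

    $status = Get-MpComputerStatus
    Write-Host "Signatures updated:    $($status.AntivirusSignatureLastUpdated)"
    Write-Host "Last quick scan ended: $($status.QuickScanEndTime)"
    Write-Host "Last full scan ended:  $($status.FullScanEndTime)"

    # Map ThreatID -> name/severity so the detection list is readable.
    $names = @{}
    foreach ($t in Get-MpThreat) { $names[$t.ThreatID] = $t }

    Get-MpThreatDetection |
        Sort-Object InitialDetectionTime -Descending |
        ForEach-Object {
            [pscustomobject]@{
                FirstSeen = $_.InitialDetectionTime
                Age       = if ($_.InitialDetectionTime -lt $Since) { 'historical' } else { 'NEW' }
                Threat    = $names[$_.ThreatID].ThreatName
                Severity  = $names[$_.ThreatID].SeverityID
                Resources = ($_.Resources -join '; ')
                Process   = $_.ProcessName
            }
        } | Format-Table -AutoSize -Wrap
}

# Run a full scan (the kind that found the trojans in the opening post), then list
# every detection Defender knows about, flagging which ones predate this run.
$scanStart = Invoke-DefenderScan -ScanType Full
Show-DefenderHistory -Since $scanStart
```

The Resources column shows the file, registry key or process each detection was tied to, which is what you need to judge whether a "severe" item is a live infection or a leftover entry in the history; the Age column is only as good as the clock comparison, so read it alongside the scan end times printed above it.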

Thank you so much.  The log reports it detected ZERO threats.

Let us proceed and do a couple of other different scans,  just to check this system.

[    1   ]

The Microsoft Safety Scanner  is a free Microsoft stand-alone virus scanner that  can be used to scan for & remove malware or potentially unwanted software from a system.

The download links & the how-to-run-the tool are at this link at Microsoft

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Let me know the result of this.

The log is named MSERT.log 

the log will be at  %SYSTEMROOT%\debug\msert.log   which in most cases is

C:\Windows\debug\msert.log

Please attach that log with your reply, later, as you get the time..

 

[    2    ]

Next, do this.

I would suggest a free scan with the ESET Online Scanner
Go to https://www.eset.com/us/home/online-scanner/

Look on the right side of the page.  Click Scan Now

It will start a download of "esetonlinescanner_enu.exe"

Save the file to your system, such as the Downloads folder, or else to the Desktop.

Go to the saved file, and double click it to get it started.

When presented with the initial ESET options, click on "Computer Scan".

Next, when prompted by Windows, allow it to start by clicking Yes

When prompted for scan type, Click on Full scan
Look at & tick  ( select )   the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click on Start scan button.
Have patience.  The entire process may take an hour or more. There is an initial update download.
There is a progress window display.

You should ignore all prompts to get the ESET antivirus software program.   ( e.g.  their standard program).   You do not need to buy or get or install anything else.
When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.
Click The blue “Save scan log” to save the log.

If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files”  ( in blue, at bottom).
Press Continue when all done.  You should click to off the offer for “periodic scanning”.
 

Then, also, let me know,  How is the situation now ?


Hi Maurice, I've done the Microsoft Safety Scanner run and the log file is attached, but I'm having trouble getting to the ESET exe file that you gave me.

When I click the SCAN NOW, the file it downloads is esetonlinescanner.exe, not the esetonlinescanner_enu.exe file that you suggest, and the SCAN NOW I've clicked on is in a drop-down banner from the header that only appears as you scroll down then back up the page. I've also attached a screen-shot of the ESET screen I'm looking at -

Regards, Steve

 

ESEThomepage.jpg

msert.log


Hi.   Look quite carefully when you first get to the ESET website.

Once on the site,  look on the left side.   Click on the button   ONE-Time scan

That will begin the download.


Hi Maurice, I've clicked on the ESET ONE TIME SCAN button as you said, but its downloaded exactly the same exe file as before - as esetonlinescanner(1).exe - Which I tried running, but quickly got into trouble.

All went ok until it got the a screen saying something like "Whats the problem with your computer?" and showing some options, but I'm not exactly sure what it showed because it only displayed briefly before going all black on me.  I left it for a bit then clicked on this black window, only to get the "not responding" message offering "wait" or "close".  I clicked on "wait" and still only got the black display so then clicked on "close".  I wondered if having 2 similar exe files might be upsetting things, so deleted yesterdays file and renamed todays to get rid of the (1), but now when I try to run the exe nothing happens, although as you can see in the attached screenshot it is still showing in the Task Manager Process list.

Please advise further, Steve

 

ESETNotResponding.jpg


Hi Maurice, I've also just noticed that if I hover my cursor over the ESET ONE TIME SCAN button ,the link shown at the bottom of the screen does refer to the filename esetonlinescanner_enu.exe that you expected - see attached screenshot -  but that is not the filename that is actually being downloaded. Is it possible that ESET have an error in their link?

Regards, Steve

ESETNotResponding#1.jpg


I just do not know how or where..... but it just seems you either got lost or got another file from ESET.

Let's scratch / cancel the suggestion. Delete the file that you saved.

You can run another scan to scan this system.

Dr.Web CureIt is the name of the tool.

Do not click on the small popup mini-window that shows up.   Look for the green color button that says "Download Dr.Web CureIt"  with the down-arrow icon


 

Download Dr.Web CureIt to the desktop. 
The download is nearly 208  MB in size

 

After the download is completed, then close the browser and all other web browsers too.

Use the Windows File Explorer to go to the Downloads folder.

 

Double-click on the downloaded file to start the tool. (Dr.Web will randomize the name of the file when you download it.)

 


⦁    You will see a screen similar to this:



 
Click the checkbox to participate, and then click on Continue button.

 


⦁    Next



 
Click on Select objects for scanning
⦁    Next

 
Put a checkmark by clicking on all the boxes    EXCEPT for

"Temporary files"

"System restore points"


Do not select Temporary files or System Restore points.


Then click on Start scanning button

⦁    The scan in progress will be shown like this

 



⦁    IF something is detected, you will see a screen similar to this

 



 
For each item "detected", click on the Action column down arrow, like this
 


Your options will be Cure or Ignore

IF you see an item that you are very sure is ok, then un-check the checkbox for that item.
Typically, you will keep the Cure default.

Then click on the Neutralize button.

 

⦁    When the actions are completed, you will see this



 
⦁    Click on the green Open Report line. It will pop-up the report in NOTEPAD.
Save the report to your desktop. The report will be called Cureit.log
⦁    Close Dr.Web Cureit. 
⦁    Reboot your computer to allow files that were in use to be moved/deleted during reboot. 
⦁    After reboot, attach the log Cureit.log you saved previously in your next reply. 

 

Have patience in all this. 


Sorry Maurice, but this application won't run either!

I followed your instructions carefully to the point of double-clicking on the downloaded file, then - nothing - except that File Manager HUNG UP permanently (see attached photo showing file (~216MB), cursor and hourglass) and could not be moved, minimised or closed, and then when I tried to get Chrome back up to report this to you it opened but would not connect to the internet!

I had to shut down the computer and restart it twice before Windows would fire up again....

I have to say that this process is beginning to get frustrating. Please allow me to let you know that I have worked with computers for many years as a qualified electrical and control systems engineer, so I am reasonably computer literate, but not an expert by any means.

My current concern is that something is fundamentally wrong with either my system, my use of my system, or my set-up of Windows Defender or/and Malwarebytes and that this is allowing these trojans etc to sneak into my system undetected. The fact that now also two anti-virus applications have failed to run on my system leaves me wondering about the validity of my system.

So, I would be very grateful Maurice if you could share your thoughts with me on this and, of course, your thoughts on where we go next.

Best regards, Steve

IMG_20200624_143018131.jpg


Hi.

I appreciate your information.   I regret the trouble you encountered.

Let's just go slower and let's see if the Windows system has logged any events that may relate to CureIt or some other security program.

These will be just reports.

[    1    ]

Please download MiniToolBox save it to your desktop and run it. 

Reply YES when prompted by Windows to Allow the program to run.
Reply YES when prompted by the tool to proceed.

Checkmark the following check-boxes:
Flush DNS
Report IE Proxy Settings
Reset IE Proxy Settings
Report FF Proxy Settings
Reset FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs
List Devices
List Users, Partitions and Memory size.
List Minidump Files

Click Go and post the result ( MTB.txt ). A copy  will be saved in the same directory the tool is run. 
Note: When using Reset FF Proxy Settings option Firefox should be closed. 
 

[    2    ]

Download   Farbar's Service Scanner utility
http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/


and Save to your Desktop.
Right-click on fss.exe and select Run As Administrator.

Answer Yes to ok when prompted.
If your firewall then puts out a prompt, again, allow it to run.
Once FSS is on-screen, be sure the following items are checkmarked:
Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender
Other services

  
Click on "Scan".
It will create a log (  FSS.txt    ) in the same directory the tool is run.

 

[   3   ]

Use the Windows File Explorer to go to the Downloads folder.

Run report with FRSTENGLISH

Right-click on FRSTENGLISH   and select Run as Administrator to start the tool , and reply YES to allow it to proceed and run.
 

_Windows  10 users will be prompted about Windows *SmartScreen protection* - click line More info information on that screen and click button Run anyway on next screen._

Click YES when prompted by Windows U A C prompt to allow it to run.
Note: If you are prompted by Windows SmartScreen, click More info & followup & choose Run anyway.


Approve the Windows UAC prompt on Windows Vista and newer operating systems by clicking on Continue or Yes. 

Click Yes when the* disclaimer* appears in FRST.
The tool may want to update itself - in that case you'll be prompted when the update is completed and ready to use.

Make sure that Addition options is *checked* - the configuration should look exactly like on the screen below (do not mark additional things unless asked).
Press Scan button and wait.



The tool will produce 2  logfiles on your desktop: FRST.txt , Addition.txt 
Click OK button when it shows up. Close the Notepad windows when they show on screen. The tool saves the files.

Please attach these 2 files to your next reply.

also attach   FSS.txt into your reply. 

 


Be sure to not overlook my prior reply above.

This is an additional note.   Google Chrome looks to be the default browser.   For the time being,  just try using the EDGE browser instead.

additionally, always  first Save any download.   keep saving to the Downloads folder   ( or else, the Desktop).

Then if you need to run a download, only use File Explorer to go to that download location.    then start the tool or report or whatever from there.

If you are already doing that, then great.

Keep having patience.   We will eventually figure out what the mystery is.


Hi Maurice, First let me thank you for all of the time and effort you are putting into helping me.

I did another Defender Full Scan yesterday, before some banking work, and nothing was found.

This last exercise all seems to have worked and I'm using the "new" EDGE browser on this investigation now, BUT did you intend me to use EDGE for all my browsing until we resolve this issue?

All four files are attached and, whilst I've had a browse through them, very little makes any sense to me.

Thank you again, Steve

Addition.txt FRST.txt FSS.txt MTB.txt


Hi Steve.   Thanks so much for all the reports.   I am glad that you have been able to do ( at least) these downloads & these runs.

For the duration of this, and as long as EDGE does work, let's just keep using it.

Thanks for your ongoing patience & understanding as we continue with this situation.    It is a bit of a mystery why the DrWeb Cure-It or ESET Online scanner  apparently did not "start".

 

Let's do a new scan with the Malwarebytes for Windows which is presently on the machine.

 

Run a scan with Malwarebytes for Windows.
Start Malwarebytes from the Windows  Start menu.

Click Settings ( gear icon)   at the top right of Malwarebytes window.   We want to see the SETTINGS window.

Then click the SECURITY  tab.
Scroll down and let's be sure the line in SCAN OPTIONS for "Scan for rootkits" is ON.
Click it to get it ON if it does not show a blue color.

Now click the small X  to get back to the main menu window.


Click the SCAN button.
Select a Threat Scan ( which should be the default).

When the scan phase is done, be real sure you Review and have all detected lines items check-marked on each line on the left. That too is very critical.

Then click on Quarantine selected.

 

Be sure all items were removed.    Let it remove what it has detected  ( if anything).

 

Then, locate the Scan run report;  export out a copy;  & then attach in with your  reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

 

Let's see what the result is, before we attempt some other measure.


Hi Maurice, Done as you asked and MB found nothing so nothing to quarantine - BOTH Summary and Advanced reports attached. 

BUT, an interesting event this morning in that Windows Defender Security Centre would not open - its window popped up, but the little blue dots just kept on rolling across the top!

 (I'd a current notification that Windows Defender had run 4 times since the last notification and dealt with 9 threats, so I wanted to check if these were new or historical since I'd only just had a clear full scan recently.)

Had to shut down the PC and restart (twice again) then opened Security Centre ok and I could see that the threats were historical, the ones of my initial post.

Best regards, Steve

MBScanAdvanced26jun2020.txt MBScanSummary26jun2020.txt


Hi.  Good afternoon, Steve.

Thanks for the reports.

I suggest we do a custom script run to take care of some issues. There are 2 files of McAfee leftover in firewall rules that ought to be removed, and there are around 5 files (which now should be gone) that Windows Defender had tagged that I would like to check on.

I also would like to do one run of the Windows System File Checker tool.

My current thinking is that 'perhaps' the Windows SmartScreen protection had silently blocked your prior 2 attempts to run the 2 special tools.

 

[     1    ]

The tutorials below can help show you how to turn off Windows Defender Smartscreen 

These are intended to be temporary measures. 
 
Change Windows SmartScreen Settings in Windows 10 Security System Tutorials  
 

 

 [    2    ]

This custom script is for  Stevep47   only / for this machine only.


Close and save any open work files before starting this procedure. 

I am sending a  new  custom Fix script which is going to be used by the FRSTENGLISH tool. They will both work together as a pair.

Please RIGHT-click the (attached file named) FIXLIST and select SAVE  link AS and save it directly ( as is) to the  Downloads  folder

The tool named FRSTENGLISH.exe   tool    is already on the Downloads folder
Start the Windows Explorer and then, to the Downloads folder.


RIGHT-click on FRSTENGLISH and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow it to run. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool......
click line More info information on that screen
and click button Run anyway on next screen.

on the FRSTENGLISH window:
Click the Fix button just once, and wait.

 
PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   

Please do have  continuing  patience    Thank you.

Fixlist.txt

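Before turning SmartScreen off machine-wide, there is a narrower check worth running first; this is an added example and not part of the thread. SmartScreen's "Check apps and files" only examines a file that carries the Mark of the Web, the Zone.Identifier alternate data stream a browser writes on a download (ZoneId=3 means it came from the Internet zone). The script below lists every .exe in the Downloads folder the posts tell Steve to use, shows whether it carries that mark and from which host, checks its Authenticode signature and SHA-256 hash, and then shows how to strip the mark from one verified file with Unblock-File instead of disabling the protection. All cmdlets are built into Windows PowerShell; the helper name Show-DownloadTrust is mine, and the FRSTENGLISH.exe path in the comment is only an illustration using a tool named earlier in the thread.

```powershell
# Added example, not from the original thread. Assumes the tools were saved to the
# user's Downloads folder as recommended above, on Windows 10 PowerShell 5.1.

function Show-DownloadTrust {
    param([string]$Folder = (Join-Path $env:USERPROFILE 'Downloads'))

    Get-ChildItem -Path $Folder -File -Filter *.exe | ForEach-Object {
        $file = $_
        # The Mark of the Web lives in the Zone.Identifier stream. Without it SmartScreen
        # never inspects the file, so a "silent block" would have to come from elsewhere.
        $motw = Get-Content -Path $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        $zone    = ($motw | Where-Object { $_ -like 'ZoneId=*' })  -replace '^ZoneId=', ''
        $hostUrl = ($motw | Where-Object { $_ -like 'HostUrl=*' }) -replace '^HostUrl=', ''

        # Who signed it, and does the file still match that signature?
        $sig = Get-AuthenticodeSignature -FilePath $file.FullName

        [pscustomobject]@{
            File      = $file.Name
            SizeMB    = [math]::Round($file.Length / 1MB, 1)
            ZoneId    = if ($zone) { $zone } else { '(none)' }
            HostUrl   = if ($hostUrl) { $hostUrl } else { '' }
            Signature = $sig.Status              # Valid, NotSigned, HashMismatch, ...
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            SHA256    = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
        }
    }
}

Show-DownloadTrust | Format-Table -AutoSize -Wrap

# To let a single tool run without touching the global SmartScreen setting, remove its
# Mark of the Web only after you are satisfied with the signer and hash shown above, e.g.:
# Unblock-File -Path (Join-Path $env:USERPROFILE 'Downloads\FRSTENGLISH.exe')
```

A file whose Signature column reads NotSigned is exactly the kind SmartScreen will warn about, so comparing the SHA256 column against the hash published by the tool's vendor is the check that justifies unblocking it; a HashMismatch means the file was altered after signing and should not be run at all.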

Sorry Maurice, but I'm not sure I understand everything that you need me to do -

You mention running the Windows System File Checker tool, but then you don't say anymore about it.

The two tutorials you give for turning off Smartscreen seem to turn off different things, #1 - Check apps and files. #2 - SmartScreen for Microsoft Edge

     Q1 Do you need me to turn off both of these and also when and for how long?

     Q2 Do they need to be turned off for the run of FRSTENGLISH that you are asking for?

Thanks, Steve


I meant to turn off Smartscreen like in the 2 citations I listed above.   Keep them off for the time being, so you can do all that I last listed.

Part of the special Fix script I provided will be the one running the System File Checker tool,  as part of its run.

The answers to your questions are....  Yes to Q1  & to Q2

 

After the Fix run is all done, then you may go & re-enable the SmartScreen feature.

Cheers.


Thank you for the clarification Maurice.

This all seems to have gone ok.

The File Checker also seems to have corrected some issues, so I've saved the CBS.log file in case you want to have a look at it.

SmartScreen is re-enabled.

Regards, Steve

Fixlog.txt

This topic is now closed to further replies.