Only Defender full scan finds these trojans


Solved by Maurice Naggar

Thank you for the Fixlog.   That is a good run.   None of the documents previously flagged by Windows Defender are around anymore.   That is past history.

The SFC reports doing some corrections.   That is ok.

I would like you to do one other system check.

 

On the Windows search box, type in

cmd.exe


and then look at the entire list of choices, and click on Run as Administrator.

 

It is best to  use COPY & Paste for the following.

At the Command prompt either type or copy/paste the following commands, tap  Enter-key after the command:

 

DISM /Online /Cleanup-Image /CheckHealth

 

I would like to have the bottom-line summary at the end of that run.

Cheers,

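An added example, not part of Maurice's post or any tool he names: a PowerShell wrapper around the DISM health check he asks for, which pulls out the bottom-line component-store verdict and only escalates to ScanHealth and RestoreHealth when asked. It assumes dism.exe in the Windows System32 folder, an elevated window, and the English summary strings DISM prints; the function names are mine.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell window.
# Assumptions: dism.exe at %WINDIR%\System32\dism.exe and the English summary
# lines DISM prints ("No component store corruption detected.",
# "The component store is repairable.", ...). Function names are hypothetical.

function Invoke-Dism {
    param([Parameter(Mandatory)][string] $Action)   # CheckHealth, ScanHealth or RestoreHealth
    $dism   = Join-Path $env:WINDIR 'System32\dism.exe'
    $output = & $dism /Online /Cleanup-Image "/$Action" 2>&1 | ForEach-Object { "$_" }
    [pscustomobject]@{
        Action   = $Action
        ExitCode = $LASTEXITCODE
        # The "bottom line" asked for in the post: DISM's own component-store verdict
        Summary  = ($output | Where-Object { $_ -match 'component store|operation completed' }) -join ' '
    }
}

function Test-ComponentStore {
    param([switch] $Repair)   # go beyond reporting only if asked

    $check = Invoke-Dism -Action CheckHealth
    Write-Host "CheckHealth (exit $($check.ExitCode)): $($check.Summary)"
    if ($check.ExitCode -ne 0) { return $check }
    if ($check.Summary -match 'No component store corruption') { return $check }

    # CheckHealth only reports what earlier servicing operations flagged;
    # ScanHealth actually verifies the store and takes noticeably longer.
    $scan = Invoke-Dism -Action ScanHealth
    Write-Host "ScanHealth (exit $($scan.ExitCode)): $($scan.Summary)"

    $repairable = ($scan.Summary -match 'repairable') -and ($scan.Summary -notmatch 'not repairable')
    if ($Repair -and $repairable) {
        $restore = Invoke-Dism -Action RestoreHealth
        Write-Host "RestoreHealth (exit $($restore.ExitCode)): $($restore.Summary)"
        return $restore
    }
    return $scan
}

# Usage: Test-ComponentStore            # check only, print the summary line
#        Test-ComponentStore -Repair    # also run RestoreHealth if DISM says the store is repairable
```

The returned object carries the exit code and the summary sentence, which is exactly what the post asks to be reported back; the repair branch is opt-in so that a reader who only wants the check does not trigger a lengthy RestoreHealth by accident.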

Hi, Steve. That result is excellent.

I believe this system is all good-to-go.

I expect that what had prevented the scan runs of ESET Online scanner & the DrWeb CureIt was silent blocking by the SmartScreen protection.

Is there something you need at this point?

 

In the recent past,  I had you run scans with the Microsoft Safety Scanner, Windows Defender,  Malwarebytes for Windows, and Adwcleaner.


OK Maurice, thank you. I'll see how things go for a while, try to do a Defender Full Scan once a week and see if anything comes up.

If I should have further concerns about poor virus detection, should I revisit this post or start a new one?

Best regards, Steve


Hi Steve.   Good morning.   I will keep this Topic open for a few more days.   Though you should be able to tell / to judge over the next 2, 3, 4 days.

Also, we have determined that the document files that Windows Defender had flagged  are no longer around.

Further, this PC has Malwarebytes for Windows Premium. Its daily scheduled scan is to be considered a reliable tool.

Plus, there should also be a daily scan by Windows 10's Microsoft Defender Antivirus. If it finds a threat, Microsoft Defender will notify and prompt you.


Hi Steve.

Just from the threat-classification names by Microsoft, I can tell these are file types that are not scanned by Malwarebytes.

Microsoft Windows Defender antivirus does detect them. You say you have had them deleted. Did you document the folder locations where they were located?

Further,  are any of those ones that you yourself possibly downloaded?

or, possibly, were they old documents that you had stored before ?    [ e.g. previously created by you & saved by you sometime in the past ? ]

 

Windows Defender can be run from an elevated Command prompt. Just remember that this one here is customized for the C drive.

 

On the Windows taskbar ,  on the Windows search box,  type in

cmd.exe


and then look at the entire list of choices, and click on Run as Administrator.

 

It is best to  use COPY & Paste for the following.

At the Command prompt either type or copy/paste the following commands, tap  Enter-key after the command:

 

"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -file c:\

then tap the Enter-key to get that going.

 

You will see this as the initial on-screen display:

Scan starting ...

 

Have patience during the run. Wait for this display:

Scan finished.

Then look for the bottom line result.   Jot that down for your records.

 

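An added example, not code from the thread: a PowerShell wrapper for the MpCmdRun custom scan in the post above. It interprets the exit code and writes down where each flagged item was found, which is the "folder locations" record Maurice asks for; the same function scans a single saved attachment, as the later advice in this thread recommends. Assumptions: MpCmdRun.exe under %ProgramFiles%\Windows Defender (the path the post uses), the documented MpCmdRun -Scan return codes (0 = no threats, 2 = threats found), and Get-MpThreatDetection resource strings of the form "file:_C:\path\item". Function names are mine.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell window.
# Assumptions: MpCmdRun.exe under %ProgramFiles%\Windows Defender as in the
# post; MpCmdRun -Scan return codes 0 = no threats, 2 = threats found;
# Get-MpThreatDetection resources look like "file:_C:\path\item" (the prefix
# up to "_" is stripped below). Function names are hypothetical.

function Invoke-DefenderCustomScan {
    param(
        # Folders or files to scan: 'C:\' as in the post, or one saved attachment
        [Parameter(Mandatory)] [string[]] $Path,
        [string] $LogDir = "$env:USERPROFILE\Desktop"
    )
    $mpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
    if (-not (Test-Path $mpCmdRun)) { throw "MpCmdRun.exe not found at $mpCmdRun" }
    $started = Get-Date

    $scans = foreach ($p in $Path) {
        if (-not (Test-Path $p)) { Write-Warning "Skipping missing path: $p"; continue }
        # -ScanType 3 = custom scan limited to the -File target (a file or a folder tree)
        & $mpCmdRun -Scan -ScanType 3 -File $p | Write-Host
        $code   = $LASTEXITCODE
        $result = switch ($code) {
            0       { 'No threats found' }
            2       { 'Threats found' }
            default { 'Scan did not complete' }
        }
        [pscustomobject]@{ Path = $p; ExitCode = $code; Result = $result }
    }

    # Detections the engine logged since this run began, with their locations
    $names = @{}
    Get-MpThreat | ForEach-Object { $names[$_.ThreatID] = $_.ThreatName }
    $detections = Get-MpThreatDetection |
        Where-Object { $_.InitialDetectionTime -ge $started } |
        ForEach-Object {
            $d = $_
            foreach ($r in $d.Resources) {
                [pscustomobject]@{
                    Detected   = $d.InitialDetectionTime
                    ThreatName = $names[$d.ThreatID]
                    Location   = $r -replace '^[a-z]+:_', ''
                }
            }
        }

    # Keep a record: the bottom line per path plus where anything was found
    $log = Join-Path $LogDir ('DefenderCustomScan-{0:yyyyMMdd-HHmm}.txt' -f $started)
    (($scans      | Format-Table -AutoSize | Out-String) +
     ($detections | Format-Table -AutoSize | Out-String)) | Set-Content -Path $log
    [pscustomobject]@{ Scans = $scans; Detections = $detections; Log = $log }
}

# Usage: Invoke-DefenderCustomScan -Path 'C:\'
#        Invoke-DefenderCustomScan -Path "$env:USERPROFILE\Downloads\invoice.zip"
```

The exit code is the reliable signal here; "Scan finished." is printed whether or not anything was found, so a script should not key off the console text alone.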

Ok Maurice, ran that with result of  - found no threats - BUT -

No sooner had I registered this when up popped a separate notification from Defender that it had found threats, 4 of them, and this time I got the details and quarantined them - please see screenshots.

From what I can make out these look like historical bogus invoice emails that I'm sure I would not have opened any attachments, they even appear to pre-date my purchase of this PC!

What next please?

Regards, Steve

WDTrojan#4.jpg

WDTrojan#3.jpg

WDTrojan#2.jpg

WDTrojan#1.jpg


So, it sounds as if a bunch of these are old emails in Outlook. If you can find where they are in Outlook, let's have you permanently delete all such email copies (Sent, Junk, Inbox, etc., etc.).

Then I have a few follow-up suggestions for you to do in Windows PowerShell (including a different special run of Windows Defender).

Let's take it a bit at a time first. Clean out the Outlook email-message storage of those tagged emails & any others that are suspicious.

Then, slowly but ever so much with determination.

Start an elevated PowerShell command prompt window.

On the Windows taskbar, on the Search box, type in

powershell

Wait and look for the results list. Click on the line that shows PowerShell with "Run as Administrator".

Then you will see the Powershell window.

Into that, we want to Copy & Paste a few specialized command lines.  Do one at a time.   Tap Enter after each one.

Set-MpPreference -PUAProtection 1

 

At this point, before going any further,  you want to Close and save any open work files / documents.

This next command will initiate (should initiate) an offline-mode scan of Windows Defender. It should take something under 15 minutes total.

Start-MpWDOScan

 

This likely will involve a reboot  and at the end, should return you back into normal Windows.

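An added example, not code from the post: the two PowerShell commands above with the checks a practitioner would put around them. It confirms the PUA setting actually took, confirms the Defender service is running and its signatures are fresh before the offline scan, makes the reboot an explicit choice, and leaves a timestamp so the post-reboot Protection History can be checked for anything new. The cmdlets are the built-in Defender module's; the function names and the marker file on the desktop are my assumptions.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell window.
# Assumptions: built-in Defender module cmdlets; a marker file on the desktop
# to time-box the post-reboot check. Function names are hypothetical.

function Enable-PuaProtection {
    Set-MpPreference -PUAProtection 1            # 1 = Enabled (2 would be AuditMode)
    $pref = Get-MpPreference
    if ($pref.PUAProtection -ne 1) { throw "PUA protection is $($pref.PUAProtection), expected 1" }
    return $pref.PUAProtection
}

$script:WdoMarker = Join-Path $env:USERPROFILE 'Desktop\wdo-scan-started.txt'

function Start-DefenderOfflineScanChecked {
    param([switch] $Force)   # skip the interactive confirmation
    $status = Get-MpComputerStatus
    if (-not $status.AMServiceEnabled) {
        throw 'Defender antimalware service is not running; offline scan cannot be started'
    }
    if ($status.AntivirusSignatureLastUpdated -lt (Get-Date).AddDays(-1)) {
        Write-Warning "Signatures dated $($status.AntivirusSignatureLastUpdated); updating first"
        Update-MpSignature
    }
    # Record when the scan was started so the history can be filtered afterwards
    (Get-Date).ToString('o') | Set-Content -Path $script:WdoMarker

    if (-not $Force) {
        $answer = Read-Host 'The PC will restart into Microsoft Defender Offline. Save and close your work, then type YES'
        if ($answer -ne 'YES') { Write-Host 'Offline scan not started.'; return $false }
    }
    Start-MpWDOScan    # triggers the reboot into the offline environment
    return $true
}

function Get-OfflineScanResult {
    # After the reboot: anything Defender recorded since the marker was written
    $since = [datetime]::ParseExact((Get-Content -Path $script:WdoMarker), 'o',
                                    [cultureinfo]::InvariantCulture)
    Get-MpThreatDetection |
        Where-Object { $_.InitialDetectionTime -ge $since } |
        Select-Object InitialDetectionTime, ThreatID, ActionSuccess, Resources
}

# Usage: Enable-PuaProtection
#        Start-DefenderOfflineScanChecked      # answer YES when ready to reboot
#        Get-OfflineScanResult                 # once back in Windows
```

An empty result from Get-OfflineScanResult is the same "nothing new in Protection History" outcome reported further down in the thread, but checked by timestamp rather than by eye.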

Thank you Maurice, and thank you also to @Porthos for your thoughts.

I've been through all of my Outlook mail folders and I think I've deleted everything related to these old emails, and a whole lot more besides, just in case.

I also got Defender to "remove" the last 4 trojans that I'd quarantined. Although, it's troubling that Protection History still offers me the "Allow" action if I view the details of them!

I did the PowerShell run of Defender offline as advised. Saw it start, but didn't watch it go through, although nothing new was reported in Protection History after the PC restarted.

I'll do another Defender Full Scan now and let you know the result.

Thanks again, Steve


Hi Maurice, No threats found this latest full scan, but I'll not relax just yet as previously I could have some clear scans before the trojans would pop up again. 

So, unless there is anything else that you would like me to do, I'll run scans again over the next few days and just hope that they stay clear now.

Best regards, Steve


Glad to know that the last scan is all good. Since the last set of flagged items apparently were zip file attachments in Outlook emails ....

I would highly encourage you to be more on-guard, more discriminating about what you keep in the Email store  ( in this case, Outlook).

As you spot emails with zip files, be sure you slow down and ask yourself, did I expect to get a zip attachment from this sender?

Ask yourself do I even do any correspondence with them?

For those emails that you suspect are spam or seem to be outright scams, potential rip-offs, etc,  Delete those emails permanently.

Do not even try to forward them to some other third party.

 

Be extra cautious if you do have what you think are legitimate attachments.  Do not just open any attachment.  Save the attachment first to some temporary folder.

Then go to that folder via File Explorer. Right-click on the saved file and select "Scan with Microsoft Defender".

Then be sure it passes muster.   If not, be sure to delete it there  and off the email message.

 

I always have this advice for folks.

Never open attachments that come with unexpected ( out of the blue ) email no matter how enticing.
Never open attachments from the email itself. Do not double click in the email. Always Save first and then scan with antivirus program.

 

FYI

Malwarebytes for Windows can scan zip files, but is limited as to the actual size of them.

Microsoft Defender has a far superior ability to scan and catch different types of file types that are not EXE / executable type files.

IF you want to consider,  take another stab at running a different antivirus scanner.    [  The prior attempts I believe were hampered or silently blocked by the Windows Smartscreen protection.]

 

TrendMicro HouseCall scan

https://www.trendmicro.com/en_us/forHome/products/housecall.html

First, Download & Save to your Downloads folder the appropriate HouseCallLauncher

 

Once the download is complete, go to where the HouseCallLauncher is saved & double-click it to start it.

The program will check with TrendMicro & do an update run.

 

Next it will show the Disclosure window.

Click Next to proceed.

 

The end user license agreement is presented.   Click the Accept radio button & click Next to proceed.

 

If you want a Full scan or a Custom scan, first click on Settings,

then you can select which drives you want to include in the scan.

The default is a Quick scan.

Click Scan now when ready.

 

The scan progress will then be displayed.   Monitor the progress or just leave it alone until it finishes this phase.

 

When the scan phase has completed, if any items are tagged, you will see a list, showing  the file & its location, the classification of the threat, the type, risk, and Action option.

If you see an item that you know is safe, you can click Action and select Ignore.

When all done & ready, click the Fix now button.


Thank you again Maurice. I was already aware of the points you make about email attachments, and I thought I always try to follow them, but clearly I haven't been cautious enough.

It seems to me that my basic problem was not realising that these old emails and their attachments were still stored on my PC. Since I could access them from any other PC I logged into, I'd assumed they were stored on some "Outlook" server somewhere and thus "isolated" from my PC. I know better now!

A few things I don't understand though, if these emails were permanently stored on my PC -

Q1 Why didn't Defender Full Scan find them every time I ran it?

Q2 When I had commanded Defender to remove them, and it claimed that it had, how did they come back?

Q3 If I've got archived infected Outlook email attachments on my PC and I access my Outlook from another PC, does that PC get infected too? Even though I don't access the infected emails?

Could it be that the email files on my PC ARE ALSO stored on some "Outlook" server somewhere,  and that server keeps refreshing my PC files when a difference is detected?

Sorry if these are nuisance questions, but I'm an engineer, I like to understand how things work!

I've also had a look at the TrendMicro HouseCall webpage and I'll be following your advice to do a scan with it shortly and I'll let you know what it finds.

Best regards, Steve


Good morning, Steve.

To answer your questions Q1 & Q2:  I really do not know.  I do not know if the same zip file attachments were involved.

 

Q3.   As long as you do not open the zip files,  or cause the content to be "opened" ....your systems are ok.

As long as you delete the email involved, it ought not to "re-appear".

It has been a long time since I used the actual Outlook app locally installed. Though I tend to recall that by ensuring that the email is selected, then pressing the SHIFT key then the Delete key will permanently delete the message. The other way is to go to the Deleted Items folder and delete all (using the Outlook menu).

 

Just by the way, the Microsoft naming convention can make those "threats" seem more scary than needs be.

The point is, if you did not actually open the Zip files and then actually "run" the content,  then you can "breathe easier".

 

Do the TrendMicro scan. Let's see the result. Keep in mind what I said about the SmartScreen protection of Windows 10 (that it can & does at times block good tools from running).

Its reputation-based algorithm is not perfect & is known to have false-positive blocks. Remember what I said about the override for it.

My goal with the TrendMicro is just to confirm  ( from an independent & trusted tool)   that the pc is free of active  malicious malware.

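An added example, not code from either poster: a way to answer the "are these emails really stored on my PC?" and "how did they come back?" questions above with evidence rather than guesswork. It lists the Outlook data files present on the machine and then checks, for each resource Defender flagged, whether it sat inside one of those stores and whether the on-disk file still exists. Assumptions: the classic Outlook desktop app with its .ost/.pst stores under the two default folders below, and Get-MpThreatDetection resource strings of the form "file:_C:\store.ost->item", where "->" separates a container from the item inside it. Function names are mine.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell window.
# Assumptions: classic Outlook desktop app; .ost/.pst stores under the two
# default folders below; Get-MpThreatDetection resources look like
# "file:_C:\store.ost->item" with "->" separating container and member.
# Function names are hypothetical.

function Get-OutlookDataFile {
    $roots = @("$env:LOCALAPPDATA\Microsoft\Outlook",
               "$env:USERPROFILE\Documents\Outlook Files")
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -File -Include *.ost, *.pst -ErrorAction SilentlyContinue |
            Select-Object FullName,
                          @{ n = 'SizeMB'; e = { [math]::Round($_.Length / 1MB, 1) } },
                          LastWriteTime
    }
}

function Find-DetectionInMailStore {
    param([datetime] $Since = (Get-Date).AddDays(-30))
    $stores = @(Get-OutlookDataFile | ForEach-Object { $_.FullName })
    Get-MpThreatDetection |
        Where-Object { $_.InitialDetectionTime -ge $Since } |
        ForEach-Object {
            $d = $_
            foreach ($r in $d.Resources) {
                $resource = $r -replace '^[a-z]+:_', ''
                $onDisk   = ($resource -split '->')[0]     # the file Defender actually opened
                [pscustomobject]@{
                    Detected    = $d.InitialDetectionTime
                    ThreatID    = $d.ThreatID
                    Resource    = $resource
                    OnDiskFile  = $onDisk
                    StillExists = Test-Path -LiteralPath $onDisk
                    InMailStore = [bool]($stores | Where-Object { $onDisk -ieq $_ })
                }
            }
        }
}

# Usage: Get-OutlookDataFile                          # where Outlook keeps mail locally
#        Find-DetectionInMailStore | Format-Table -AutoSize
```

If InMailStore is true for the flagged items, deleting the individual messages (and emptying Deleted Items) is what actually changes the store's contents; removing the "file" Defender names would mean removing the whole .ost or .pst, which is not what the advice above intends. A detection whose OnDiskFile no longer exists cannot recur from that path.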

A bit confusing, Maurice. I turned off SmartScreen, downloaded the HouseCall exe, and clicked on Run as Administrator.

At first I didn't think it had started at all, but then I minimised the File Explorer window and there it was hiding behind it!

I then went through the preliminaries and set it to run for a full scan, BUT -

It ran for over 80 minutes, but didn't seem to progress beyond 4%, which it achieved within a few minutes of starting. So I thought I would stop it and try for a more limited C:\ drive scan, but now it wouldn't stop. Task Manager showed it as running and taking up about 30% CPU runtime, and for the first 35 minutes the Antimalware Service Executable was also running with a similar CPU runtime.

It has stopped now, some time after I asked it to, but I'm not sure if it completed the full scan or just eventually responded to my stop request. Please see attached image.

So I'm going to try running it again on a custom scan basis, drive by drive, and see what I get then. I'll let you know.

Regards, Steve

HousecallResult03july2020.jpg


Hi Maurice, I didn't see your last comment until just now, so I have done the individual scans of my C and D drives.

From the time that these custom scans took, over 5 hours for the C drive and ?? for the D drive, left to run overnight, I believe that the first scan I did (at only 80+ minutes) must have been stopped prematurely by me, actually proving nothing. Also, it was quite clear, on the status screen for the custom scans, when files were being scanned and I didn't see that during the first scan attempt.

Good news is, both C and D drive scans came back with "No threats found".

So, hopefully, with those infected emails now deleted from my PC, and taking more care to completely delete doubtful emails in future, the problem will not re-appear.

However, it's a bit worrying that my Outlook "Deleted Items" folder still offers me the option to recover the 1000+ items just deleted from it, so I guess that they are still stored somewhere - just hope it's not still in some hidden corner of my PC!

Please let me know if there is anything else you think I should be doing. Otherwise, I'll continue to run a Defender Full Scan now and again and let you know how it goes.

Best regards, Steve


That is excellent, Steve.

Let's run a report to see about the update status on some tools / add-ons.

SecurityCheck by glax24

I would like you to run a tool named SecurityCheck to inquire on the current-security-update  status  of some applications.

  • Download SecurityCheck by glax24 from here
  • and save the tool on the desktop.
  • If Windows SmartScreen blocks that with a message window, then
  • click on the MORE INFO spot and click "Run Anyway" to override that and allow it to proceed.
  • The tool is safe. SmartScreen is overly sensitive.
  • Right-click with your mouse on the SecurityCheck.exe and select "Run as administrator" and reply YES to allow it to run & go forward.
  • Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file. Attach it with your next reply.
  • You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

 


Slight problem, Maurice. Windows Defender won't let me download SecurityCheck via the link you give.

It blocks it as "an app that might perform unwanted actions on your device". The download information bar, at the bottom of the screen, actually states "virus detected".

Steve
