Jump to content

Windows Defender finds Trojan but Malwarebytes does not


Recommended Posts

Good afternoon,

I've decided to post here since I can't seem to find anything online that can help me out with this.

 

Windows Defender seems to constantly find the following threat, even though I always quarantine/delete it. Along with this, I get pop-ups saying RegSvc.exe (or RegAsm.exe) failed to run. Windows Defender seemingly find the virus/malware, but doesn't appear to fully delete it. Malwarebytes doesn't pick it up at all:

Backdoor:MSIL/Orcus.A!bit

found in:

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

 

Any help would be greatly appreciated!

 

Thank you,

Ben

Link to post
Share on other sites
Hello benrosemberg and welcome to malwarebytes....

Continue with the following:

If you do not have Malwarebytes installed do the following:

Download Malwarebytes from the following link:

https://www.malwarebytes.com/mwb-download/thankyou/

or,

https://downloads.malwarebytes.com/file/mb4_offline

Double click on the installer and follow the prompts. If necessary select the Blue Help tab for video instructions....

When the install completes or Malwarebytes is already installed do the following:

Open Malwarebytes, select > "settings" > "security tab"

Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on....

Go back to "DashBoard" select the Blue "Scan Now" tab......

When the scan completes quarantine any found entries...

To get the log from Malwarebytes do the following:
 
  • Single click on the target sight above scanner window.
  • In the new window select Report
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:
    Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
    Export toTxt - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply

     
  • Please use "Export to Txt" then attach the log to your reply...


Next,

Download AdwCleaner by Malwarebytes onto your Desktop.

Or from this Mirror
 
  • Right-click on AdwCleaner.exe and select user posted imageRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Quarantine button. This will kill all the active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply


Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status...
 
  • Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
    user posted image
     
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach that log to your reply.


Let me see those logs in your reply...

Thank you,

Kevin....
Link to post
Share on other sites
Helo benrosemberg,

Thanks for those logs, run the following please:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

FRST will also create a zip file where FRST is running from, attach that to your reply..

Thank you,

Kevin..

fixlist.txt

Link to post
Share on other sites
 
Hiya Ben,

As I expected the file flagged by Windpws Defender has checked as safe by VirusTotal, as did the other file. Both files are known Windows files and both are in the default folder. I`m not really sure why Windows Defender flags RegSvcs.exe but may explain why Malwarebytes does not.

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

I`ve checked the dump files, none were related to the current problem. Two were associated to USB Hub devices crashes occured 22nd and 26th of May, the one related to Malwarebytes occured 25th April..

Lets run SFC scan and see if the problem files are actually corrupt and need to be replaced...

Open an elevated command prompt:

At the Command prompt, type or copy/paste

SFC /SCANNOW

hit the Enter key

Wait for the scan to finish - make a note of any error messages - and then reboot.

Copy the CBS.log file created (C:\Windows\Logs\CBS\CBS.log) to your desktop (you can't manipulate it directly) and then compress the copy and upload the zip file to your reply.

Thank you,

Kevin..

 

Edited by kevinf80
typing error
Link to post
Share on other sites

Thanks again Kevin - attached is zip file as requested. The scan didn't yield specific errors, just "Windows Resource Protection found corrupt files and successfully repaired them...."

I also should note that I got those pop-ups again ("application unable to start" related to RegSvc and RegAsm) when I first launched command prompt as administrator.

Thank you,

Ben

CBS.zip

Link to post
Share on other sites

Hiya Ben,

Thanks for that update and log. Open another elevated command prompt:

At the prompt type or copy/paste :- DISM /Online /Cleanup-Image /RestoreHealth then hit the enter key.

This option can take an extended time to run, it also may seem stuck at certain times when affecting a repair. Please be patient and allow the tool time to finish.

If a repair is not possible it will report that outcome..

What results do you get..?

Thanks,
 
Kevin..
Link to post
Share on other sites

Hey Kevin,

 

Just came back home where I had left it running. Report was as follows:

 

C:\Windows\system32> DISM /Online /Cleanup-Image /RestoreHealth

Deployment Image Servicing and Management tool
Version: 10.0.18362.900

Image Version: 10.0.18363.900

[==========================100.0%==========================] The restore operation completed successfully.
The operation completed successfully.

 

Does this mean in theory I should be all good? No more popups for RegAsm & RegSvc and Windows Defender will no longer report backdoor virus?

 

Thanks again!

Ben

Link to post
Share on other sites

Hiya Ben,

I do not believe your system was actually infected, it is a strong possiblity the file in question was corrupt or its signature was misaligned. As the alerts no longer happen it would suggest that DISM command has made a fix.

DISM /Online /Cleanup-Image /RestoreHealth command runs a scan for corruption against system files and will repair any issues that it finds automatically. ... If the scan does find corruption, it attempts to fix the issue using Windows Update by default if required. If DISM cannot make the fix (it can happen) then a system "Refresh" or even "Reset" may be the only routes left.

Regsvcs.exe - https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool

RegAsm.exe - https://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool

Continue to clean up:

Right click on FRST here: C:\Users\benro\Downloads\FRST64.exe and rename uninstall.exe when complete right click on uninstall.exe and select "Run as Administrator"

If you do not see the .exe appended that is because file extensions are hidden, in that case just rename FRST64 to uninstall

That action will remove FRST and all created files and folders...

Next,

Remove all System Restore Points: https://www.tenforums.com/tutorials/33593-delete-system-restore-points-windows-10-a.html#option2

Create clean fresh Restore Point: http://www.thewindowsclub.com/create-system-restore-point

Run Windows Disk Clean Up Utility - https://neosmart.net/wiki/disk-cleanup/

From there you should be good to go...

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin... user posted image

 

Link to post
Share on other sites

Thanks so much Kevin. I ran all of those steps as instructed, and rebooted. On launch I'm still getting pop-up as attached (Startup popup.JPG), and while a virus scan with Windows Security didn't show any threats, the protection history does show an app being blocked and a threat quarantined just a few minutes prior to having started the scan (Capture1.JPG and Capture 2.JPG). Then, just as I was typing this, I received another threat notice (Capture 3). Malwarebytes didn't flag anything when I ran the same folder through it. Windows blocked the threat, so all appears ok. I'm starting to think maybe Windows Security is giving me false positives?

Capture1.JPG

Capture2.JPG

Capture3.JPG

Startup popup.JPG

Link to post
Share on other sites

Hiya Ben,

Thanks for the update and images, this is an odd one fore sure. However, the alert seems to indicate that RegSvcs.exe is an affected item, does that mean that file is being manipulated by something else..??

amsi: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

There is an image showing "Threat found" and "Action needeed" What exactly is the software being flagged, legit or patched...

Next,

Run FRST one more time:

Type the following in the edit box after "Search:".

Regsvcs.exe

Click Search Files button and post the log (Search.txt) it makes to your reply...
 
Thank you,
 
Kevin
Link to post
Share on other sites

Hey again Kevin,

I initially suspected the RevSvcs.exe file may be in fact manipulated by something else, but the fact that only Windows Security flags it (while Virus Total and other such services do not) made me question this.

That is from patched software, which I don't even need or use any longer and could simply delete. However, it appears Windows already took care of the issue, as the file in the question is no longer in the folder mentioned.

Please see attached log as requested.

Thank you,

Ben

 

 

 

Search.txt

Link to post
Share on other sites

Hiya Ben,

I assume Windows Defender is still flagging RegSvcs.exe, if that is true run the following please:

Please download Malwarebytes Anti-Rootkit from here
 
  • Right click on the tool (select "Run as Administrator) to start the extraction to a convenient location. (Desktop is preferable)
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced they will be in the MBAR folder... mbar-log.txt and system-log.txt

Thank you,

Kevin...

Link to post
Share on other sites

Hiya Ben,

 
user posted imageScan with Autoruns

Please download Sysinternals Autoruns from the following link: https://live.sysinternals.com/autoruns.exe save it to your desktop.

Note: If using Windows Vista, Windows 7, Windows 8/8.1 or Windows 10 then you also need to do the following:
 
  • Right-click on Autoruns.exe and select Properties
  • Click on the Compatibility tab
  • Under Privilege Level check the box next to Run this program as an administrator
  • Click on Apply then click OK
     
  • Double-click Autoruns.exe to run it.
  • Once it starts, please press the Esc key on your keyboard.
  • Now that scanning is stopped, click on the Options button at the top of the program and verify that the following are checked, if they are unchecked, check them:

    Hide empty locations
    Hide Windows entries

     
  • Click on the Options button at the top of the program and select Scan Options... then in the Autoruns Scan Options dialog enable/check the following two options:

    Verify code signatures
    Check VirusTotal.com

     
  • Once that's done click the Rescan button at the bottom of the Autoruns Scan Options dialog and this will start the scan again, this time let it finish.
  • When it's finished and says Ready. on the lower left of the program window, please click on the File button at the top of the program and select Save and save the file to your desktop and close Autoruns.
  • Right click on the file on your desktop that you just saved and hover your mouse over Send To and select Compressed (zipped) Folder
  • Attach the ZIP folder you just created to your next reply

Thanks,

Kevin

Link to post
Share on other sites

Hiya Ben,

I have no preference over compressing tools, those you post are ok by me... Have a look at the capture image from autoruns, do any of the entries mean anything to you. All have been flagged as malicious by VirusTotal. All entries are in the "Startup" folder, meaning they run when your PC boots up..

Thanks,

Kevin

Ben.JPG

Link to post
Share on other sites

Hey Kevin,

Kontakt and Steam both mean something, but the rest don't mean anything to me.

- Kontakt is a VST plugin for synth and other such MIDI-input driven instruments. Version is patched but I could delete if needed. Definitely wouldn't need an update on it ever, though (due to patched nature), so "Kontakt_update" is basically useless.

- Steam is the gaming platform. But I'm not sure what "steam_api" is. I had seen some pop-ups in reference to this before, but I dismissed it as false positives after installing Steam. Could also delete if needed but I do game on it here and there.

Thank you!

Ben

Link to post
Share on other sites

Hiya Ben

All of the entries showing in the image are running at boot from the startup folder, each one has numerous hits at VirusTotal meaning they are definitely malicious. I need to look into this in more detail and get back to you.

Something on your system is trying to manipulate RegSvcs.exe, the entries in question are running at boot and do not really need to.. Get back you later..

Thank you,

Kevin

Link to post
Share on other sites

Hello Ben,

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

FRST fix will force a reboot, let me know if any improvement..

Thank you,

Kevin..

fixlist.txt

Link to post
Share on other sites

Hiya Ben,

Thanks for the logs and update. Another thread I was working, very similar to yours with suspect startup folder entries has also comeback good after similar removals....

Before we cleanup can you zipup and attach this folder: C:\FRST\Quarantine

Next,

Run the cleanup procedure as listed in #reply10. Specifically clear all restore point and create a fresh clean restore point....

It has been a pleasure to work with you.....

Regards,

Kevin..

Edited by kevinf80
typing error
Link to post
Share on other sites
Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.