
Trojan reappearing


Go to solution Solved by Maurice Naggar,


(adding this because making my post too long made the system detect it as spam lol)

 

  • There's a Trojan that's been reappearing in my laptop for days now, and it made my laptop act weird
  • Windows Defender and Windows updates don't work
  • I tried using system restore points twice. For some reason my laptop wasn't accepting my password before being able to use a system restore the second time, even though I was able to log in with it when opening my laptop normally. I always did Malwarebytes scan before, but once the virus reappeared the first time, I wasn't able to simply put in my password. I had to run Hitmanpro and restart my computer with that then do the system restore. Though I'm not sure if it's Hitmanpro that did that. Well, at this point I'm not sure with anything at all 😅 Every time I do that, the symptoms of the Trojan disappear, but something that is still in my laptop is making it reappear and affect my laptop again.
  • My laptop still runs after turning off.
  • Almost all of google sites such as Google search, Drive, Gmail, etc. all load until Chrome shows "This site can’t be reached" and then suddenly load immediately right after. I thought this was just my internet or Google servers having a hitch.
  • Farbar recovery scan tool was prevented by my computer from running first time I ran it as it said it was harmful despite getting it from Kaspersky's site... Is that supposed to happen...?

So after all of that,


Hi,     :welcome:
My name is Maurice. I will be helping and guiding you, going forward on this case.
Let me know what first name you prefer to go by.

Please follow my directions as we go along.  Please do not do any changes on your own without first checking with me. 
If you will be away for more than 3 consecutive days,  do try to let me know ahead of time, as much as possible. 
  
Please only just attach   all report files, etc  that I ask for as we go along.
Please know I help here as a volunteer.  and that I am not on 24 x 7.
 

I will be guiding you to several scans.   This is just one starter procedure.

The Microsoft Safety Scanner  is a free Microsoft stand-alone virus scanner that  can be used to scan for & remove malware or potentially unwanted software from a system. 
The download links & the how-to-run-the tool are at this link at Microsoft 
https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

  
Let me know the result of this.
The log is named MSERT.log  
the log will be at  %SYSTEMROOT%\debug\msert.log   which in most cases is
C:\Windows\debug\msert.log
Please attach that log with your reply.
 


Thank you for that report from the MS Safety scanner. Let's now do a special run with Malwarebytes for Windows.

On this next procedure, just before pressing the "Scan" button, I would request that you Close all web browsers.

I would like you to do a new scan with Malwarebytes for Windows.  One of the major goals here is to have it remove all that it detects.  If it finds anything that is.
Start Malwarebytes from the Windows  Start menu.
Click Settings ( gear icon)   at the top right of Malwarebytes window.   We want to see the SETTINGS window.
Then scroll down to the section Potentially Unwanted items.   We need the next 2 lines   ( for P U P  & for P U  M)  to be set to "Always ( Recommended) ".
You can make the change by clicking on the down-arrow selection list-control.   We want all P U P  &  P U M to be marked for removal.

Next, click the small x on the Settings line   to go to the main Malwarebytes Window.
Next click the blue button marked Scan.
When the scan phase is done, be real sure you Review and have all detected lines items check-marked on each line on the left. That too is very critical.
You can actually click the topmost left  check-box  on the very top line to get ALL lines  ticked   ( all selected).

 


 

Then click on Quarantine selected.
Then, locate the Scan run report;  export out a copy;  & then attach in with your  reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4


Here is the scan report.

Although with the mb scan 3 report I sent in my first post, that was when I was able to delete the trojan files again recently with Malwarebytes after restarting my laptop where the files came back. Sadly, I'm sure I'm still in that cycle despite having deleted the files with Malwarebytes — all it takes is time and a restart :(

scan report.txt


Thanks for the scan report.  This most recent scan by Malwarebytes for Windows reports no malware.   By the way, I notice that where you are it is way late at night-time.

We are going to do additional scans, with different tools.

I  would suggest to download, Save, and then run Malwarebytes ADWCLEANER.
Please close Chrome and all other open web browsers after you have saved the Adwcleaner and before you start Adwcleaner scan.
Adwcleaner  detects factory Preinstalled applications too! 

Please download  Malwarebytes AdwCleaner https://downloads.malwarebytes.com/file/adwcleaner


 
Be sure to Save the file first, to your system.  Saving to the Downloads folder should be the default on your system.

Go to the folder where you saved Adwcleaner. Double click Adwcleaner  to start it.
At the prompt for license agreement, review and then click on I agree.

You will then see a main screen for Adwcleaner. ( If you do not see it right away, minimize the other open windows, so you can see Adwcleaner. )
Then click on Dashboard button.
Click the blue button "Scan Now".

Allow it a few minutes to finish the Scan. Let it remove what it finds.
NOTE: When it comes to the section "Pre-installed applications", you can skip that.
Please find and send the Adwcleaner "C" clean report.
In Adwcleaner, click the "Reports" button.  Look at the list of reports for the latest date & type "Clean".
Double Click that line & it will open in Notepad.   Save the file to your system and then Attach that with your reply.

That C clean report will be the one with the most recent Date and time at folder  C:\AdwCleaner\Logs
Thanks.  Keep me advised.
 


Hello, Marco. All right, that report result from Adwcleaner is excellent.

I do notice that this Windows 10 has had Avast antivirus before; although not now installed, there are indications that bits of it are lying about & something has Windows trying to run some part of Avast. Thus, I would encourage that you get & run the cleanup tool to clean up what remains of Avast.

[    1    ]

Please get, save, & then run the Avast uninstall tool

https://support.avast.com/en-us/article/Uninstall-Antivirus-Utility/

 

[    2     ]

I am sending a custom script to do several things to help this system. It will run the Windows System File Checker tool, and the Windows DISM tool ( Windows 10 OS  check tool) , attempt to set the Windows Defender to proper active status, attempt to run a Windows Defender scan in batch mode, attempt a cleanup to get Windows Update in a better ready state, and to rebuild the Windows Winsock.

The system will be rebooted after the script has run.


This custom script is for  Marcoantonjo  only / for this machine only.

 
Close and save any open work files before starting this procedure. 

I am sending a    custom Fix script which is going to be used by the FRST64  tool. They will both work together as a pair.

Please RIGHT-click the (attached file named) FIXLIST and select SAVE  link AS and save it directly ( as is) to the  Downloads  folder

The tool named FRST64 .exe   tool    is already on the Downloads folder
Start the Windows Explorer and then, to the Downloads folder.


RIGHT click on FRST64 and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow it to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool......
click the line More info on that screen
and click the button Run anyway on the next screen.

on the FRST window:
Click the Fix button just once, and wait.


 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   


Please know this will do a Windows Restart.   Just let it do its thing.  

We will do more after this round.

Sincerely.

 

Fixlist.txt


Hello Marco. Thanks for the log report. The Windows System File Checker app ( SFC ) found some system issue & has made adjustments. The Windows system DISM tool did not find an issue. But there appears to be the condition that the Windows Update service ( WUAUSERV ) is not present ( for some unknown reason ).

That can be corrected by doing what follows here.

This next link listed below is to a registry file  that we need for you to SAVE as is to the Desktop

RIGHT click the link with your mouse-pointer and select SAVE ...as....     & guide the folder for saving to DESKTOP     ( do not double click / do not 'run' the file / nor open  )

https://download.bleepingcomputer.com/win-services/win-10/wuauserv.reg

 

Once it is saved, then we are needing to merge the files onto the system, as follows

With your mouse, do a RIGHT-click on the file wuauserv.reg and select Merge

Let it do that & ensure it finishes ok. Let me know when that has been completed. We will do more after.

 


Ok.  I am glad to hear that bit of news.   Next do a Windows Restart  from the Start menu.

Then, once  Windows is settled back on,  then I would like you to do a special run to Microsoft Windows Update.

The aim at the very least, is to get the most recent security updates.   The goal at the ideal end of the spectrum, is to get this Windows 10 upgraded to the very latest Version 2004  spring 2020 update.

go to the Start menu, click the Windows Settings icon. Select Update & Security.  Click on Windows Update

In that section,  click on the "Check for Updates".

If you get a list of available updates at the top, then apply those Microsoft Updates.

The one I would like for you to keep a special eye for is the latest Windows 10 version like this

[Screenshot: W10_2004_wu_mk.jpg]

 

If you see that, I highly suggest you click the spot "Download and install"   and follow all the prompts.   Have much patience.   Keep monitoring the progress.

 


Sorry to read that.   There are different reasons for Windows Update failures.   Let's try the following one time only.

Try resetting Windows updates using an automatic script. See:
https://www.yourwindowsguide.com/2015/12/reset-windows-update.html


Make sure you run the script as an administrator.


OK. I had only wanted for that special batch-script to be run. For the time being, let's not do any manual runs to MS Windows Update.

We need to drop back, slow down a bit, and check for other things.

Question:   Did you get & run the Avast uninstall tool like I suggested yesterday ?

I would also like to have the following  2 reports, please.

[    1   ]

Download   Farbar's Service Scanner utility
http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/


and Save to your Desktop.
Right-Click on fss.exe and select Run As Administrator.
 
Answer Yes to ok when prompted.
If your firewall then puts out a prompt, again, allow it to run.

Once FSS is on-screen, be sure the following items are checkmarked:


Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender
Other services


  
Click on "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Attach the report  file      FSS.txt into your reply. 

 

[      2      ]

Please download MiniToolBox save it to your desktop and run it. 

Reply YES when prompted by Windows to Allow the program to run.
Reply YES when prompted by the tool to proceed.

Checkmark the following check-boxes:
 


Flush DNS
Report IE Proxy Settings
Reset IE Proxy Settings
Report FF Proxy Settings
Reset FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs

Click Go and post the result ( MTB.txt ). A copy of Result.txt will be saved in the same directory the tool is run. 
Note: When using Reset FF Proxy Settings option Firefox should be closed. 
 


Good morning.   Thanks for the reports.

The Microsoft Windows Defender service is missing and thus not running.  That is one of the things we need to remedy now, hopefully thru this next custom script run.

Do some prep work first by closing any other apps you may have open, running ( that you yourself have started ).

I also need for you to delete the prior copy of Fixlist.txt   on the folder Downloads.

The new one here will be used instead.     The system will be rebooted after the script has run.

The main goal of this run is to put back the setting for Windows Defender as a service & to try to run one quick scan of Windows Defender.


This custom script is for  Marcoantonjo  only / for this machine only.

 
Close and save any open work files before starting this procedure. 

I am sending a    custom Fix script which is going to be used by the FRST64  tool. They will both work together as a pair.

Please RIGHT-click the (attached file named) FIXLIST and select SAVE  link AS and save it directly ( as is) to the  Downloads  folder

The tool named FRST64 .exe   tool    is already on the Downloads folder
Start the Windows Explorer and then, to the Downloads folder.


RIGHT click on FRST64 and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow it to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool......
click the line More info on that screen
and click the button Run anyway on the next screen.

on the FRST window:
Click the Fix button just once, and wait.


 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   


Please know this will do a Windows Restart.   Just let it do its thing.  

We will do more after this round.

Sincerely.

Fixlist.txt


OK,  Thank you for that.   There was just one issue, unfortunately, the attempt to get Windows Defender service entry failed.   Let's try a different way.

That can be corrected by doing what follows here.

This next link listed below is to a registry file  that we need for you to SAVE as is to the Desktop

RIGHT click the link with your mouse-pointer and select SAVE ...as....     & guide the folder for saving to DESKTOP     ( do not double click / do not 'run' the file / nor open  )

https://download.bleepingcomputer.com/win-services/win-10/WinDefend.reg

 

Once it is saved, then we are needing to merge the files onto the system, as follows

With your mouse, do a RIGHT-click on the file windefend.reg and select Merge

Let it do that & ensure it finishes ok.

[   2     NEXT  ]

Open an elevated command prompt window i.e. run Command Prompt as an administrator .
It is best to use the Windows Copy ( CTRL+ C )  and paste  ( CTRL+V )  for the whole line, as-is
To get the elevated command prompt, press Windows-key + X key and then select Command prompt ( Admin )
On that command prompt,  Copy & Paste this command
 

WMIC SERVICE WHERE Name="windefend" CALL ChangeStartMode "automatic"

press Enter-key on keyboard   and watch & write down the result

 

Next    Copy   & Paste this command

WMIC SERVICE WHERE Name="windefend" CALL startservice

press Enter-key on keyboard   and watch & write down the result


All these recent hiccups do not make for a good feeling.   I sort of suspect this system's situation may call for more serious actions.

There is one other way to get the REG file merged in. Let's go slow & careful here.

Start REGEDIT. ( You can get the RUN option by pressing & holding the Windows-key on keyboard & then tapping the R key. Then in the box, type in Regedit & then tap the Enter key. )

When prompted by Windows , click YES to allow it to start.
Look on the Regedit menu bar  & then select File
Then select Import. When prompted for filename, navigate to & select

windefend.reg and tap Enter. Allow it to merge. When done Close Regedit.

Advise me when that is completed.

 

[   2     NEXT  ]

Open an elevated command prompt window i.e. run Command Prompt as an administrator .
It is best to use the Windows Copy ( CTRL+ C )  and paste  ( CTRL+V )  for the whole line, as-is
To get the elevated command prompt, press Windows-key + X key and then select Command prompt ( Admin )
On that command prompt,  Copy & Paste this command
 

WMIC SERVICE WHERE Name="windefend" CALL ChangeStartMode "automatic"

press Enter-key on keyboard   and watch & write down the result

 

Next    Copy   & Paste this command

WMIC SERVICE WHERE Name="windefend" CALL startservice

press Enter-key on keyboard   and watch & write down the result
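
A read-only check for the two services this thread found missing (wuauserv and WinDefend), added here as an example; it is not part of the helper's instructions or of the Fixlist scripts. The function name and output layout are illustrative assumptions; it only reads the service registry keys and the Service Control Manager's view and changes nothing.

```powershell
# Added example: report whether the service entries discussed in the thread
# exist in the registry and whether the Service Control Manager (SCM) knows them.
# Run from an elevated PowerShell prompt. Nothing is modified.
function Get-ServiceEntryStatus {
    param(
        # Service names taken from the thread; pass others to check them too.
        [string[]]$Name = @('wuauserv', 'WinDefend')
    )

    # Meaning of the DWORD "Start" value under a service's registry key.
    $startTypes = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

    foreach ($svc in $Name) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"

        # $null when the key is absent (the condition the FRST/FSS logs reported).
        $reg = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

        # What the SCM currently has loaded; $null when it does not know the service.
        $scm = Get-CimInstance -ClassName Win32_Service -Filter "Name='$svc'" -ErrorAction SilentlyContinue

        [pscustomobject]@{
            Service     = $svc
            RegistryKey = [bool]$reg
            RegStart    = if ($reg -and $null -ne $reg.Start) { $startTypes[[int]$reg.Start] } else { $null }
            ImagePath   = if ($reg) { $reg.ImagePath } else { $null }
            KnownToSCM  = [bool]$scm
            StartMode   = if ($scm) { $scm.StartMode } else { $null }
            State       = if ($scm) { $scm.State } else { $null }
        }
    }
}

# Show one block per service, before and after merging the .reg file.
Get-ServiceEntryStatus | Format-List
```

A row with RegistryKey true but KnownToSCM false usually means the key was imported but Windows has not been restarted since, so the WMIC calls above have nothing to act on yet. A RegStart of Disabled, or an ImagePath pointing somewhere unexpected, is worth reporting back rather than changing by hand.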
