Virus/Malware keeps reinstalling despite multiple virus/malware checks


CEJV

Hi There, 

I would greatly appreciate assistance and/or advice to rid my pc of persistent malware infections. 

Specifications

Windows 10 OS

128 GB SSD

1 TB HD

16GB RAM

AMD Ryzen 3 2200U

64-bit OS, x64-based processor

Background

In late Dec 2020, my motherboard was replaced under warranty. All files were backed up to OneDrive. I completed a fresh install of the Windows 10 OS.

During late Dec 2020 & Jan 2021, I noticed high CPU usage (at times 100%), with noticeable noise from the drives/fans.

I moved my OneDrive files from my C drive (128GB SSD) to D drive (1TB HD), hoping this would decrease the stress on the pc. CPU usage was still very high, especially when I opened Google Chrome. At this time, I had AVG free installed on the pc and ran numerous scans, which revealed nothing.

At the beginning of Feb 21, I noticed redirection of Google Chrome pages, which were not consistent between the same search parameters.

During the move between allocated OneDrive drives (which took 4 days), I had my computing folder open. It was after this move that I noticed a couple of suspicious files (e.g. ErrorTek.exe).

I downloaded Malwarebytes free and ran a scan. This revealed a number (43) of PUPs and RogueForcedExtension, specifically in the Google Chrome folder

(e.g. C:\Users\cate1\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkekefcpfdkdjgmnbcagcdgjddfebpnn\000003.log, No Action By User, 8121, 447164, , , , , 9239B544D893393C5852CC771E24F7F2, 701A22A8DFAFFE076C31D193A2393E6D7E6A7BF0D604766DA74C7E2AA2493BD8)

The last 2 weeks (approx. 10-02-21)

I purchased the following software.

  • MalwareBytes Premium
  • Bitdefender Total Security
  • Malwarebytes Premium
  • Malwarebytes Rootkit removal tool
  • Malwarebytes adwcleaner_8.1
  • BitDefender Total Security
  • Norton Power Eraser
  • Sophos Virus Removal Tool
  • MS Defender
  • MS Safety Scanner
  • MS Malicious Software Removal Tool
  • ESET Online Scanner
  • HitmanPro (free)

I ran Malwarebytes 3 or 4 times until I had a clear report. Bitdefender did not reveal anything suspicious. This was performed on the C drive, the D drive and the external backup drive.

From the initial Malwarebytes scan, I kept monitoring the \AppData\Local\Google\Chrome\User Data folder, and noticed that after every Malwarebytes scan/deletion, new folders would auto-populate/reinstall in the Google Chrome folder. By this time, I was very distressed and ran and reran all of the following malware scanning/removal tools.

Depending upon when I ran these applications, I’ve had both clear and infected scans.

The malware in the Google Chrome application became simply ridiculous. I have uninstalled Google Chrome and now use MS Edge instead.

As of the 13-02-21, Norton Power Eraser will no longer run on my pc. Error message is 0x80004005,n40,26.

I thought, as of 20-02-21, that I was clear of all malware. I am on a shared Netflix account, and the account holder has notified me that in the last 2 weeks, they have received numerous emails regarding suspicious activity on the account.

On 25-02-21 I ran MS Safety Scanner, and it showed the following malware (which was removed):

  • HackTool:Win32/Keygen
  • VirTool:Windows32/DefenderTamperingRestore

I have also run my Hotmail address on the site "Have I Been Pwned" and received confirmation that I have been compromised.

I am at the point of wiping both the C & D drive and completing a fresh install of the OS. (Alternatively, taking the pc to a professional and having it repaired.)

I am now also very paranoid that the purchased and free anti-malware tools may, in fact, be malicious software. Remember, I was experiencing redirects in Google Chrome to unsafe websites.

I have run all of the .exe files through VirusTotal. However, I am still concerned that my Malwarebytes Premium is an unsafe application (the purchase of the product in Australia came from a store in Amsterdam???).

I am prepared to share reports/screen dumps of scan results, if someone can verify that they are an actual employed representative of Malwarebytes.

Currently, CPU usage is high on boot and when using browsers.

Many thanks for your help.

Hi There! Root Admin Staffperson,

Many thanks for responding.

I have checked the registry and cannot find the following (probably because I have already uninstalled Google Chrome and deleted all self-generating folders):

  1. HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome
  2. HKEY_CURRENT_USER\SOFTWARE\Policies\Google\Chrome

Nor is there any %localappdata%\Google\Chrome\User Data\Default\ info.

However, there is a duplicated Google Chrome folder sitting in my D Drive.

A scan on 25-02-21 found the following

  • HackTool:Win32/Keygen
  • VirTool:Windows32/DefenderTamperingRestore

I am now using MS Edge, and still experiencing episodes of high CPU usage, while Task Manager reveals multiple processes.

Your help is greatly appreciated.
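A scripted version of the checks described in the reply above, added here as an example and not code from the thread or from Malwarebytes: it inspects the two Chrome policy keys and the default profile's Local Extension Settings folder on the C drive. The profile path under %LOCALAPPDATA% and the ExtensionInstallForcelist policy name assume a standard Chrome install; the duplicated Chrome folder on the D drive would need $profileDir pointed at it.

```powershell
# Added example: read-only checks for the Chrome persistence locations named in this thread.
# Assumes a standard Chrome install; adjust $profileDir for other profiles or drives.
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome',
    'HKCU:\SOFTWARE\Policies\Google\Chrome'
)

foreach ($key in $policyKeys) {
    if (-not (Test-Path $key)) {
        Write-Output "[ok] policy key absent: $key"
        continue
    }
    # A policy key on a home PC was created by an administrator, an enterprise tool, or malware.
    Write-Output "[!] policy key present: $key"
    Get-ItemProperty -Path $key | Select-Object -Property * -ExcludeProperty PS* | Format-List

    # Force-installed extensions cannot be removed from chrome://extensions while this
    # list exists; each value is "<extension id>;<update url>". (Assumed policy name.)
    $forceList = Join-Path $key 'ExtensionInstallForcelist'
    if (Test-Path $forceList) {
        Write-Output "[!] ExtensionInstallForcelist entries:"
        Get-ItemProperty -Path $forceList | Select-Object -Property * -ExcludeProperty PS* | Format-List
    }
}

$profileDir  = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default'
$extSettings = Join-Path $profileDir 'Local Extension Settings'

if (Test-Path $extSettings) {
    # Each sub-folder is a 32-character extension id (letters a..p). Compare the list with the
    # extensions you knowingly installed; the newest unknown ids are the ones to look at first.
    Get-ChildItem -Path $extSettings -Directory | ForEach-Object {
        $bytes = (Get-ChildItem -Path $_.FullName -Recurse -File | Measure-Object -Property Length -Sum).Sum
        if (-not $bytes) { $bytes = 0 }
        [pscustomobject]@{
            ExtensionId = $_.Name
            LastWrite   = $_.LastWriteTime
            SizeKB      = [math]::Round($bytes / 1KB, 1)
        }
    } | Sort-Object -Property LastWrite -Descending | Format-Table -AutoSize
} else {
    Write-Output "[ok] no Local Extension Settings folder under $profileDir"
}
```

Run it from an elevated PowerShell prompt so the HKLM key is readable; the script only reads and does not delete anything.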

  • Root Admin

How long is the CPU usage high? For seconds, or minutes?

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

Thank you

Hi, 

CPU usage is fluctuating. Over a space of 60 seconds, the CPU usage will be between 70 and 100% for approximately 30 seconds, accompanied by the sound of the fan running very fast. It is worse when using browsers.

I have run both the scans required. They are attached below. 

Many thanks for your help.

FRST.txt Addition.txt

  • Root Admin

Please enable System Protection and create a new Restore Point.

ATTENTION: System Restore is disabled (Total:118.13 GB) (Free:64.24 GB) (54%)

Okay, let's try reducing your system resources and see if that helps.

Temporarily, let's have you uninstall the following. Please go to Control Panel, Programs, Programs and Features:

Bitdefender Total Security
Malwarebytes
Sophos Virus Removal Tool

Once those are uninstalled and the computer has been restarted please get me a new set of FRST logs and I'll provide you a clean up script to run for some general issues.

Windows 10 has a pretty good built-in antivirus, so the system will still have protection while we investigate.

  • Root Admin

Hello @CEJV - thank you for the logs.

Your Acer Care Center software is crashing. If you need this software then you may need to update it or reinstall it.

Application errors:
==================
Error: (03/08/2021 07:54:37 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: ACCStd.exe, version: 3.1.8003.0, time stamp: 0x5b166a4a
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x00007ff7e58ae648
Faulting process id: 0x7d4
Faulting application start time: 0x01d71400bf116918
Faulting application path: C:\Program Files (x86)\Acer\Care Center\ACCStd.exe
Faulting module path: unknown
Report Id: 8c85111c-6d07-4729-9312-8409c1580e34
Faulting package full name:
Faulting package-relative application ID:

Error: (03/08/2021 07:54:37 PM) (Source: .NET Runtime) (EventID: 1026) (User: )
Description: Application: ACCStd.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.NullReferenceException
   at Acer.CareCenter.ACCStd.MainWindow.Window_Closing(System.Object, System.ComponentModel.CancelEventArgs)
   at System.Windows.Window.OnClosing(System.ComponentModel.CancelEventArgs)
   at System.Windows.Window.InternalClose(Boolean, Boolean)
   at System.Windows.Application.DoShutdown()
   at System.Windows.Application.ShutdownImpl()
   at System.Windows.Application.ShutdownCallback(System.Object)
   at System.Windows.Threading.ExceptionWrapper.InternalRealCall(System.Delegate, System.Object, Int32)
   at System.Windows.Threading.ExceptionWrapper.TryCatchWhen(System.Object, System.Delegate, System.Object, Int32, System.Delegate)
   at System.Windows.Threading.DispatcherOperation.InvokeImpl()
   at System.Threading.ExecutionContext.RunInternal(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
   at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object, Boolean)
   at System.Threading.ExecutionContext.Run(System.Threading.ExecutionContext, System.Threading.ContextCallback, System.Object)
   at MS.Internal.CulturePreservingExecutionContext.Run(MS.Internal.CulturePreservingExecutionContext, System.Threading.ContextCallback, System.Object)
   at System.Windows.Threading.DispatcherOperation.Invoke()
   at System.Windows.Threading.Dispatcher.ProcessQueue()
   at System.Windows.Threading.Dispatcher.WndProcHook(IntPtr, Int32, IntPtr, IntPtr, Boolean ByRef)
   at MS.Win32.HwndWrapper.WndProc(IntPtr, Int32, IntPtr, IntPtr, Boolean ByRef)
   at MS.Win32.HwndSubclass.DispatcherCallbackOperation(System.Object)
   at System.Windows.Threading.ExceptionWrapper.InternalRealCall(System.Delegate, System.Object, Int32)
   at System.Windows.Threading.ExceptionWrapper.TryCatchWhen(System.Object, System.Delegate, System.Object, Int32, System.Delegate)
   at System.Windows.Threading.Dispatcher.LegacyInvokeImpl(System.Windows.Threading.DispatcherPriority, System.TimeSpan, System.Delegate, System.Object, Int32)
   at MS.Win32.HwndSubclass.SubclassWndProc(IntPtr, Int32, IntPtr, IntPtr)
   at MS.Win32.UnsafeNativeMethods.DispatchMessage(System.Windows.Interop.MSG ByRef)
   at System.Windows.Threading.Dispatcher.PushFrameImpl(System.Windows.Threading.DispatcherFrame)
   at System.Windows.Application.RunDispatcher(System.Object)
   at System.Windows.Application.RunInternal(System.Windows.Window)
   at ACCStd.App.Main()

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real time antivirus or security software before running this script. Once completed make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

  • 2 weeks later...

Hi, 

I undertook the fix you recommended; however, even with Task Manager being the only application running, I still have CPU usage between 80 and 99%.

I received an email from Facebook confirming someone logging into my account from NY, USA, when I live in Brisbane, Australia, which supports my initial assessment that someone had hacked my computer.

I have decided that I am going to back up, wipe and reinstall everything, then change all passwords, as I cannot afford someone to be continually hacking into my system. 

Many thanks for all your help. 

Catherine

  • Root Admin

Understood, and good choice @CEJV

Here are my recommendations

Use an external USB drive to back up all your personal data.
Visit the support page from the manufacturer of your computer and download the latest drivers for your system and store them in a new folder on the external USB drive.

Review the following pages for information and suggestions on backing up your data or imaging the current drive as well.

Backup Software
https://forums.malwarebytes.org/index.php?/topic/136226-backup-software

Macrium Reflect discussion

I would also delete the partition and allow Windows 10 to create a new partition to install to.

Below are links to ways to install Windows 10 again. Most are very similar but some do have differences in case you wish to review them.

One NOTE I would make is that for Windows 10 Home installation you need to disable the network in order to make a LOCAL account.
The choice is yours but personally, I do not like being forced to use a CLOUD account for my computer regardless of the claimed values it provides.
See below if that may be an issue for you as well.

Greg Carmack (MVP 2010-2020) - Clean Install Windows 10
https://answers.microsoft.com/en-us/windows/forum/windows_10-windows_install/clean-install-windows-10/1c426bdf-79b1-4d42-be93-17378d93e587

How to Create a Local Account While Setting Up Windows 10
https://www.howtogeek.com/442792/how-to-create-a-local-account-while-setting-up-windows-10/

How to set up Windows 10 with a local account
https://www.windowscentral.com/how-set-windows-10-local-account

How to Clean Install Windows 10
https://www.tenforums.com/tutorials/1950-clean-install-windows-10-a.html

How to do a Clean Install of Windows 10 the Easy Way
https://www.howtogeek.com/224342/how-to-clean-install-windows-10/

How to do a clean installation of Windows 10
https://www.windowscentral.com/how-do-clean-installation-windows-10

How to install Windows 10 from DVD, USB, or ISO file
https://www.digitalcitizen.life/how-install-windows-10/

How to Custom Install Windows 10
https://www.tenforums.com/tutorials/120352-custom-install-windows-10-a.html

Once the computer is set up and running, please bookmark and review the following recommendations on keeping your computer safe and protecting your privacy.

If there is anything else I can assist you with, please let me know.

Good luck and take care. Hope you have a great weekend as well

Cheers

  • 3 weeks later...
  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you

This topic is now closed to further replies.