
Trojans still popping up! (ran rootkit scan, factory reset, & tronscript)


Solved by kevinf80


Hello, basically I tried to download uTorrent, downloaded the wrong one and instantly realized when an ad popped up on my Google. From there I tried to reset my computer but didn't select deep clean, so it booted into a "fake" Windows that the virus set, which asked for a PIN and password and email, etc., which isn't ordinary for Windows to ask for or make you give. I also got an email from a fake Windows address that I Boolean searched, showing it was untrustworthy; this was the email address email@engage.windows.com. I then ran (unknowing this Windows wasn't real) tronscript and two anti-malware programs, but things were still popping up. After that I factory reset once again and deep cleaned it, booted into a normal-looking Windows and then made sure my computer was clean with Process Explorer. At first everything was good; gave it a restart and a trojan popped up. Uninstalled OneDrive.exe where the trojan was; later that day went to install Valorant and got two more trojans. The ones associated with Valorant being "Trojan/Generic.ASMalwS.31D86DF" detected by Antiy-AVL and then just a listing as Malicious from SecureAge APEX. I instantly uninstalled Valorant and ran tronscript again in hopes that it would find the issue, but it says everything is fine. I've run the rootkit scan from Malwarebytes with no hits either, so I'm extremely worried. I have a USB drive and have seen previous forum posts from years ago saying to install something onto my USB and boot into safe mode, but I think that is outdated by a couple of years so wanted to post. I hope that is enough information; any help would be greatly appreciated!


Hello margiela and welcome to Malwarebytes,

Run the following scan, let's see if anything shows up:

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST, either accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status... If English is not your primary language, right click on FRST/FRST64 and rename it FRSTEnglish/FRST64English.

 
  • Double-click to run it. When the tool opens click Yes to disclaimer. (Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach that log to your reply.


Thank you,

Kevin
 

Hello Kevin, due to my underlying fear I'm unsure, if I email myself anything, whether it will contain the virus, so here are the Pastebin links of FRST and Addition.

 

FRST pastebin.com/mV8fzgrB

Addition pastebin.com/SBwzGTsR

 

Thank you so much for your quick reply; hopefully the information needed popped up.

 

[Edit by AdvancedSetup - here are the logs attached @kevinf80 ]

Addition.txt

FRST.txt

Thanks @margiela

 


Solution

Hello margiela,

I do not see any obvious evidence of Malware or Infection in your log. I can see evidence of remnants of previous security programs, Eset and Kaspersky; we need to remove both or they will still interact with your system and cause problems.

Another point is your Hosts file with complex amendments to stop Windows Telemetry; there is also a block set in your Firewall. I can also see events suggesting Windows updates are not working (also for Windows Defender), not sure if that issue is related to the telemetry blocking settings.

A less complex way of blocking Telemetry can be found in the following link:

https://helpdeskgeek.com/windows-10/how-to-disable-windows-10-telemetry/

I will script a fix to correct all of those settings and remove remnants of previous security apps. We will also reset some Windows settings; when that is completed I want to run an in-depth AV scan of your system to make sure all is well....

Continue as follows:

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.

NOTE. It's important that both files, FRST or FRSTEnglish, and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed.

The following directories are emptied:
 
  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin


Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.


The system will be rebooted after the fix has run.

Next,

Download Sophos Free Virus Removal Tool and save it to your desktop.

If your security alerts to this scan, either accept the alert or turn off your security to allow Sophos to run and complete.....

Please Do Not use your PC whilst the scan is in progress.... This scan is very thorough so may take several hours...
 
  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found please confirm that result....



The Virus Removal Tool scans the following areas of your computer:
  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable
  • Mapped network drives are not scanned.


Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

Saved logs are found here: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs

Let me see those logs in your reply...

Thank you,

Kevin.

 

fixlist.txt

Edited by kevinf80: amended fixlist
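Kevin's post above diagnoses a hosts file full of telemetry sinkholes plus a firewall block, and suspects they are why Windows Update and Defender updates fail. The script below is an added example (not part of the thread, and not FRST's or the fixlist's code) that shows how to audit a machine for exactly that: it reads the hosts file, reports any entry that points a Microsoft update or Defender hostname at a sinkhole address, and lists outbound firewall block rules aimed at the update and Defender processes. The hostname list and the process-name pattern are my illustrative choices, not values from the user's FRST log; the script is read-only and changes nothing.

```powershell
# Added example (not from the thread or from FRST): read-only audit of the
# hosts file and outbound firewall rules for blocks that would stop
# Windows Update and Windows Defender reaching Microsoft.

$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# Names Windows Update / Defender need. Illustrative list (my choice), not
# exhaustive and not taken from any log in this thread.
$UpdateHosts = @(
    'windowsupdate.microsoft.com',
    'update.microsoft.com',
    'windowsupdate.com',
    'wdcp.microsoft.com',
    'wd.microsoft.com',
    'go.microsoft.com'
)

# Addresses people use to "sinkhole" a hostname in the hosts file.
$Sinkholes = @('0.0.0.0', '127.0.0.1', '::1')

function Test-UpdateHost([string]$Name) {
    # True if $Name is one of the update hosts or a subdomain of one.
    foreach ($h in $UpdateHosts) {
        if ($Name -eq $h -or $Name.EndsWith(".$h")) { return $true }
    }
    return $false
}

# Parse the hosts file: strip comments, skip blanks, emit one object per
# hostname on each line (a line may map several names to one address).
$Entries = Get-Content -LiteralPath $HostsPath -ErrorAction Stop |
    ForEach-Object { ($_ -split '#', 2)[0].Trim() } |
    Where-Object { $_ } |
    ForEach-Object {
        $parts = $_ -split '\s+'
        if ($parts.Count -lt 2) { return }      # malformed line, skip it
        foreach ($name in $parts[1..($parts.Count - 1)]) {
            [pscustomobject]@{ Address = $parts[0]; Name = $name.ToLower() }
        }
    }
$Entries = @($Entries)

"Hosts file: $($Entries.Count) active entries (a stock Windows 10 hosts file has none; every line is a comment)."

$Broken = $Entries | Where-Object { $_.Address -in $Sinkholes -and (Test-UpdateHost $_.Name) }
if ($Broken) {
    "These entries sinkhole update/Defender endpoints and should be removed:"
    $Broken | Format-Table -AutoSize
} else {
    "No update/Defender endpoints are sinkholed in the hosts file."
}

# Outbound BLOCK rules whose program is one of the update/Defender binaries.
# Blocking svchost.exe outbound breaks far more than telemetry.
$Programs = 'svchost\.exe|wuauclt\.exe|usoclient\.exe|MsMpEng\.exe|MpCmdRun\.exe'
Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
    ForEach-Object {
        $prog = ($_ | Get-NetFirewallApplicationFilter).Program
        if ($prog -match $Programs) {
            "Outbound BLOCK rule '$($_.DisplayName)' targets $prog"
        }
    }
```

Run it from an ordinary PowerShell session; reading the hosts file and enumerating firewall rules does not need elevation. Anything it lists is a candidate for the kind of cleanup the fixlist performs, and re-running it after the fix is a quick way to confirm the blocks are gone before trying Windows Update again.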

Hello @kevinf80, here are the Fixlog.txt and the logs from the C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs file location.

 

While running Sophos no issues were detected!

 

Let me know if you see anything or if there may be any issues with my computer, thank you so much again for your quick responses and help!

 

Sincerely,

 

 

Margiela

 

 

SophosVirusRemovalTool.log SophosVirusRemovalTool_cloud4.log Fixlog.txt


No problem, @kevinf80, everything is running fine currently; installed Valorant again and the same two things popped up in RiotClientCrashHandler.exe.

These being Trojan/Generic.ASMalwS.31D86DF detected by Antiy-AVL and then just a listing as Malicious from SecureAge APEX. Confused on why they show up in a game downloaded by millions, I don't think it's normal but can't find any information on it.

Besides that it's looking good, just want to know if I should look past those two things, and what virus protection I should have for any future occurrences, (free) would be best, but priced options can be fine too. 

Again thank you so much for your hard work and help it is greatly appreciated!


Hiya margiela,

2 out of 69 scanners at VirusTotal is not really evidence. I've also uploaded to Jotti, that site gives all clear. I've also run custom scans with Malwarebytes and Zemana, both give a clean bill of health.

The security programs that flag that file on your system are not known to me, never even heard of them. I'd say they have to go down as false positives (FPs).

Continue to finish up:

Uninstall the following:

Sophos AV

http://www.askvg.com/how-to-completely-uninstall-remove-a-software-program-in-windows-without-using-3rd-party-software/

Also delete this folder if still present: C:\ProgramData\Sophos

Next,

Right click on FRST here: C:\Users\Caden\Downloads\FRST.exe and rename it uninstall.exe. When complete, right click on uninstall.exe and select "Run as Administrator".

If you do not see the .exe appended that is because file extensions are hidden, in that case just rename FRST to uninstall

That action will remove FRST and all created files and folders...

Next,

Remove all System Restore Points: https://www.tenforums.com/tutorials/33593-delete-system-restore-points-windows-10-a.html#option2

Create clean fresh Restore Point: http://www.thewindowsclub.com/create-system-restore-point

Run Windows Disk Clean Up Utility - https://neosmart.net/wiki/disk-cleanup/

Consider the following:

Disable Remote Desktop: https://www.tenforums.com/tutorials/92433-enable-disable-remote-desktop-connections-windows-10-pc.html

Disable Windows Telemetry: https://helpdeskgeek.com/windows-10/how-to-disable-windows-10-telemetry/

Malwarebytes Browser Guard (Free) for Firefox: https://addons.mozilla.org/en-GB/firefox/addon/malwarebytes/

Malwarebytes Browser Guard (Free) for Chrome: https://chrome.google.com/webstore/detail/malwarebytes-browser-guar/ihcjicgdanjaechkgeegckofjjedodee Will also work for Opera and Edge..

PatchMyPC, keep all your software up to date - https://patchmypc.com/home-updater#download

From there you should be good to go...

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin...

 

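Kevin's call of a false positive rests on the detection ratio (2 of 69), a second multi-engine site, and two further scanners. The script below is an added example, not from the thread or from any of those tools, showing the complementary checks a defender would run on the flagged file itself before accepting that verdict: its Authenticode signature status, who signed it, whether the signer matches the company the file's version resource claims, and the SHA-256 hash (which can be searched on VirusTotal without uploading anything). The file path is a placeholder; the install location of RiotClientCrashHandler.exe is not given in the thread, and the company-name comparison is a heuristic I chose, not a standard rule.

```powershell
# Added example (not from the thread): checks to run on a low-ratio detection
# before writing it off as a false positive. Path below is a PLACEHOLDER.

function Get-FileTrust {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $ver  = (Get-Item -LiteralPath $Path).VersionInfo

    $signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    $company = $ver.CompanyName

    # Heuristic (my choice): a Valid signature whose signer names the same
    # company the version resource claims is strong evidence for an FP.
    # HashMismatch is the opposite signal: the bytes changed after signing,
    # so the file is no longer what the vendor shipped, whatever VirusTotal says.
    $legit = ($sig.Status -eq 'Valid') -and
             (-not [string]::IsNullOrWhiteSpace($company)) -and
             ($signer -like "*$company*")

    [pscustomobject]@{
        Path            = $Path
        SHA256          = $hash          # search this on VirusTotal; no upload needed
        SignatureStatus = $sig.Status    # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer          = $signer
        CompanyName     = $company
        FileVersion     = $ver.FileVersion
        LooksLegitimate = $legit
    }
}

# PLACEHOLDER path: replace with the flagged file on your own machine.
Get-FileTrust -Path 'C:\PLACEHOLDER\RiotClientCrashHandler.exe' | Format-List
```

A `Valid` status with a signer matching the vendor, combined with a low detection ratio from engines nobody recognises, is the profile of a false positive. `NotSigned` on a file that claims to be from a large game publisher, or `HashMismatch` on any file, is the point at which a 2/69 ratio stops being reassuring and the file deserves a second look rather than a shrug.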

Hey Kevin thank you for all these things to do to keep me protected.

While going through the list there were some issues. Remote Desktop isn't supported by my "Home" edition, so I'm not sure if I have to worry about disabling it; then when I try to disable telemetry it says it can't find gpedit.msc. I'm not sure if this is crucial, but I made sure it was typed correctly and entered into Run.

I did the rest of the steps perfectly though and I thank you again for your hard work.

Again not sure if those two things are big but just giving a heads up that they didn't allow me to change / didn't work.

 

Sincerely,

 

Margiela


Hiya Margiela,

Apologies, did not realize your version of W10 is Home Edition. There are ways to add gpedit to home edition, have a look at the following link:

https://www.itechtics.com/enable-gpedit-windows-10-home/

Remote Desktop is not supported in Windows 10 Home edition, no need to worry about that one....

Regards,

Kevin..

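Kevin's answer points at a guide for adding gpedit.msc to Windows 10 Home. The "Allow Telemetry" Group Policy that gpedit would set is stored as a registry value, so the same setting can be applied on Home without the policy editor at all. The script below is an added example (not from the thread or the linked guide) that reads and sets that value and handles the edition caveat: level 0 (Security) is honoured only on Enterprise, Education and Server SKUs, and Home and Pro treat it as level 1, so the script picks 1 on those editions. It assumes an elevated PowerShell session.

```powershell
# Added example (not from the thread): set the diagnostic-data ("telemetry")
# level through the policy registry value, which is what the gpedit.msc
# "Allow Telemetry" setting writes. Run from an elevated PowerShell session.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'

function Get-TelemetryLevel {
    # Returns the policy value, or $null when no policy is set and Windows
    # falls back to the Settings > Privacy > Diagnostics choice.
    $v = Get-ItemProperty -Path $PolicyKey -Name AllowTelemetry -ErrorAction SilentlyContinue
    if ($null -eq $v) { return $null }
    return [int]$v.AllowTelemetry
}

function Set-TelemetryLevel([ValidateRange(0, 3)][int]$Level) {
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name AllowTelemetry -PropertyType DWord -Value $Level -Force | Out-Null
}

# 0 = Security   (only honoured on Enterprise / Education / Server)
# 1 = Basic/Required, the lowest level Home and Pro actually apply
# 2 = Enhanced, 3 = Full
$edition = (Get-CimInstance Win32_OperatingSystem).Caption
$target  = if ($edition -match 'Enterprise|Education|Server') { 0 } else { 1 }

"Edition: $edition"
"Before:  $(Get-TelemetryLevel)"
Set-TelemetryLevel -Level $target
"After:   $(Get-TelemetryLevel)"
```

This is the whole of what the gpedit.msc route achieves for telemetry on Home, without installing anything extra. It is also far less fragile than hosts-file sinkholes: it does not touch name resolution, so Windows Update and Defender keep working, which was the problem the fix earlier in this thread had to undo.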

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you


This topic is now closed to further replies.