
For BERKAN help on trojan removal


Go to solution Solved by Maurice Naggar,


Hello @Berkan

This topic-thread is for Berkan only.

You said that your computer has a trojan malware.  I suggest this as the first step.   There will be more to do later.  This is not a one shot fix.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on Scan Options & select FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

 

Let me know the result of this.    This is likely to run for many hours   ( depending on number of files on your machine & the speed of hardware.)

The log is named MSERT.log  

the log will be at  

C:\Windows\debug\msert.log

Please attach that log with your reply.

  • To save attachments   ( to upload )   please click the link labeled "Add Files". Then browse to where your file is located and select it and click the Open button.


Please be sure to review your reply and attachment before you press the reply button.


Hello Mr. Maurice. Thank you so much for your concerns. The virus made my pc almost impossible to use by using %90 ish of the cpu after restarting due to a scan. So I had to format the device. I couldn't reply during that, sorry. For now it seems to run smoothly with only some corruptions on some services. If I ever encounter these kinds of stuff again I will open a post next time, thank you.
 

But I should ask, is there a preferred antivirus to avoid these stuff cause I scanned the .exe file I downloaded before opening with malwarebytes and it found nothing. After opening it my pc was infected. And after that I downloaded and scanned with eset but eset only seems to encounter the virus under the states of “corrupted file”, “file can’t be opened” or “file/pathway not found” and therefore didn’t detect these as viruses but rather as corruptions.

 

And my old windows isn't fully deleted as it's packaged in a folder called “windows.old”. Should I be concerned about anything right now? Is there anything I should do to be sure that my system has been cleaned completely?


Thank you for the status and information.  I am unsure just how you went about "to format" this system.  While the old file "Windows.old" is not a threat by itself  ( it is not a threat) it being there seems to indicate you did a Windows upgrade-in-place.

Windows 10 comes with the free built-in Microsoft Defender antivirus.  That is normally good in most cases.  Though it can be compromised & tampered with by some trojan malwares.

As far as what is best all around as an antivirus, I would say the ESET.

Let's get a report set for review.

 I would like to get a report set from this machine.  This will be just a report collection.  It does not make any changes.

Please follow the tips carefully.

Please download MBST Support Tool

 

Once you start it click Advanced >>  then  Gather Logs

 

Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop.

 

  • Please attach  mbst-grab-results.zip    to your reply , like displayed here.
  • To send  ( upload)   attachments please click the link marked "ADD Files". Then browse to where your file is located and select it and click the Open button.

 


 

Only after you are all set plus have uploaded the ZIP file, then press the button "Submit Reply" in blue color.   Please have patience throughout this case.  Understand also I am a volunteer here.

Cheers.


Hello again Mr. Maurice. I didn't know the translation of the word "format" from my language to english so I assumed it would be the same. Basically the computers C: drive has been wiped completely. I am not sure what you mean by a "windows upgrade-in-place" but it might be true. 

I added the .zip file you asked as an attachment.

There have been small corruptions on my pc that I encountered like some system services thinking their files are supposed to be in C:\WINNT\system32 instead of C:\Windows\system32 and therefore they wouldn't work unless I made a system32 folder in a WINNT folder and carried them there. Also some stuff like the xbox gaming bar are missing for some reason.

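An added example, not part of the original thread and not code from the helper or from Malwarebytes: a read-only PowerShell audit of the symptom described in the post above, listing services whose registered ImagePath resolves under a WINNT folder or to a file that does not exist. The function name `Resolve-ServiceImagePath` is hypothetical; the registry location and cmdlets are standard Windows ones.

```powershell
# Added example: read-only audit of service ImagePath values. It changes nothing.
function Resolve-ServiceImagePath {
    param([string]$ImagePath)
    # Expand %SystemRoot% and similar variables
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim())
    # Kernel-style prefixes that driver entries commonly use
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    # Quoted path followed by arguments
    if ($p -match '^"([^"]+)"') { return $Matches[1] }
    # Unquoted path: cut at the first .exe/.sys/.dll followed by a space or end
    if ($p -match '^(?<exe>.+?\.(exe|sys|dll))(\s|$)') { $p = $Matches['exe'] }
    # Relative driver paths (system32\drivers\x.sys) are relative to %SystemRoot%
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

$root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$report = foreach ($key in Get-ChildItem $root -ErrorAction SilentlyContinue) {
    $raw = (Get-ItemProperty -Path $key.PSPath -Name ImagePath `
            -ErrorAction SilentlyContinue).ImagePath
    if (-not $raw) { continue }            # key has no binary registered

    $exe     = Resolve-ServiceImagePath $raw
    $missing = -not (Test-Path -LiteralPath $exe -ErrorAction SilentlyContinue)
    $winnt   = $exe -match '^[A-Za-z]:\\WINNT\\'

    if ($missing -or $winnt) {
        [pscustomobject]@{
            Service    = $key.PSChildName
            ImagePath  = $raw
            Resolved   = $exe
            Missing    = $missing
            UnderWINNT = $winnt
        }
    }
}
$report | Sort-Object Service | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell prompt. A flagged entry is something to show the helper, not something to move or delete: leftover entries with missing files can be harmless.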

A serious note of caution.  Do NOT go about copying or moving "files" from or to or between "Winnt" & "Windows".

That is not the way to have an operating system like Windows.   Do not copy things on your own while this case is active here.

Thanks.  I will make another reply later, as I can manage.  Do keep in mind I am a volunteer doing this on personal time.

I will review the report you last sent.


As I mentioned above, do not attempt to move Windows system files.  This computer runs Windows 10.  The operating system main folder is C:\Windows.   Do not make changes on your own.

I do see that the computer has ESET Security.  I suggest you do one new scan with ESET.  After it has finished, let me know the result.


Hello. I was only just curious about the bottom line status shown by ESET.  I cannot do anything with the XML file.  Plus there is an issue of the language.

Let's do one new Windows Update "Check for Updates" run.   See Microsoft tip article https://bit.ly/3zW2EN1    In Turkish  https://bit.ly/3BN9G7k

The basic idea is to ensure that the Windows operating system is all up-to-date with security updates.


Hello. Not sure what you meant by bottom line. But it says 981588 files scanned and 0 detections. However there are yellow errors on 51 different files, mostly stating that they were "unable to open [4]" and a couple of "archive damaged"s. Windows update found 2 updates. I then visited the page you posted. It updated windows to 21H1. It took quite some time and a few times. Now what should I do?


To your last line, it is super to read that this Windows has been upgraded to build 21H1   😁  👍   😎

I cannot be sure which scanner you refer to here ?

....BUT it is normal for a security scanner to "not be able to open a file".   That can and does happen.  It does not equate to an "infection".


I was referring to the eset scan. 

And I think the update fixed the WINNT folder issue. The msiexec.exe service now requires the .exe to be in C:\WINDOWS\system32\msiexec.exe instead of C:\WINNT\system32\msiexec.exe

But I'm still unsure about any remaining corruptions. Should I do something to check if anything's wrong?


C:\Windows is indeed the normal (default) system directory for the Windows 10 Operating system.

[ WINNT is not typically seen on modern-day Windows 10 for consumers  ( meaning home users and single users).  Some corporations though might possibly engineer something specific].  What I suspect you recall about Winnt is from an old, old Windows version from long ago, like maybe Windows 2000.

Anyhow, put that to rest.  Your Windows now is in the right place.

If you wish, you can do a different other scan to scan your machine.

I would suggest a free scan with the ESET Online Scanner.  This will be another check for viruses, other malware, adwares, & potentially unwanted applications.

NOTE:  This scan can take several hours   ( depending on how many files are on the system & also on the speed of the hardware ).

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

 

It will start a download of "esetonlinescanner.exe"

  • Save the file to your system, such as the Downloads folder, or else to the Desktop.

 

  • Go to the saved file, and double click it to get it started.

 

  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes
  • When prompted for scan type, Click on Full scan

Look at & tick ( select ) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on Start scan button.

  • Have patience. The entire process may take an hour or more. There is an initial update download.

There is a progress window display. You may step away from the machine & let it be.

You should ignore all prompts to get the ESET antivirus software program. ( e.g. their standard program). You do not need to buy or get or install anything else.

  • When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked “View detected results”.
  • Click the blue "Save scan log" to save the log.

If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files” ( in blue, at bottom).

Press Continue when all done. You should click to off the offer for “periodic scanning”.

Please make sure you attach the log report.


Thank you for the log.  There were NO malware / NO virus found.  These are the 2 most important lines of the report.

Quote

# scanned=443862
# found=0

That confirms that there is no malware  and even no potential unwanted types.  ( no PUP / no PUA ).


Please download, install, update and do a Threat Scan with Malwarebytes for Windows and post back the log

https://support.malwarebytes.com/hc/en-us/articles/360038479134-Download-and-install-Malwarebytes-for-Windows

 


Congratulations.  The Malwarebytes for Windows report is perfect.  No malicious malware here on this machine.  This program checks for malware.

Let's be cautious here. We can run the Windows System File Checker tool & the Windows 10 DISM tool to do checks on this Windows 10.

We will use FRSTENGLISH.exe  on Downloads folder to run a custom script.    The system will be rebooted after the script has run.

This custom script is for  BERKAN  only / for this machine only.

 

This custom script has some specific things, plus some general aspect to help the system overall.

NOTE-1:  This script will  run a scan using System File Checker to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files.  It will rebuild the Winsock.  It will run the Windows DISM tool to check the system. 

 

  • Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.

 

  • If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached,  please disconnect any of those.
  • Please save the (attached file named) FIXLIST.txt   to the   user Downloads  folder   

Fixlist.txt


Start the Windows Explorer and then, to the Downloads   folder.


RIGHT click on  FRSTENGLISH.exe    and select RUN as Administrator to run the tool, and allow it to proceed.  Reply YES when prompted to allow it to run.
If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

  • IF you get a block message from Windows about this tool......

                   click the line "More info" on that screen
                   and click button Run anyway on next screen.

  • on the FRST window:

Click the Fix button just once, and wait.


 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. 
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity 

 


Ok this question feels dumb but better be safe anyways. I have a USB hub, attached to that is a wireless mouse that is attached by a usb-entry device, a USB headphone, and a USB fan. Do I remove those as well? Or do you just mean like a flash drive?


  • Solution

Thank you.  That is a good run.

The Windows System File Checker (SFC) Windows Resource Protection found corrupt files and successfully repaired them.

Before that, we ran a scan with ESET Online scanner & Malwarebytes for Windows & ESET.

Let's do one scan with Malwarebytes Adwcleaner to check for adwares. Just before pressing that "scan" button, be sure that Chrome & Edge, or other web browser are Closed.

It will not take much time.

First download & save it

https://support.malwarebytes.com/hc/en-us/articles/360038520054-Download-and-install-Malwarebytes-AdwCleaner

 

Then be sure to close all web browsers.

Then go to where the EXE file is saved. Start Adwcleaner.  Then do a scan with Adwcleaner

https://support.malwarebytes.com/hc/en-us/articles/360038520114-Malwarebytes-AdwCleaner-scan-and-clean

Attach the clean log.


  • 2 weeks later...
  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you

 

 
