PC infected by Trojan:Win32/Casdet!rfn


Solved by Maurice Naggar


I have tried the ESET online scan, a Malwarebytes scan, and Microsoft Security Scanner as well, but Windows Defender still says that the above malware is detected. I can't seem to remove this virus. This got infected when my son installed some app related to Roblox. Ever since this happened, my GPU driver tends to get an error as well (it usually fixes itself, but it's annoying as the HDMI sound gets disabled for a while). I need help; I can't reformat the drive because I have no external storage to back up the important work-related files.



Hello, @Fantina.

Please let me know what name you prefer to go by.

My name is Maurice.   I will guide you.

>

Please set File Explorer to SHOW ALL folders and all files, including hidden ones. Use OPTION ONE or TWO of this article:

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

>

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links and how to run the tool are at this link at Microsoft:

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look at Scan Options and select FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

  • Once you see it has started, take a long break; walk away. Do not give credence to any intermediate messages that flash on the screen. The only thing that counts is the end result at the end of the run.

 

Let me know the result of this. This is likely to run for many hours (depending on the number of files on your machine and the speed of the hardware).

The log is named MSERT.log and will be at:

Windows\debug\msert.log

Please attach that log with your reply.


Looking at the section of the system event logs that records Microsoft Defender Antivirus events, I do notice that it has flagged several trojans on this machine.
What sort of things have been downloaded today, the day before, in the past week, or recently, as to:
Excuse letter
Spectre 2015 1080p BluRay x264 DTS-JYK
dirk rablaks.rar
KRNLWRD.rar
Sid Meiers Civilization Beyond Earth

Where were they obtained? Any sort of dodgy site?
I am very concerned because Microsoft Defender Antivirus has identified several trojans.
 

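Added example, not part of the thread: the quickest way to see what Maurice is describing (what Defender has flagged, where the files live, and which detection keeps recurring) is to ask Defender directly rather than scrolling Event Viewer. This assumes the Defender PowerShell module and the "Microsoft-Windows-Windows Defender/Operational" log that ship with Windows 10; the event IDs and the "Name:" line in the event message are Defender's documented format, and the property names are the module's. Run it from an elevated PowerShell prompt on the affected machine.

```powershell
# Added example (not from the forum thread): list what Microsoft Defender has
# flagged so the detection name shown in the UI (e.g. Trojan:Win32/Casdet!rfn)
# can be tied to concrete file paths. Run elevated on the affected machine.

# 1. Threat history from the Defender engine itself.
#    Get-MpThreatDetection lists each detection with its Resources (paths) and
#    the action taken; Get-MpThreat maps ThreatID to a human-readable name.
$names = @{}
Get-MpThreat | ForEach-Object { $names[$_.ThreatID] = $_.ThreatName }

Get-MpThreatDetection |
    Sort-Object InitialDetectionTime -Descending |
    ForEach-Object {
        [pscustomobject]@{
            Detected  = $_.InitialDetectionTime
            Threat    = $names[$_.ThreatID]
            StatusID  = $_.ThreatStatusID      # numeric status code from Defender
            Resources = ($_.Resources -join '; ')
        }
    } | Format-Table -AutoSize -Wrap

# 2. The Defender operational event log (the "system event logs" in the thread).
#    1116 = malware detected, 1117 = action taken, 1118/1119 = action failed;
#    1006/1007/1008 are the older equivalents still written by some builds.
$filter = @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1006, 1007, 1008, 1116, 1117, 1118, 1119
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Select-Object -First 50 TimeCreated, Id, Message |
    Format-List

# 3. Count "detected" events per threat name, to see which one keeps returning.
#    Assumes the event text carries a "Name: <threat>" line, as Defender writes.
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -in @(1116, 1006) } |
    ForEach-Object { ([regex]'Name:\s*(\S+)').Match($_.Message).Groups[1].Value } |
    Where-Object { $_ } |
    Group-Object | Sort-Object Count -Descending |
    Select-Object Count, Name
```

A detection that is reported again after every "removed" event is the sign to look for here: the Resources column tells you whether the same path is being re-created (a persistence mechanism is still live) or whether Defender is only re-flagging something it cannot clean, such as a file inside an archive or a running process.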

Hello Maurice.

I'm not sure if my decision to run the Offline Scan of Windows Defender fixed it. I am attaching the MSERT log here, and as you can see on the first scan (Nov 20 scan), there are multiple detections.

These are what I did, by the way, from the time of the detection.

1. I ran Windows Defender (still detecting the trojan)
2. I ran Malwarebytes (detected some and deleted some, but there are items flagged as not removed completely)
3. I ran MSERT (Nov 20 log)
4. I ran the ESET online scan (still detecting the trojan)
5. Posted here in the forum, and did the FRST
6. While waiting, I ran the Windows Defender Offline Scan (because I saw that this helps, since it kind of boots the PC in safe mode and then performs the scan and removal)
7. <This is the time I saw your reply and did the 2nd MSERT; I aborted it because I hadn't done the show-all-folders step, then ran it again>
8. Right now there are no detections. The logs are attached.

I believe the stuff you mentioned was downloaded by my son Dirk; he plays those games (Roblox and Civilization).

msert.log


Thank you. This last run of MSERT is extremely helpful, in that it did find and remove several threats.

By the way, at some point later, I would urge a discussion with your son about being much more cautious as to any downloading, any online games, only to go to known safe venues.

There is more cleanup and scanning to do, just to ensure there are no further threats. Please do not run other tools on your own.

Here below I have prepared a custom fix script just for this particular machine. The goal is to attempt fixes and, hopefully, to check for remaining threats.

Hopefully this will not exceed one hour of run time.

Please do not be using other apps or web browsers during these next procedures. Only use web browser for purpose to get to this forum.

[    1    ]

As a next basic step, please make very sure to set File Explorer to SHOW ALL folders and all files, including hidden ones. Use OPTION ONE or TWO of this article:

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

[    2    ]

We will use FRST64.exe in the Downloads folder to run a custom script. The system will be rebooted after the script has run.

This custom script is for  FANTINA  only / for this machine only.

This custom script has some specific things, plus some general aspect to help the system overall.

NOTE-1: This script will run a scan using System File Checker to check that all Microsoft operating system files are valid and not corrupt, and attempt to correct any invalid files. It will also rebuild the Winsock. It will clear the cache files for Chrome and for Edge. It will attempt to look for the "dpeditor" that has been flagged and, if found, will remove it.

NOTE-2: It will attempt to run batch-mode scans with Microsoft Defender on the sub-folders AppData\Roaming + AppData\Local + Downloads, plus a Quick scan. Hopefully they will all run in under 60 minutes.

Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.

 
If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached,  please disconnect any of those.

Please save the (attached file named) FIXLIST.txt   to your  Downloads  folder.

Fixlist.txt


Start Windows Explorer and go to the Downloads folder.


RIGHT-click on FRST64.exe and select Run as Administrator. Reply YES when prompted to allow it to run. If the tool warns you the version is outdated, please download and run the updated version.

If you get a block message from Windows about this tool, click "More info" on that screen and then click the "Run anyway" button on the next screen.

on the FRST window:
Click the Fix button just once, and wait.


 

PLEASE have lots of patience when this starts. You will see a green progress bar start.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the Fixlog.txt with your next reply, at your next opportunity.


Please know this will do a Windows restart. Just let it run and finish.

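Added example, not part of the thread and not Maurice's FRST fixlist (which is attached to the post, not reproduced here): the maintenance steps NOTE-1 and NOTE-2 describe, done by hand from an elevated PowerShell prompt so you can see what each one is. The browser-cache clearing and the "dpeditor" removal from NOTE-1 are left out, since the page does not say what that file is or where it was found. Paths under the current profile are assumed to be the account that was infected; run it elevated as that user.

```powershell
# Added example (not the FRST fixlist from the thread): SFC repair, Winsock
# rebuild, then targeted Defender scans of the user-profile folders, as
# NOTE-1 and NOTE-2 describe. Run from an elevated PowerShell prompt.
#Requires -RunAsAdministrator

# System File Checker: verify protected OS files and repair any that fail.
sfc.exe /scannow

# Rebuild the Winsock catalog. Malware sometimes registers itself as a
# layered service provider; the reset takes effect after a reboot.
netsh.exe winsock reset

# Make sure Defender has current signatures before the targeted scans.
Update-MpSignature

# Targeted scans of the locations the fix script covers: the per-user
# folders where dropped installers and payloads most often end up.
$targets = @(
    $env:APPDATA,                      # AppData\Roaming
    $env:LOCALAPPDATA,                 # AppData\Local
    (Join-Path $env:USERPROFILE 'Downloads')
)
foreach ($path in $targets) {
    if (Test-Path -LiteralPath $path) {
        Write-Host "Scanning $path ..."
        Start-MpScan -ScanType CustomScan -ScanPath $path
    }
}

# Finish with a Quick scan of the usual start-up and persistence locations.
Start-MpScan -ScanType QuickScan

# Anything still flagged after the scans, with the paths involved.
Get-MpThreatDetection |
    Select-Object InitialDetectionTime, ThreatID, ThreatStatusID, Resources |
    Format-List

# Reboot so the SFC repairs and the Winsock reset are applied.
Restart-Computer -Confirm
```

The reason to scan those three folders explicitly rather than relying on a Quick scan alone is that a Quick scan covers start-up locations and memory, not the whole profile, so a dropper sitting in Downloads or AppData that has not yet run can be missed by it.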

Solution

Quoting Fantina's question: "Is there any way I can restrict him from downloading files without creating a new user?"

The thing is more than just downloading. It is the act of going through and installing questionable apps as well, without first scanning them all with the antivirus before they are opened or installed. It may help to simply downgrade his user account to a "Standard" user if you have him now on an "Administrator"-level account.

See https://www.windowscentral.com/how-change-user-account-type-windows-10#

>

And to beef up your web browsers, if they do not each have the free Malwarebytes Browser Guard: let me suggest that you get each of your browsers, as applicable, to have the Malwarebytes Browser Guard.

See Support article how-to

https://support.malwarebytes.com/hc/en-us/articles/360038520374-Install-Malwarebytes-Browser-Guard


Note: If your pc has Windows 10 EDGE browser, or Opera or Brave or Vivaldi browser, you can install the Chrome version of the Malwarebytes Browser Guard ( on each as appropriate).
>

Thanks for the log report. The Windows System File Checker did correct some issues with some system files.

I would highly suggest that you do this next scan: a free scan with the ESET Online Scanner. This will be another check for viruses, other malware, adware, and potentially unwanted applications.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

 

It will start a download of "esetonlinescanner.exe"

  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started.

 

  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes
  • When prompted for scan type, Click on Full scan

Look at and tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.

  • Have patience. The entire process may take an hour or more. There is an initial update download.

There is a progress window display. You may step away from the machine and let it be.

You should ignore all prompts to get the ESET antivirus software program (i.e., their standard program). You do not need to buy, get, or install anything else.

  • When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked “View detected results”.
  • Click The blue Save scan log to save the log.

If something was removed and you know it is a false finding, you may click on the blue "Restore cleaned files" (in blue, at the bottom).

Press Continue when all done. You should decline the offer of "periodic scanning".

Please make sure you attach the log report.     There will be more to do later.

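Added example, not part of the thread: the account downgrade Maurice recommends, done from an elevated PowerShell prompt instead of the Settings app, with a guard so the machine is never left without an enabled local administrator. "Dirk" is an assumed account name taken from the thread; substitute the real local user name. This uses the LocalAccounts module that ships with Windows 10; accounts signed in with a Microsoft account appear in Administrators under a "MicrosoftAccount\" prefix and are handled the same way.

```powershell
# Added example (not from the forum thread): remove a local account from the
# Administrators group so it runs as a Standard user, refusing to do so if it
# is the last enabled local administrator. Run elevated.
#Requires -RunAsAdministrator
param([string]$User = 'Dirk')   # assumed account name; change to the real one

$admins = Get-LocalGroupMember -Group 'Administrators'
$target = $admins | Where-Object { $_.Name -like "*\$User" }

if (-not $target) {
    Write-Host "$User is not a member of Administrators; nothing to do."
    return
}

# Count the other enabled local user accounts in Administrators so we never
# demote the only one. Group names are "COMPUTER\user"; strip the prefix.
$otherAdmins = $admins |
    Where-Object { $_.Name -ne $target.Name -and $_.ObjectClass -eq 'User' } |
    ForEach-Object {
        Get-LocalUser -Name ($_.Name -replace '^.*\\', '') -ErrorAction SilentlyContinue
    } |
    Where-Object { $_.Enabled }

if (-not $otherAdmins) {
    throw "Refusing to demote $User : no other enabled local administrator exists."
}

Remove-LocalGroupMember -Group 'Administrators' -Member $target.Name

# Local users are normally already in Users; add explicitly if not, so the
# account keeps a logon right after losing Administrators.
$inUsers = Get-LocalGroupMember -Group 'Users' | Where-Object { $_.Name -eq $target.Name }
if (-not $inUsers) {
    Add-LocalGroupMember -Group 'Users' -Member $target.Name
}

# Show the resulting membership. The demoted user must sign out and back in
# before the change applies to their session token.
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource
```

The point of the guard is the same as Maurice's "don't remove or change your current login" advice later in the thread: the fix is to stop everyday use from running with administrator rights, not to lock the household out of the machine.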

Hello.

Do take care to rest up.  Thanks for the ESET scan report, which is perfectly good.  It reports no virus / no malware.

Go ahead and delete the download file named 

esetonlinescanner.exe

Do let me know, How is the system now as regards the Microsoft Defender antivirus ?


One other action: Malwarebytes for Windows can detect and remove most malware for free, with no further actions required.
Since it does not appear that this machine has it, go and install Malwarebytes for Windows.
See https://support.malwarebytes.com/hc/en-us/articles/360038479134-Download-and-install-Malwarebytes-for-Windows

After the setup has completed, run a Threat Scan: open Malwarebytes for Windows and click the blue Scan button.

 

When the scan phase is done, be very sure you review and have all detected line items check-marked on the left. That too is very critical.

You can click the topmost left check-box on the very top line to get ALL lines ticked (all selected).

 

Please double-check that you have that TOP check-box ticked, and that all lines then have a tick-mark.

 

Then click on the Quarantine button.

 


Then locate the scan run report, export a copy, and attach it with your reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

 


Hello.

Good to know about Microsoft Defender.  As to the Malwarebytes for Windows scan, I take it that you trust the file "LDPLAYER_ENS_2091_LD.EXE".

PUP.Optional.DotSetupIo.BundleInstaller is Malwarebytes' detection name for a bundler that installs a video player but also offers additional installs.
Here is more about what Malwarebytes research team reports about it.
https://blog.malwarebytes.com/detections/pup-optional-dotsetupio-bundleinstaller/

I would simply suggest much caution.

>

Now then, since you report that Microsoft Defender's last status is good, and, the scan with ESET was good, I believe we could wrap up this case.

We can proceed with cleanup of tools we used.

To remove the FRST64 tool and its work files, do this. Go to your Downloads folder, RIGHT-click on FRST64.exe, select RENAME, and change it to UNINSTALL.exe. Then run that (double-click on it) to begin the cleanup process.

Delete msert.exe
Delete esetonlinescanner.exe
Any other download file I had you download, you may delete.
Consider using PatchMyPC to keep all your software up to date: https://patchmypc.com/home-updater#download

Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.


Let me suggest that you get your browsers each, as applicable, to have the Malwarebytes Browser Guard.

See Support article how-to

https://support.malwarebytes.com/hc/en-us/articles/360038520374-Install-Malwarebytes-Browser-Guard


Note: If your pc has Windows 10 EDGE browser, or Opera or Brave or Vivaldi browser, you can install the Chrome version of the Malwarebytes Browser Guard ( on each as appropriate).
>

Have the Premium Malwarebytes so that your system has full protection in real time. I believe there is currently a Black Friday sale: https://www.malwarebytes.com/premium

>

Consider using PatchMyPC to keep all your software up to date: https://patchmypc.com/home-updater#download

Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

SAFETY TIPS:

Backup is your best friend. Keep backups of your system on a regular basis to offline storage, and keep those safe. https://forums.malwarebytes.com/topic/136226-backup-software/

It is not enough to just have a security program installed. Each pc user needs to practice daily safe computer and internet use.

Best  practices & malware prevention:
Follow best practices when browsing the Internet, especially on opening links coming from untrusted sources.
First rule of internet safety: slow down & think before you "click".
Never click links without first hovering your mouse over the link and checking whether it is going to an odd address (one that does not fit, looks odd, or has typos).

Free games & free programs are like "candy". We do not accept them from "strangers".

Never open attachments that come with unexpected ( out of the blue ) email no matter how enticing.
Never open attachments from the email itself. Do not double click in the email. Always Save first and then scan with antivirus program.

Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed.
Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next".

Use a Standard user account rather than an administrator-rights account when "surfing" the web.
See more info on Corrine's SecurityGarden Blog http://securitygarden.blogspot.com/p/blog-page_7.html

Only using the Standard-access-level user account when surfing and downloading / installing would have been a tremendous way to prevent the infections of this machine.


Don't remove (or change) your current login. Just use the new Standard-user-level one for everyday use while on the internet.

 


For other added tips, read "10 easy ways to prevent malware infection"  

>

I am marking this case for closure.
I wish you all the best. Stay safe.
Sincerely.

Maurice


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy Tips to help protect from infection

Thank you
