HELP! Virus keeps making EXE file's in TEMP.

[MelkiG]

To whom may help:

I have a really bad virus installed that i cannot get rid of, everytime i end the process in task manager and i go in temp and delete all the file's within a few seconds latter it comes back in the same location and is active again in my processes, ive even tried deleting the whole temp folder, which again just makes a new folder and re installs the exe files inside. it wont even let me install a fresh windows 11 version which ive tried not even when i took it to the computer store the store wasnt able to remove it. 

 

openining up task mananger it's showing as app "WindowsFormsApp1" and right clicking to go to file location goes to "AppData > Local > Temp and inside temp is hundreads of created folders ending in .tmp as well as other weird tmp files and inside these tmp. folders are .exe files called "tagline" this virus constantly creates pops of 'tagline' and another called 'fondue' it has recently also started to play bckground music out of no where, as well as that it has giving me limited access to my system.

 

ive tried to follow other guides from here which suguested to install malwarebytes and malwarebytes cleaner and didnt work, ive tried youtube videos where it suggested to do a tronscript and after 4 hours still nothing.

 

please im at my witts end with this.

[Maurice Naggar]

Hello.      

My name is Maurice.  I will guide you.  Let me know what name you prefer to go by. 

I will guide you along on looking for potential malware. Lets keep these principles as we go along.

• Removing malware can be unpredictable
• Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
• Only run the tools I guide you to.
• Do not run online games while case is on-going. Do not do any free-wheeling web-surfing.
• The removal of malware isn't instantaneous, please be patient.
• Please stick with me until I give you the "all clear".

Your topic will be closed if you haven't replied within 4 days!
If I have not replied to your last post after 36 hours, please then send me a P M.

 

The first thing I need is to get a set of  these reports & logs.

 

That is the first step.  I will then review and use that to guide us along.

Please  set File Explorer to SHOW ALL folders, all files, including Hidden ones.  Use OPTION ONE or TWO of this article

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

 [   2    ]

I would like a report set for review.   This is a report only.

Please download MALWAREBYRES MBST Support Tool

Once you start it click Advanced >>> then   Gather Logs

 Have patience till the run has finished.

Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop.

 

• Please attach  mbst-grab-results.zip    to your reply , like displayed here.

To send  ( upload)   attachments please click the "ADD Files"  link . Then browse to where your file is located and select it and click the Open button.

 

 

The set of data from the report will provide much needed information.

Please always attach reports as we go along. 

There will be lots more to do after this. Stick with me.

[MelkiG]

Hi Maurice, thank you for your reply. Ive seen other threads with your replies usually helping out other members so im glad to have you to help potienally remove this virus.

Here is the requested ZIP.mbst-grab-results.zip

 

Ill be replying as quick as possible to you (this virus has killed my life i really need it gone) 

[Maurice Naggar]

Thanks for the report. As the next step

This next tool ought to take something in the range of 15 - 25 minutes tops, depending on hardware speed.
get & run the Malwarebytes MBAR anti-rootkit tool to do 1 run with it.
Disregard the title subject of the topic.Run the MBAR tool as listed here 

https://forums.malwarebytes.com/topic/198907-requested-resource-is-in-use-error-unable-to-start-malwarebytes

• when done, I need the MBAR logs.
• Upon completion of the scan or after the reboot, two files named mbar-log.txt and system-log.txt will be created.
• Both files can be found in the extracted MBAR folder on your Desktop.
• Please attach both files in your next reply.

[MelkiG]

herembar-log-2022-03-23 (12-33-01).txt are the requesystem-log.txtsted files 

[Maurice Naggar]

MBAR only found and removed KMSAutoS.  Would you happen to know how it got there on this pc?

I hate to have to let you know, but one must. This pc has a very huge number of malwares. What would appear to be a slew of persistent trojans.

You said this machine had been to a repair shop. Due to the huge amount of trojans, I am not sure that all of them can be found and removed. The future safety of your indentity and info cannot be guaranteed. Stop for a while and consider to do a complete wipe / and rebuild of Windows & then the application programs.

I do not know how much personal stuff ( meaning personal documents & files ) you now have.  Backup them up to offline storage media.

Let me know if you opt to wipe & redo the system over. Doing that is the safest for the long term. I can provide the tips to do that.

Edited March 23, 2022 by Maurice Naggar

[MelkiG]

not to sure how it got there but i have removed it and the virus is still there.

Yes i have all my personal details basically my whole life on this laptop i use it for my business which has allot of personal files. 

I Have tried re installing windows 11 but continually fail im not sure if this is the virus fault. 

 

Can you immediately let me know what to do as im quite worried from your response

[Maurice Naggar]

There are a couple of ways to set this Windows 11 back to being what we may call, a fresh slate.  If that is what you decide.

You would want to first offload , that is, make backup copies of all your documents to say a large USB flash drive.

Then I can give you tips on how to do a Reset of Windows 11 with the selection to NOT keep any files or apps.

The other possibility, but without any guaranties, is I can guide you on a series of runs and attempted fixes to get rid  ( if we can) of the many trojans on this box.

I need your decision.  You do not need to rush to answer. Just do not do any banking, shopping, web surfing or playing games on this machine.

[Maurice Naggar]

Hello. 

Take these actions so that Windows 11 is set to show all hidden files and folders.
Open File Explorer from the taskbar.

Select View > Show > Hidden items.

If we are to attempt to begin a series of procedures to attempt to get rid of malware, I need for you to save a new copy of FRST64.exe to the Downloads folder. Be very sure it is saved.

you can simply download & save a new copy of the tool FRST64.exe from this link

[Maurice Naggar]

I counted some 13 scheduled tasks, plus not sure how many rogue EXE files are the big part of the malwares. If you want to try to clean them out, then this is only the start.

There is no single-run / single procedure to attempt to do a cleanup of all that has infected this machine. Which is several very serious persistent Trojans. There is NO guarantee about future security of this machine.

Next, a custom script to do  checks & some  cleanups.

We will use FRST64.exe  on the Downloads folder to run a custom script.    The system will be rebooted after the script has run.

This custom script is for  MelkiG  only / for this machine only.

 

This custom script has some specific things, plus some general aspect to help the system overall.  Hoping it will not exceed 60 minutes in execute time.

NOTE-1:  This script will  run a scan using System File Checker to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. .  It will rebuild the Winsock.  

NOTE-2: As part of run it will attempt to remove any leftover booger tasks set by the trojans. It will attempt to do 2 scans with Microsoft Defender antivirus.

NOTE-3: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. 

The following directories are emptied:

• Windows Temp
• Users Temp folders
• Edge, IE, FF, Chrome,  and Opera  & BRAVE caches, HTML5 storages, Cookies and History
• Recently opened files cache
• Flash Player cache
• Java cache
• Steam HTML cache
• Explorer thumbnail and icon cache
• Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

•  
• Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.

 

• If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached,  please disconnect any of those.
• Please save the (attached file named) FIXLIST.txt   to the   Downloads   folder

Fixlist.txt             <<< - - - - -

Then, Start the Windows Explorer and then, go  to the Downloads   folder.

RIGHT click on FRST64.exe    and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run.
  to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

• IF you get a block message from Windows about this tool......

               click line More info information on that screen
               and click button Run anyway on next screen.

• on the FRST window:

Click the Fix button just once, and wait.

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. 
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity.  This here is not a one-shot-cure-all.  There will be more to do later.  

Edited March 23, 2022 by Maurice Naggar

[Maurice Naggar]

Good afternoon / Good day. I have not heard back from you. If you are still using this system but have not done my last procedure ( as above ), then I would suggest that you go ahead and do that.

[Maurice Naggar]

 Hello. I understand from you that you have done a new install of Windows. Below are safety tips. I am marking the case for closure. 

Consider using PatchMyPC, keep all your software up-to-date - https://patchmypc.com/home-updater#download

Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

SAFETY TIPS:

Backup is your best friend.  Keep backups of your system on a regular basis to offline storage & keep those safe. https://forums.malwarebytes.com/topic/136226-backup-software/

It is not enough to just have a security program installed. Each pc user needs to practice daily safe computer and internet use.

Best  practices & malware prevention:
Follow best practices when browsing the Internet, especially on opening links coming from untrusted sources.
First rule of internet safety: slow down & think before you "click".
Never click links without first hovering your mouse over the link and seeing if it is going to an odd address ( one that does not fit or is odd looking or has typos).

Free games & free programs are like "candy". We do not accept them from "strangers".

Never open attachments that come with unexpected ( out of the blue ) email no matter how enticing.
Never open attachments from the email itself. Do not double click in the email. Always Save first and then scan with antivirus program.

Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed.
Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next".

Use a Standard user account rather than an administrator-rights account when "surfing" the web.
See more info on Corrine's SecurityGarden Blog http://securitygarden.blogspot.com/p/blog-page_7.html

Only using the Standard-access-level user account when surfing and downloading / installing would have been a tremendous way to prevent the infections of this machine.

Don't remove ( or change )  your current login. Just use the new Standard-user-level one for everyday use while on the internet.

 

Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

For other added tips, read "10 easy ways to prevent malware infection"  

Stay safe.

[Maurice Naggar]

Since this issue is resolved the topic will now be closed to prevent others from posting here.

If you need assistance please start your own new topic and someone will be happy to assist you.

Thanks