Trojans keep coming back after being quarantined and deleted



I have trojans in my AppData/Local/Microsoft folder under "ErrorReport.exe" and "XR.exe" which are bitcoin miners. Every time they are quarantined they come back a few minutes after. I have tried scanning my PC multiple times, rebooting after quarantining them as Malwarebytes tells me to, and running AdwCleaner.


Hello @jae4smn and welcome.

 

My name is MKDB and I will assist you.

 

  • Please follow the steps in the given order and post back the logs as an attachment when ready. Thank you very much for your cooperation.
  • Temporarily disable your antivirus or other security software first. Make sure to turn it back on once the scans are completed.
  • Temporarily disable Microsoft SmartScreen to download software below if needed. Make sure to turn it back on once the scans are completed.
  • As English is not my native language, please do not use slang or idioms. It may be hard for me to understand.

 

 

I will guide you along on looking for potential malware. Let's keep these principles as we go along.

  • Searching, detecting and removing malware isn't instantaneous, please be patient. Please stick with me until I give you the "all clear".
  • Only run the tools I guide you to.
  • Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Cracked or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also a big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.

 

 

Step 1

  • Please download the Malwarebytes Support Tool (MBST).
  • Run MBST.
  • In the left navigation pane of MBST, click Advanced.
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine.
  • A zip file named mbst-grab-results.zip will be saved to your desktop, please upload that file on your next reply.

 

Thank you!


Thank you @jae4smn.

 

 

Step 1

  • Please download the attached fixlist.txt file and save it to the following location: C:\Users\User\Downloads\
  • You will find FRST(English) there as well.

Note: It's important that both files, FRST(English) and fixlist.txt are in the same location or the fix will not work.

  • Close all open programs and save your work.
  • Run FRST(English) again.
  • Press the Fix button only once and wait. Please be patient.
  • If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart.
  • FRST will create one log now (Fixlog.txt) in the same directory the tool is run.
  • Please attach this logfile to your next reply.

 

 

 

fixlist.txt


Ok, now please run the following script with FRST, it should be finished very fast.

Thank you @jae4smn.

 

 

Step 1

  • Please download the attached fixlist.txt file and save it to the location where you ran FRST from ( C:\Users\User\Downloads\ ).

Note: It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

  • Close all open programs and save your work.
  • Run FRST again.
  • Press the Fix button only once and wait. Please be patient.
  • If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart.
  • FRST will create one log now (Fixlog.txt) in the same directory the tool is run.
  • Please attach this logfile to your next reply.

 

 

fixlist.txt


Thanks again!

 

It seems that Discord is infected with malware. Therefore, I would ask you to run another special check with FRST (Step 1).

After that, we do a new scan with FRST (Step 2).

Does MBAM still detect malware @jae4smn?

 

 

Step 1

  • Please download the attached fixlist.txt file and save it to the location where you ran FRST from ( C:\Users\User\Downloads\ ).

Note: It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

  • Close all open programs and save your work.
  • Run FRST again.
  • Press the Fix button only once and wait. Please be patient.
  • If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart.
  • FRST will create one log now (Fixlog.txt) in the same directory the tool is run.
  • Please attach this logfile to your next reply.

 

 

Step 2

  • Run FRST again.
  • Do not change any settings.
  • Press the Scan button.
  • FRST will create two logs now (FRST.txt + Addition.txt) in the same directory the tool is run.
  • Please attach these logfiles to your next reply.

 

 

 

fixlist.txt


Thanks for the feedback @jae4smn.

First, we need to run another fix with FRST (Step 1), then we need to remove Discord as it is infected with malware.

A repair seems to be difficult.

Thanks again for your patience!

 

 

 

Step 1

  • Please download the attached fixlist.txt file and save it to the location where you ran FRST from ( C:\Users\User\Downloads\ ).

Note: It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

  • Close all open programs and save your work.
  • Run FRST again.
  • Press the Fix button only once and wait. Please be patient.
  • If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart.
  • FRST will create one log now (Fixlog.txt) in the same directory the tool is run.
  • Please attach this logfile to your next reply.

 

 

Step 2

The following software is infected with malware and must be uninstalled.

  • Go to Start > Settings > Apps.
  • Uninstall the following software:
    • Discord
  • Let the system reboot at the end.
  • If you are not able to uninstall a software component, please let me know.

 

 

Step 3

  • If you already have Malwarebytes installed, then open Malwarebytes and click on the Scan button. It will automatically check for updates and run a Threat Scan.
  • If you don't have Malwarebytes installed or if you don't run the newest version yet, please download it from here and install it.
  • Once the MBAM dashboard opens, click on Settings (gear icon).
  • Click on Security tab and make sure that all four Scan options are enabled.
  • Close Settings and click on the Scan button on the dashboard.
  • Once the scan is completed make sure you have it quarantine any detections it finds.
  • If no detections were found click on the Save results drop-down, then the Export to TXT button and save the file as a Text file to your desktop.
  • If there were detections then once the quarantine has completed click on the View report button, then click the Export drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If the computer restarted to quarantine you can access the logs from the Detection History, then the History tab. Highlight the most recent scan and double-click to open it. Then click the Export drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If Malwarebytes won't run, then please skip to the next step and let me know in your next reply that the scanner would not run.

 

 

 

fixlist.txt


Good, MBAM comes back clean.

Please let's check your system with FRST again. I want to remove Discord with FRST if you are not able to remove it via system settings.

 

Step 1

  • Run FRST again.
  • Do not change any settings.
  • Press the Scan button.
  • FRST will create two logs now (FRST.txt + Addition.txt) in the same directory the tool is run.
  • Please attach these logfiles to your next reply.

 


In my first post, I wrote to you:

  • Please don't run any other scans, download, install or uninstall any programs while I'm working with you.

It seems that you don't follow my suggestions...

2022-05-17 10:36 - 2022-05-17 10:36 - 043537760 _____ (Adlice Software ) C:\Users\User\Downloads\RogueKiller_setup.exe
2022-05-17 10:35 - 2022-05-17 10:36 - 014178840 _____ (Malwarebytes Corp.) C:\Users\User\Downloads\mbar-1.10.3.1001.exe
2022-05-17 10:35 - 2022-05-17 10:35 - 005054744 _____ (AO Kaspersky Lab) C:\Users\User\Downloads\tdsskiller.exe

If you're already running programs yourself, I would at least expect you to send along the associated log files. So please keep me updated on this. 😉

 

How is the status of Discord? Did you uninstall it? Did you download a new installer? If so, why?

2022-05-16 23:38 - 2022-05-17 19:19 - 000000000 ____D C:\Users\User\AppData\Local\SquirrelTemp
2022-05-16 23:33 - 2022-05-16 23:33 - 000000000 ____D C:\ProgramData\SquirrelMachineInstalls
2022-05-16 23:31 - 2022-05-16 23:32 - 082992808 _____ (Discord Inc.) C:\Users\User\Downloads\DiscordSetup.exe

 

Please uninstall Discord via settings > apps like reported and do not re-install until we have finished here.

 

It's late here in Germany, I'll be back tomorrow.
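A triage sketch for the kind of FRST listing quoted in the post above, added here as an example (it is not part of the thread and not FRST's own code): it parses the six quoted lines and lists executables that appeared in one folder after a chosen cutoff. The column meaning (created, modified, size, attributes, company, path), the function names and the cutoff time are assumptions.

```python
import re
from datetime import datetime
from pathlib import PureWindowsPath

# Assumed columns: created - modified - size attributes (company) path
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>\S{5}) "
    r"(?:\((?P<company>[^)]*)\) )?(?P<path>.+)$"
)
TS = "%Y-%m-%d %H:%M"

# The six listing lines quoted in the post, verbatim.
SAMPLE = r"""
2022-05-17 10:36 - 2022-05-17 10:36 - 043537760 _____ (Adlice Software ) C:\Users\User\Downloads\RogueKiller_setup.exe
2022-05-17 10:35 - 2022-05-17 10:36 - 014178840 _____ (Malwarebytes Corp.) C:\Users\User\Downloads\mbar-1.10.3.1001.exe
2022-05-17 10:35 - 2022-05-17 10:35 - 005054744 _____ (AO Kaspersky Lab) C:\Users\User\Downloads\tdsskiller.exe
2022-05-16 23:38 - 2022-05-17 19:19 - 000000000 ____D C:\Users\User\AppData\Local\SquirrelTemp
2022-05-16 23:33 - 2022-05-16 23:33 - 000000000 ____D C:\ProgramData\SquirrelMachineInstalls
2022-05-16 23:31 - 2022-05-16 23:32 - 082992808 _____ (Discord Inc.) C:\Users\User\Downloads\DiscordSetup.exe
""".strip().splitlines()

def parse_line(line):
    """Return one listing entry as a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "created": datetime.strptime(m["created"], TS),
        "modified": datetime.strptime(m["modified"], TS),
        "size": int(m["size"]),
        "is_dir": "D" in m["attrs"],          # "____D" marks a directory entry
        "company": (m["company"] or "").strip() or None,
        "path": PureWindowsPath(m["path"]),   # case-insensitive comparisons
    }

def new_executables(lines, since, folder):
    """(created, company, name) for .exe files created in `folder` at/after `since`."""
    hits = []
    for rec in filter(None, map(parse_line, lines)):
        p = rec["path"]
        if (not rec["is_dir"] and p.suffix.lower() == ".exe"
                and rec["created"] >= since and p.parent == PureWindowsPath(folder)):
            hits.append((rec["created"], rec["company"], p.name))
    return sorted(hits, key=lambda h: (h[0], h[2]))

if __name__ == "__main__":
    cutoff = datetime(2022, 5, 17)  # assumed cutoff, not stated in the thread
    print(new_executables(SAMPLE, cutoff, r"C:\Users\User\Downloads"))
```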


Sorry, I must've skipped over that note about other programs, I apologise.

I downloaded the installer after uninstalling it but did not run the installer and it was just there in my folder, when I rebooted discord was automatically reinstalled.


1 minute ago, jae4smn said:

Sorry, I must've skipped over that note about other programs, I apologise.

I downloaded the installer after uninstalling it but did not run the installer and it was just there in my folder, when I rebooted discord was automatically reinstalled.

I apologise for any inconveniences I have made by using other programs.


Thanks for your explanations!

I just want to make sure that there are no malware leftovers in Discord @jae4smn. 🙂

So once more: please uninstall or try to uninstall the tool via Start > Settings > Apps and report back. Re-boot your system.

After that, run another scan of FRST like described here.

 

Based on your newest logfiles, I want to remove Discord, especially those folders under %appdata%.

If malware doesn't come back, you can re-install it later when I tell you so.

Thanks again!

 


Ok, let's go @jae4smn. 😊

 

 

Step 1

  • Please download the attached fixlist.txt file and save it to the location where you ran FRST from ( C:\Users\User\Downloads\ ).

Note: It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

  • Close all open programs and save your work.
  • Run FRST again.
  • Press the Fix button only once and wait. Please be patient.
  • If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart.
  • FRST will create one log now (Fixlog.txt) in the same directory the tool is run.
  • Please attach this logfile to your next reply.

 

 

Step 2

The Microsoft Safety Scanner (MSS) is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system.

  • The download links & the how-to-run-the tool are at this link at Microsoft.
  • Please let me know the results of this scan.
  • Run a Quick Scan.
  • The log is named MSERT.log.
  • The log will be at %SYSTEMROOT%\debug\msert.log, which in most cases is C:\Windows\debug\msert.log

  • Please attach that log with your next reply.

 

 

 

fixlist.txt
