
Help in removing Malware even after clean install of windows 10


NANDANR


Hello, community members

Recently I came across malware that started using my browser to hijack my Instagram (even Facebook, as it was linked) and my Google account. It took me weeks to realize what was going on; by then both of the above-mentioned accounts were locked, and after a week of staying in contact with the support teams of the respective accounts, they restored my accounts after confirming it was a hijack (that was when I got to know about the malware on my laptop).

My Kaspersky antivirus detected 7 of them and deleted them (not disinfected). Later I had doubts again due to high CPU usage on my laptop, so I installed Malwarebytes to see if there was more hogging around. After a full scan, I came up with 4 more of them.

So I canceled the scan out of frustration and decided to wipe my SSD and HDD to perform a clean install of Windows 10. But after finishing the install, Malwarebytes (trial version) and Antimalware Service Executable (Windows Defender), even after disabling periodic scanning, are together slowing down my laptop again. Boot time, which used to be 2.2 sec, is now 4-5 sec, and today after running the "Microsoft Support Emergency Response Tool" I found 63 infected files. I honestly don't know what to do next.

While browsing through the Malwarebytes forums for help, I found out that people were being asked for Farbar Recovery Scan Tool and AdwCleaner files, so I decided to run them and I have included them in this post. I have also attached a report of 13 hrs of scanning by Malwarebytes antivirus. Hope it will help you understand.

AdwCleaner found 10 items, but those are from Lenovo and I don't know what they are.

No virus was found by Malwarebytes after the reinstall. I will scan again if I am instructed.

*** (I have also included screenshots of the scans from when my laptop was hijacked, as Old Pic 1, 2, 3 & 4)

 

Thanks for reading and please help me out.

 

Adwcleaner report.PNG

MSERT result 3.PNG

MSERT result 2.PNG

MSERT result 1.PNG

Old Pic 3.PNG

Old Pic 4.jpg

Old Pic 1.PNG

Old Pic 2.PNG

FRST.txt Addition.txt


  • Root Admin

Hello and welcome @NANDANR

 

My screen name is AdvancedSetup and I will assist you with your system issues.

 

Let's keep these principles as we proceed. Make sure to read the entire post below first.

  • Please follow all steps in the provided order and post back all requested logs
  • Please attach all log files to your post, unless otherwise requested
  • Temporarily disable your antivirus or other security software first. Make sure to turn it back on once the scans have been completed.
  • Temporarily disable Microsoft SmartScreen to download the software below if needed. Make sure to turn it back on once the scans are completed.
  • Searching, detecting, and removing malware isn't instantaneous and there is no guarantee to repair every system.
  • Before we start, please make sure that you have an external backup, not connected to this system, of all private data.
  • Do not run online games while the case is ongoing. Do not do any free-wheeling or risky web-surfing.
  • Only run the tools I guide you to use. Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Cracked, Hacked, or Pirated programs are not only illegal but also can make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryption. It is at times also a big source of current Trojan infections. If there are any on the system you should uninstall them before we proceed.
  • Please be patient and stick with me until I give you the "all clear". We don't want to waste your time, please don't waste ours.
  • If your system is running Discord, please be sure to Exit it while this case is ongoing.

 

To address speed issues: when you first installed Windows you had NO applications installed. Today you have 90 items listed as installed (many are multiple elements of the same program), but every application you install has at least a small performance hit.

You're running the Everything search program (which is a nice tool that I also use) but it has a big hit on the disk too. So, having slower load times after installing other applications is very much normal and not a sign of an infection.

 

You have Java(TM) SE Development Kit 11.0.16 (64-bit) installed. Do you do Java programming?
 

I'm not saying the Iridium Browser is bad, but it does not have as big a team backing it to fix bugs and get bugs reported as Google, MS Edge, and probably Brave have. They all use the same basic Chromium browser and make their own modifications to it. The point being that for real security, if you're going to use a Chromium-based browser, it's probably better to go with Brave or MS Edge, which have a larger team looking after them and their security.

 

 

Please restart the computer one more time. Then run a new scan with both Kaspersky and Malwarebytes and let me know if either one finds anything NEW.


Hello, thanks for your reply

I ran a full system scan in Malwarebytes and Kaspersky, and no malware was detected.

But in Kaspersky's log file, it says "MiniTool Partition Wizard 12\7z.exe    Detected and Audacity    Not processed    Object not processed        File not found    File". Please look into it.

I have attached the log file and results to this post

 

1:

I reinstalled my laptop on 03/09/2022, so it is a fresh install.

Edition: Windows 10 Home Single Language
Version: 21H2
Installed on: 9/3/2022
OS build: 19044.1949
Experience: Windows Feature Experience Pack 120.2212.4180.0

I had to continue some work, which is why I immediately installed applications. But I am confused about how I have 90 programs on my laptop.
I have mentioned and explained the programs I use at the end of this post; if you find anything suspicious I will uninstall it.

The only reasons I think I have malware on my device after the reinstall are:

- High CPU usage from both Windows Defender and Malwarebytes (refer to the screenshot)
- Microsoft Support Emergency Response Tool detected infected files and something called VirTool:Win32/DefenderTamperingRestore

I forgot to mention that in the notification section of Malwarebytes I got RTP detections after reinstalling Windows 10, from qBittorrent (I was using it to download a Raspberry Pi ISO image) and SoftEther VPN (refer to the screenshot).

Before I was infected by malware, and even though I had installed all the programs mentioned above,
BIOS time was 2.2 seconds and startup was fast.
Now with the same programs it is 4-5 seconds, and if I open Task Manager there is high CPU usage from both Windows Defender and Malwarebytes.

Can you tell me about the result from AdwCleaner? It found 10 items.


2:

The last time I remember "Everything" using more system resources was when I indexed my USB drive to search files on my pen drive, as I store college files, notes, and documents there:
open Everything > Tools > Options > under Indexes > Folder > add the path of my USB drive

I agree with you that it takes system resources, but for me this was the last time it ran consuming heavy resources.

 

3:

I am learning Java but didn't install the IDE yet; same for Python.
I am using online compilers for now, as I am waiting for my laptop to get rid of the malware.

 

4:

Iridium (thanks for letting me know; I only used it since it used less memory). Do you recommend Brave or Edge?

Tell me if I can uninstall the following programs:
Clementine, TechPowerUp GPU-Z, Simple Shutdown Timer, Spotify
 

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

*** Please read till end ***

 

Below are the programs I use:

Amazon Kindle and calibre (for reading ebooks)
Belarc Advisor (I disable Windows 10 updates and use this software to manually install security updates only)
Bitwarden (password manager)
Dopamine (default music player)
CrystalDiskInfo 8.17.6 (my hard drive's (HDD) health is failing, so I use this to track the sector count)

Dashboard for checking SSD health
Everything (for searching files)
FileZilla and NitroShare for transferring files
Grammarly and Word, Excel (I use them together for writing and preparing reports)
Lenovo has 3 programs and all are important for getting updates from the manufacturer (I regularly get BIOS updates)

MediaHuman (audio converter)
MEGAsync (cloud storage)
Picasa 3 (default image viewer); it is lightweight and fast so I use it
NetSpeedMonitor (I use a metered connection so I need this program)
PowerToys (I use only FancyZones for multitasking)

SumatraPDF (default PDF viewer)
TagScanner (to tag my local MP3 music)
TeamViewer (for remote access from my mobile when I am out or away, because I need to access something when I can't carry the laptop outside)
WinDirStat (for checking disk usage)
VLC (default video player)


WinRAR (general use)
Zoom (general use)
Skype (general use)
Break Taker (general use)
Eye Defender (general use)
some Microsoft apps like OneNote, Office etc.

I recently started using different browsers for safety (I don't interchange their use):
Chrome (college work only), LibreWolf (surfing the web, reading articles and news websites), Firefox (personal use)


I am actually learning Java but didn't install the IDE yet; same for Python.
I use SD Card Formatter, Win32DiskImager or Rufus, and MiniTool Partition Wizard for managing ISOs for my Raspberry Pi 3B+ and 4 (SD card).
Notepad++ for practicing code and opening source code sent by my teachers.

*** Let me know if there are other applications I need to remove, because these are the programs I installed to my knowledge.

 

Thanks


3.PNG

kas full scan pic.PNG

Capture.PNG

1.PNG

Kaspersky full scan report.txt malwarebytea Full Scan report 10-09-22.txt


  • Root Admin

The entry from Microsoft is normal. I don't recall the exact build, but Microsoft added an anti-tamper setting a couple of builds back, I think.
Many things may have caused this setting to be disabled, including antivirus software, I'm sure. The Microsoft Safety Scanner just makes sure it's set, which is a good thing.
VirTool:Win32/DefenderTamperingRestore


I see no reason not to uninstall these:
Clementine, TechPowerUp GPU-Z, Simple Shutdown Timer, Spotify

I am not a fan of Chromium-based browsers myself. I prefer Mozilla Firefox, but sadly it has a lot of programmers who appear to work for Google, as with every update Firefox starts to look and feel more and more like Google Chrome.
I use the three main browsers, but for different things. I use Google Chrome only for YouTube, and no other browser for it. It helps to reduce some level of their massive tracking, but it's impossible to stop all of it.
I use Firefox as my main browser. I use MS Edge for a few websites from work that do not support Firefox. If you're using Firefox, make sure you use Multi-Account Containers for the different websites that you use often. It keeps them isolated from each other.


Using P2P for valid reasons is okay, but if possible other tools like curl or wget would be better, if they support what you're trying to download.

For starting out with programming, perhaps look into one of the virtual systems: Hyper-V, VMware Player or Workstation, Oracle VirtualBox, etc. That allows you to run almost anything you want without too much fear of damaging your main installation of Windows. You can also use snapshots with some of them, which is fantastic, as it allows you to fully damage the installation of Windows and within seconds restore it back as though nothing ever happened.

 

"Belarc Advisor (I disable Windows 10 updates and use this software to manually install security updates only)"
Playing this game, you will sooner or later probably be back here with an infected computer, or fixing it on your own.
It's your choice, and yes, Microsoft can sometimes break things, but delaying an update until you research it is better than thinking you're staying on top of things. Sooner or later things come up and we forget. Then some new exploit comes in and takes over your system and you're back to square one.

 

I've been doing computer support for a little over 30 years now. I have lost a handful of drives in that time, but keeping a program to track the drive to me is overkill. If you have to track like that then you might want to consider buying better hardware.

Nothing wrong with having software installed. Don't get me wrong. My point about having 90 programs installed was from you saying Windows was just installed. It was not just installed; it was months ago now, I take it? All good, really.


If you're transferring files via FileZilla, make sure you're using a secure protocol and not just FTP, which sends passwords in clear text.


For audio, I was impressed with this program years ago (I don't really do much music anymore):
https://www.dbpoweramp.com/

TeamViewer is an excellent program, just make sure you have an extremely strong password on it.

Zoom has a lot of updates; make sure you keep it updated often.

 

The usage for the Malwarebytes service is not normal. Was this a capture on a fresh startup of Windows? I see you're at 95% CPU in use, which would typically only happen at initial startup as all the programs start and settle in.

Here is a screenshot from my machine. I just restarted the computer a couple of hours ago, so I don't have all the other apps and browsers running that I'd normally have running on a work day, but you can see that Malwarebytes is hardly using any resources.

image.png

 

 

If you open an Admin-level command prompt you can use WINGET to check for and update most, if not all, of your current software versions.

You can LIST the programs and update just a single one or all of them at once:

winget list

winget upgrade --all

 

Please get me a new, fresh set of logs from the Farbar program.

FRST.TXT
ADDITION.TXT

 

Are you using Kaspersky as an installed antivirus or you were just using it for a one time scan?

 

 


  • Root Admin

If you really want to monitor what is running on your system, then upgrading to the Pro version of Windows and using policies, auditing, and Sysmon would help you to see and know much more about what is running on your system at any given time.


Compare Windows 10 editions
https://www.microsoft.com/en-us/windowsforbusiness/compare

Windows 10 Pro also has GPEDIT for Group Policies that the Home version does not have.
You can currently use your Windows 10 license to upgrade to Windows 11 if you choose, Home or Pro.


 

The cost to upgrade to the Pro version is about $100 though so it's not cheap.

 

 

 


Thanks for your reply

I have attached the frst.txt and addition.txt

Reply to your questions

1:

I was using Kaspersky as the default antivirus, but when it couldn't detect all the malware I had to reinstall Malwarebytes
(it was on the free version; I did that to get the premium trial version), and when I realized more malware was on my laptop that Kaspersky couldn't find,
I reinstalled Windows 10 on my laptop.

I even had RTP detections after the reinstall on 3/09/22 and 4/09/22, so I uninstalled qBittorrent and SoftEther VPN, but I want to use them and am not sure what to do. And AdwCleaner detected the 10; all are programs from Lenovo (I had reported this in my earlier post; I can share the log file).

(waiting for your reply on the two above)


2:

YES, it is on a fresh start-up of Windows. After my laptop starts up, if I open Task Manager it starts by not responding, followed by a blank screen, then a red color appears on the CPU and Disk, and by the time I open the Snipping Tool, 5 to 10 seconds later, it is gone.


Both Malwarebytes and Windows Defender are responsible for throwing my BIOS time from 2.2 to 4-5 seconds.

Surprisingly, after you told me to get the report from Kaspersky, I had to deactivate Malwarebytes Premium. After a full scan, I restarted the laptop, and then Windows Defender doesn't load at all! (It's like Defender is not on my laptop anymore.) But if I disable Kaspersky I think it will start running again (I have attached the screenshot).

BIOS time is reduced back to 2.9 seconds, but I'm still not convinced, and as I am planning to switch to Malwarebytes or Bitdefender (as I am not happy with Kaspersky) I don't want the BIOS time to shoot up.

 

3:
I was thinking the same about installing a virtual system, but I have two questions here.

I have a Core i3 7th gen processor and plenty of storage and RAM. Considering that I won't run any other program in the background,
can I run the virtual system on my machine?

Can you tell me how to run / from where to get Windows 10 for the virtual system? I don't know how.

 

------------------------------------------------------------------------------------------------------------------------------------

I have to wait till Christmas to get a new HDD. I am trying to manage till then.

I use ftps:// <ip address>. I only use them to transfer files from mobile to laptop, and I run them only when needed.

Honestly, this is the first time I was infected by malware in my 8 years as a computer user. Between 2018 and 2020 updates from Microsoft Update were very bad, and that is how I learnt to perform a reinstall of Windows 10 from USB. It saved me from going to the service center back to back.

But I agree with you on Belarc Advisor, though I don't know whether to trust Microsoft updates or myself. I will stop using it.

I was using Ninite to update programs; I will stick with winget from now on (thanks for recommending it, it is useful).

 

The only reason why I am monitoring my system is because

I suspect having malware after reinstalling Windows 10 (because of high CPU usage and RTP detections), and I have a backup on the HDD, which is failing after a bad sector count error.

Beyond this I don't have any reason to monitor.

 

I appreciate the time and patience you are taking to help me.

Thanks

 

1.PNG

2.PNG

Capture.PNG

FRST.txt Addition.txt


  • Root Admin

AV: Kaspersky Total Security (Enabled - Up to date) {4F76F112-43EB-40E8-11D8-F7BD1853EA23}
FW: Kaspersky Total Security (Enabled) {774D7037-0984-41B0-3A87-5E88E680AD58}

Kaspersky Total Security (HKLM-x32\...\{4FC79BE9-AD63-46C0-9626-E4F6BCE6A976}) (Version: 21.3.10.391 - Kaspersky) Hidden
Kaspersky Total Security (HKLM-x32\...\InstallWIX_{4FC79BE9-AD63-46C0-9626-E4F6BCE6A976}) (Version: 21.3.10.391 - Kaspersky)
Kaspersky VPN (HKLM-x32\...\{FF2A12B8-AEB7-48C0-95C8-E2E3D67DFCB2}) (Version: 21.3.10.391 - Kaspersky) Hidden
Kaspersky VPN (HKLM-x32\...\InstallWIX_{FF2A12B8-AEB7-48C0-95C8-E2E3D67DFCB2}) (Version: 21.3.10.391 - Kaspersky)

 

So, at the moment it looks like a full real-time protection version of Kaspersky is running. (It is a great product, but again, be careful, as it can easily conflict with Malwarebytes.)

 

Don't check any box on AdwCleaner and there should be a next button or something like that. Then AdwCleaner should stop detecting the Vendor software.

 

 

1.
Was just curious about the Kaspersky as Malwarebytes can have issues running alongside it. If you're no longer using it as your main AV then no issue.

AdwCleaner targets add-on software for vendors. In some cases I can agree but in many cases I don't think it should remove them. You can uncheck the items and tell AdwCleaner to not detect them again.

2
"YES, it is on a fresh start-up of Windows."
Exactly, quite normal for all computers. Can and should be ignored. Go grab a drink or something while Windows is starting if that short time period really bothers you.

Windows Defender is designed to turn off when a full antivirus program is installed. Unless Kaspersky has changed something, it will always disable Windows Defender when it's running.
Malwarebytes can run with or without Windows Defender. Under Settings > Security, simply don't register Malwarebytes with the Security Center, and Windows Defender will continue to run without issues.


3
Yes, I think it's powerful enough. Obviously the virtual system won't be as fast as the physical one, but that too is normal.

Getting a copy of Windows is, or can be, an issue. You could virtualize your current system and use that, though that is probably not completely legal under Microsoft's terms, so you'd have to check on that.
A full copy of Windows is about $200 for a new license, but you also have to decide if it's truly an investment for you or just a hobby. Myself, I've bought a few licenses of Windows 10, as I use them often for business purposes.

The installation of Windows varies from vendor to vendor so it would also matter which one you're using but all of them have online guides that show you how to do the installs.

 

 

 

You can use Macrium Reflect Free to create an image of your current system and save it onto an external USB drive. It's basically like a zip file if you will but is a full system backup.

Then if something happens to the system you can restore very quickly.

 

Backup Software
https://forums.malwarebytes.org/index.php?/topic/136226-backup-software

 

 

I assume all is set and you're okay now and the computer is not infected. Let's go ahead then and do a bit of clean up. If you do need help with something else though, please let me know.

 

 

Let's go ahead and do some clean-up work and remove the tools and logs we've run.

Please download KpRm by kernel-panik and save it to your desktop.

  • right-click kprm_(version).exe and select Run as Administrator.
  • Read and accept the disclaimer.
  • When the tool opens, ensure all boxes under Actions are checked.
  • Under Delete Quarantines select Delete Now, then click Run.
  • Once complete, click OK.
  • A log will open in Notepad titled kprm-(date).txt.
  • Please attach that file to your next reply. (not compulsory)

 

  1. Recommend using a Password Manager for all websites, etc. that require a password. Never use the same password on more than one site.
    https://www.howtogeek.com/240255/password-managers-compared-lastpass-vs-keepass-vs-dashlane-vs-1password/
  2. Make sure you're backing up your files https://forums.malwarebytes.com/topic/136226-backup-software/
  3. Keep all software up to date - PatchMyPC - https://patchmypc.com/home-updater#download
  4. Keep your Operating System up to date and current at all times - https://support.microsoft.com/en-us/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2
  5. Further tips to help protect your computer data and improve your privacy: https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/ 
  6. Please consider installing the following content blockers for your web browsers if you haven't done so already. This will help improve overall security:

Malwarebytes Browser Guard

uBlock Origin

 

Further reading if you like to keep up on the malware threat scene: Malwarebytes Blog  https://blog.malwarebytes.com/

Hopefully, we've been able to assist you with correcting your system issues.

Thank you for using Malwarebytes
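As an added example (not from this thread, nor from Malwarebytes, Kaspersky or Microsoft), here is a read-only PowerShell check for two points raised above: the Defender tamper-protection setting that the MSERT entry VirTool:Win32/DefenderTamperingRestore puts back, and which antivirus products are registered with Security Center, which is what decides whether Defender steps aside for Kaspersky or Malwarebytes. It uses only cmdlets built into Windows 10; the productState decoding is a widely used convention, not a documented format.

```powershell
# Added example, not from this thread. Run from an elevated PowerShell on Windows 10.
# Everything here is read-only: it reports state and changes nothing.

# 1. Defender's own view of itself (Defender module, built into Windows 10).
#    AMRunningMode is 'Normal' when Defender is the active AV and 'Passive Mode'
#    when a registered third-party AV has taken over, which is the
#    "Defender doesn't load" effect described in the thread.
$mp = Get-MpComputerStatus
[pscustomobject]@{
    AMRunningMode             = $mp.AMRunningMode
    AMServiceEnabled          = $mp.AMServiceEnabled
    RealTimeProtectionEnabled = $mp.RealTimeProtectionEnabled
    IsTamperProtected         = $mp.IsTamperProtected
    SignaturesLastUpdated     = $mp.AntivirusSignatureLastUpdated
} | Format-List

# 2. The registry value behind tamper protection. 5 = on, 4 = off; anything else
#    (or a missing value) is reported as unknown rather than guessed at.
$features = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features' `
                             -ErrorAction SilentlyContinue
switch ($features.TamperProtection) {
    5       { 'TamperProtection registry value: 5 (enabled)' }
    4       { 'TamperProtection registry value: 4 (disabled)' }
    default { "TamperProtection registry value: $($features.TamperProtection) (unknown/absent)" }
}

# 3. What Security Center lists as antivirus products. Third-party AVs register
#    here; Defender goes passive while one is active. productState is undocumented;
#    the commonly used decoding of its six hex digits is:
#      digits 1-2 = product type, digit 3 = 1 if real-time protection is on,
#      digit 5 = 0 if signatures are current (1 = out of date).
Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct |
    ForEach-Object {
        $hex = '{0:X6}' -f $_.productState
        [pscustomobject]@{
            Product  = $_.displayName
            State    = $hex
            Running  = ($hex[2] -eq '1')
            UpToDate = ($hex[4] -eq '0')
            Exe      = $_.pathToSignedProductExe
        }
    } | Format-Table -AutoSize
```

If the Security Center table shows a third-party product as Running while Defender reports 'Passive Mode', that is the documented hand-off, not a sign of tampering; a TamperProtection value of 4 is the condition the MSERT entry was correcting.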

 


  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy: Tips to help protect from infection

Thank you

 

 

This topic is now closed to further replies.