
Exe Virus Keeps Coming Back in C:\Users\User*\AppData\Local\Temp\tmp Folder


Go to solution Solved by Maurice Naggar,


Hello,

 

I have a virus in my temp folder that I've removed 3-4 times, yet it continues to come back time and time again. It's an .exe virus. Both Malwarebytes and Windows Defender have stated they removed it, yet the virus returns after every restart of my computer. I'd like some help with how to get rid of this thing for good. (same as topic from


but when I follow these steps, the virus still returns

Thanks!

Link to post
Share on other sites

  • Solution
Posted (edited)

Hello. I will guide you. This is only a first step. 

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted items from a system. This tool does not install. It is run on-demand.

This link is for the 64-bit version of MSERT.exe. Be sure you save the file first.
https://definitionupdates.microsoft.com/download/DefinitionUpdates/safetyscanner/amd64/MSERT.exe

Upon completion of the save, launch MSERT.exe
Accept the agreement terms of Microsoft
Select CUSTOM scan
Look on Scan Options & select CUSTOM scan & then select the C drive to be scanned.

Then start the scan. Have lots of patience. Once you start the scan & you see it started, then leave it be.

Once you see it has started, take a long, long break; walk away. Do not give credence to any intermediate early flash messages you see on the screen display. The only thing that counts is the end result at the end of the run.
Again, any on-screen display about repeat 'infection' is not to be relied on. Ignore those.
We only rely on the end result that is in the log report file.


This is likely to run for many hours (depending on the number of files on your machine & the speed of the hardware).

The log is named MSERT.log

The log will be at

Windows\debug\msert.log
Please attach that log with your reply

It is normal for the Microsoft Safety Scanner to show 'detections' during the scan process on the screen itself.

It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.

NEXT 

Open an elevated command prompt window, i.e. run Command Prompt as an administrator.

On the Taskbar Search box, type in

cmd.exe


Click the line for "run as administrator"
 

It is best to use the Windows Copy (CTRL+C) and Paste (CTRL+V) for the whole line, as-is.

To get the elevated command prompt, press Windows-key + X and then select Command Prompt (Admin).

On that command prompt, copy & paste this command

 

cleanmgr.exe /AUTOCLEAN

and tap the Enter key. When it is all done, just close the window.

Edited by Maurice Naggar
Link to post
Share on other sites

When I scanned with Malwarebytes, it was detected as malware ai 594039853.


Here is the log MSERT.
msert.log

Note *: Before I scanned using MSERT, I deleted the suspicious folder named 'WAAM' at C:\Users\EndG\AppData\Local. And after I tried restarting the laptop, the .exe didn't reappear (I'm not sure if it's a solution yet).

After this, I will try the cleanmgr.exe /AUTOCLEAN step first

Link to post
Share on other sites

The Safety Scanner found 1 threat and it was a 'hacktool'.

-------------
Threat Detected: HackTool:Win32/Agent and Removed!
  Action: Remove, Result: 0x00000000
    file://C:\Users\EndG\Downloads\Berkas\idm641b3f\3. Patch\Patch.rar->Patch.exe->[RSRCEmb]
        SigSeq: 0x00001667A7C04675
    containerfile://C:\Users\EndG\Downloads\Berkas\idm641b3f\3. Patch\Patch.rar
	Results Summary:
----------------
Found HackTool:Win32/Agent and Removed!


If you play games or have other 'hack / crack / dodgy' downloads or installs, please be sure they are properly uninstalled.
Too often these types will bundle serious malware in their installer container.
Why You Shouldn't Use Pirated Software
https://www.computer.org/publications/tech-news/trends/why-you-shouldnt-use-pirated-software

Torrenting & file-sharing. Try to not do that, as a general security matter. All it takes is one malicious file to lead to tragedy & loss.
https://informationsecuritybuzz.com/articles/torrenting-know-risks-take/

Do a new scan with Malwarebytes for Windows.

Do a Check for Update using the Malwarebytes Settings >> General tab.

See this Support Guide https://support.malwarebytes.com/hc/en-us/articles/360042187934-Check-for-updates-in-Malwarebytes-for-Windows

When it shows a new version available, accept it and let it proceed forward. Be sure it succeeds.

If prompted to do a Restart, just please follow all directions.

Let me know how that goes. Next, the Malwarebytes scan.

Next click the blue button marked Scan.

 

When the scan phase is done, be real sure you Review and have all detected line items check-marked on each line on the left. That too is very critical.

>>>>>> 👉 You can actually click the topmost left check-box on the very top line to get ALL lines ticked (all selected). <<<< 💢


 

Please double verify you have that TOP check-box tick-marked, and that then all lines have a tick-mark.

 

Then click on the Quarantine button.


 


Then, locate the Scan run report; export out a copy; & then attach it with your reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

Link to post
Share on other sites
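As an added example (not part of any participant's post and not a Microsoft or Malwarebytes tool), the sketch below parses the MSERT.log entry format quoted in the reply above into structured detections and flags any that need follow-up. The function names are hypothetical, the second log entry is constructed, and two things are assumptions: that a `Result` of `0x00000000` means the action succeeded (consistent with the "and Removed!" line above), and that a saved log is UTF-16 when it starts with a byte-order mark.

```python
import re

# Constructed input: the first entry is the excerpt quoted in the post above; the
# second entry (threat name, path, result code) is invented to show a failed removal.
SAMPLE_LOG = r"""
-------------
Threat Detected: HackTool:Win32/Agent and Removed!
  Action: Remove, Result: 0x00000000
    file://C:\Users\EndG\Downloads\Berkas\idm641b3f\3. Patch\Patch.rar->Patch.exe->[RSRCEmb]
        SigSeq: 0x00001667A7C04675
    containerfile://C:\Users\EndG\Downloads\Berkas\idm641b3f\3. Patch\Patch.rar
Threat Detected: Constructed:Win32/Placeholder
  Action: Remove, Result: 0x80070005
    file://C:\Users\Example\AppData\Local\Temp\tmp\sample.exe
Results Summary:
----------------
Found HackTool:Win32/Agent and Removed!
"""

THREAT = re.compile(r"^\s*Threat Detected:\s*(\S+)", re.IGNORECASE)
ACTION = re.compile(r"^\s*Action:\s*([^,]+),\s*Result:\s*(0x[0-9A-Fa-f]+)")
RESOURCE = re.compile(r"^\s*([a-z]+)://(.+?)\s*$")

def parse_detections(text):
    """Return one dict per 'Threat Detected' entry, with action, result and resources."""
    detections, current = [], None
    for line in text.splitlines():
        if line.strip().startswith("Results Summary"):
            current = None  # summary lines repeat threat names; do not attach them
        elif m := THREAT.match(line):
            current = {"threat": m[1], "action": None, "result": None, "resources": []}
            detections.append(current)
        elif current is not None and (m := ACTION.match(line)):
            current["action"], current["result"] = m[1].strip(), int(m[2], 16)
        elif current is not None and (m := RESOURCE.match(line)):
            current["resources"].append((m[1], m[2]))  # (kind, path) e.g. file / containerfile
    return detections

def needs_followup(detections):
    """Entries with no recorded action or a non-zero result (assumed to mean failure)."""
    return [d for d in detections if d["action"] is None or d["result"] != 0]

def load_log(path):
    """Read a saved log; assumes UTF-16 when a BOM is present, otherwise UTF-8."""
    raw = open(path, "rb").read()
    bom = raw[:2] in (b"\xff\xfe", b"\xfe\xff")
    return raw.decode("utf-16" if bom else "utf-8", errors="replace")

if __name__ == "__main__":
    for d in needs_followup(parse_detections(SAMPLE_LOG)):
        print("follow up:", d["threat"], hex(d["result"]), d["resources"])
```

The `containerfile` resource is worth reading alongside the `file` one: it names the archive that held the detected item, which tells you which download to delete or uninstall.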

  • 2 weeks later...

I deeply apologize for the delay in my response. For virus hack tools, it might be true about pirated games. However, the virus that I mean regarding the AI virus has not been detected again until now. Thank you for the direction and help and deeply apologize for the delay in response

Link to post
Share on other sites

Alright, thanks. But do not go away. This is a safety checkup 

Temporarily disable Microsoft SmartScreen to download the next software below 

I would recommend getting a readout report as to update status of some key apps.
Download SecurityCheck by glax24 from here

and save the tool on the desktop.

If Windows SmartScreen blocks that with a message window, then
click on the MORE INFO spot and override that and allow it to proceed.

This tool is safe. SmartScreen is overly sensitive.

Right-click with your mouse on the Securitycheck.exe and select "Run as administrator" and reply YES to allow it to run & go forward.
Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file. Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

When all done, you may go back to turn ON the EDGE SmartScreen protection.

Link to post
Share on other sites

  • 1 month later...
  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks

 

Link to post
Share on other sites
