Malware reinstalled after clean install

[milakk]

I have been having problem with malware for a few months. Geek Squad did not help as well as another IT technician who wiped out hard drive and installed windows. Two  weeks after a clean installation, I started having problem with booting computer. I run Microsoft defender that found Trojan and quarantined it. I run immediately a second scan and Microsoft defender found 2 Trojans and quarantined it. I run 3 scan and Microsoft defender found another Trojan. I reinstalled Windows but I have problems with Windows updates as malware does not let to install it. Could you help me to get rid of quite nasty malware.  

[AdvancedSetup]

Hello @milakk and

 

Let's go ahead and run a couple of scans and get some updated logs from your system. Please read the entire post below before starting so that you're more familiar with the process

[ 1 ]

Please make the following system changes.

• Temporarily disable your antivirus real-time protection or other security software first only if it blocks or interferes with the scans or downloads.. Make sure to turn it back on once the scans are completed.
• Temporarily disable Microsoft SmartScreen to download software below only if needed. Make sure to turn it back on once the scans are completed.
• Disable-Fast-Startup
• Show-Hidden-Folders-Files-Extensions

[ 2 ]

Malwarebytes AdwCleaner

Let's do a special run of Malwarebytes AdwCleaner to help prepare the computer to be able to run other scanning software that may be blocked

Please read all the information below before starting so that you have a good understanding of the process.
Take your time and be careful. Make sure you select all of the listed items below - before- pressing the scan button.

 

• Please download Malwarebytes AdwCleaner and save the file to your Desktop or Downloads folder.
• Here is another link to download if the link above does not work:  Malwarebytes AdwCleaner alternative link
• Locate the program where you downloaded it. Double-click to start AdwCleaner.  Do not rush. There are a few choices to set as listed below.
• Malwarebytes AdwCleaner guide
• Reply YES at the Windows prompt to allow the program to proceed and make changes. That is the usual Windows security prompt.
• Accept the End User License Agreement.
• Wait until the database is updated. Do Not click on anything yet.

 

When AdwCleaner starts, on the left side panel of the window, click on Settings and enable these repair actions on the Application tab

Clicking their button to the far-right will enable the ON status

 

• Delete IFEO keys
• Delete tracing keys
• Delete Prefetch files
• Reset Proxy
• Reset Chrome policies
• Reset IE Policies
• Reset Winsock
• Reset Hosts file (If you're not having any issues accessing security or other websites you can uncheck this item)

 

 

ONLY after you have set the selections above ....only after that .....

Now On the left side of the AdwCleaner window, click on the Dashboard panel and then click the Scan button to perform a computer scan.

 

 

• DO NOT uninstall or remove the Preinstalled software if found. Uncheck any items listed for Preinstalled
• When finished, if items are found please click Quarantine to finish the cleaning process.
• Your PC should reboot now if any items were found.
• After reboot, a log file will be opened. Attach that log to your next reply. You can also open the Log Files panel to locate.
• This can take several minutes to complete, please be patient.
• When the AdwCleaner scan is completed it will display all of the items it has found. Click on the Quarantine button To remove what it found.
• AdwCleaner will now prompt you to save any open files or data as the program will need to close any open programs before it starts to clean.
• Click on the Continue button to finish the removal process.
• If No Detections are found, Click the Basic Repair button to have it reset the checked items above.

[ 3 ] 

Malwarebytes for Windows

• If you already have Malwarebytes installed then open Malwarebytes and click on the small gear icon, then click on the "Check for updates" button on the General tab.
• After any updates, click the middle Scan button from the main page. It will automatically run a Threat Scan.
• If you don't have Malwarebytes installed yet, please download it from here or alternative link and install it.
• Once installed then open Malwarebytes and select Scan and let it run.
• Once the scan is completed, make sure you have it quarantine any detections it finds.
• If no detections were found click on the Save results drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
• If there were detections then once the quarantine has completed click on the View report button, Then click the Export drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
• If the computer restarted to quarantine you can access the logs from the Detection History, then the History tab. Highlight the most recent scan and double-click to open it. Then click the Export drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
• If Malwarebytes won't run then please skip to the next step and let us know in your next reply that the scanner would not run.

 

View Reports and History in Malwarebytes for Windows v4
https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows

Malwarebytes for Windows v4 guide
https://support.malwarebytes.com/hc/en-us/articles/360038984693-Malwarebytes-for-Windows-v4-guide

 

RESTART THE COMPUTER Before running Step 4

[ 4 ]

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

• Please rename FRST.EXE or FRST64.EXE to FRSTEnglish.exe
• After renaming the file right-click over FRSTEnglish.exe and select "Run as administrator"
• When the tool opens click Yes to the disclaimer
• Make sure there is a check mark in the Addition.txt check box
• Press the Scan button.
• It will make a log FRST.txt and Addition.txt in the same directory the tool is run from. Please attach both logs to your next reply.

 

 

Thank you

 

Example image of where to click to attach files when posting your reply

 

 

 

[milakk]

Thank you for your response. Before I got your response, I disabled Fast- Start- Up as well as Show-Hidden-Folder-Files-Extensions, downloaded AdvCleaner but without enabling Basic Repair Action.  AdwCelaner  displyed "no items" flagged and I Run Basic Repair. I have attached a log. I will run again with Basic Repair Action you have suggested.

 

AdwCleaner_Debug.log

[AdvancedSetup]

No, if it found nothing, please run the Malwarebytes scan as well as the Farbar (FRST) scanner and post back their logs

Thanks

 

[milakk]

I have already run Malwarebytes and it found nothing. I will run Farbar.

[milakk]

Those are Farber scans.

FRST.txt Addition.txt

[AdvancedSetup]

The logs indicate that all Windows Updates and / or Driver Updates are not completed. In most cases Microsoft Updates can install the drivers for hardware as well but you have to check into the Advanced options

==================== Faulty Device Manager Devices ============

Name: SM Bus Controller
Description: SM Bus Controller
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: PCI Memory Controller
Description: PCI Memory Controller
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

 

 

 

The logs actually look pretty clean. Please go ahead and run the following scan and clean up

 

Please run the following fix

 

NOTE: Please read all of the information below before running this fix.

• NOTICE: This script was written specifically for this user, for use on this particular machine.
• Running this on another machine may cause damage to your operating system that cannot be undone.

Once the fix has been completed, please attach the file FIXLOG.TXT to your next reply

Farbar program:   FRSTEnglish.exe

Save the attached file:  FIXLIST.TXT to this folder C:\Users\Kasia\Desktop\

NOTE. It's important that both files, FRSTEnglish.exe, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

 

 

Run the Farbar program with Admin rights and press the Fix button just once and wait.

The fix may possibly take up to 60 minutes to complete

If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log named Fixlog.txt in the same folder you ran the Farbar program from. Please attach that log on your next reply.

 

1. NOTE:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity.
2. NOTE: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications may be automatically closed.
               Also, make sure you know the passwords for all websites as cookies may possibly be removed in some cases, but not all cases.
3. NOTE: As part of this fix, it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

• Windows Temp
• Users Temp folders
• Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
• Recently opened files cache
• Discord cache
• Java cache
• Steam HTML cache
• Explorer thumbnail and icon cache
• BITS transfer queue (qmgr*.dat files)
• Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

 

[milakk]

I am puzzled because when I look at Addition.txt there were so many errors such systems errors, application errors, drivers not installed. Very scary to read!  Could you please explain me this log.

[AdvancedSetup]

Let's clean up the computer first, then we'll run some updates to get those other errors corrected. Please follow the directions above

Thank you

 

[milakk]

Thank you. I have uncounted some problems. When i downloaded Malwarebytes, it did not change security setting and Microsoft defender was on. I disabled Microsoft virus and threat protection and firewall. Should I turn off anything else. I uninstalled Malwarebytes for the purpose of scan.

[AdvancedSetup]

You should not need to uninstall Malwarebytes. You simply need to right-click over the tray icon and Quit the program if needed. In most cases though our program does not block or prevent Farbar from doing it's job.

Please go ahead and download, reinstall Malwarebytes

https://downloads.malwarebytes.com/file/mb4_offline

Then check for updates, then restart the computer again.

Then run the Farbar FIX above. If Windows Defender or Smart Screen attempt to block it tell them it's safe and that you want to keep them.

 

[milakk]

This is log,

Fixlog.txt

[AdvancedSetup]

Great, that looks good.

Please run the following scanner now

 

Microsoft Safety Scanner

Please make sure you Exit out of any other program you might have open so that the sole task is to run the following scan.   
That goes especially for web browsers, make sure all are fully exited out of and messenger programs are exited and closed as well
 

STEP 1

Please set File Explorer to SHOW ALL folders, all files, including hidden ones.  Use OPTION ONE or TWO of this article

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

STEP 2

I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on the Scan Options & select the FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

• Once you see it has started, take a long long break;  walk away.  Do not pay credence if you see some intermediate early flash messages on the screen display.  The only things that count are the End result at the end of the run.
• The scan will take several hours.  Leave it alone. It will remove any other remaining threats as it goes along.  Take a very long break, do your normal personal errands .....just do not use the computer during this scan.

This is likely to run for many hours as previously mentioned  ( depending on the number of files on your machine & the speed of the hardware.)

The log is named MSERT.log  and the log will be at C:\Windows\debug\msert.log

Please attach that log with your next reply.

 

It is normal for the Microsoft Safety Scanner to show detections during the scan process.

It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.

Then it writes into the log on your computer what it found.

 

Thank you

 

[milakk]

I have run Microsoft Safety Scanners. I  have followed step 1 to show all folders. But I got a strange log. I have a screenshot of  results of the scan. Have I done something wrong by a mistake?

msert.log

[AdvancedSetup]

No that is okay. It says it found a setting that was not right and removed it.

Please go ahead and run the following and we'll have it double-check the system

 

 

 

Please download and run the following Kaspersky Virus Removal Tool 2020 and save it to your Desktop.

(Kaspersky Virus Removal Tool version 20.0.10.0 was released on November 9, 2021)

Download: Kaspersky Virus Removal Tool

https://devbuilds.s.kaspersky-labs.com/devbuilds/KVRT/latest/full/KVRT.exe

How to run a scan with Kaspersky Virus Removal Tool 2020
https://support.kaspersky.com/15674

How to run Kaspersky Virus Removal Tool 2020 in the advanced mode
https://support.kaspersky.com/15680

How to restore a file removed during Kaspersky Virus Removal Tool 2020 scan
https://support.kaspersky.com/15681

 

Select the     Windows Key and R Key together, the "Run" box should open. Drag and Drop KVRT.exe into the Run Box. C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the run box. add -dontencrypt   Note the space between KVRT.exe and -dontencrypt C:\Users\{your user name}\DESKTOP\KVRT.exe -dontencrypt should now show in the Run box.   That addendum to the run command is very important, when the scan does eventually complete the resultant report is normally encrypted, with the extra command it is saved as a readable file. Reports are saved here C:\KVRT2020_Data\Reports and look similar to this report_20210123_113021.klr Right-click direct onto that report, select > open with > Notepad. Save that file and attach it to your reply. To start the scan select OK in the "Run" box. A EULA window will open, tick all confirmation boxes then select "Accept" In the new window select "Change Parameters" In the new window ensure all selection boxes are ticked, then select "OK" The scan should now start... When complete if entries are found there will be options, if "Cure" is offered leave as is. For any other options change to "Delete" then select "Continue" When complete, or if nothing was found select "Close" Attach the report information as previously instructed...   Thank you

 

 

[milakk]

I have run again Microsoft Safety Scanners. The same virus has returned and was deleted again. I am going to run Kaspersky Virus Removal Tool.

msert.log 2.txt

[milakk]

I followed every step and I  got a very strange report. I can not attach  it here. I don not know what to do.

[AdvancedSetup]

Please run the Kaspersky scan again then and make sure you follow the exact directions.

Thanks

 

[milakk]

 Thank you for your response. I will run Kaspersky again.  Kaspersky haven't found any threats but has not created a report.  Meantime, I run  Microsoft Safety Scanner and the virus returned again.

msert.log 3.txt

[AdvancedSetup]

This is not a virus. Please try the following

 

Please make the following change in Malwarebytes if you're using the Premium or Trial version

• Please open Malwarebytes. Click on the small gear icon to open the Settings and go to the Security tab.
• Then turn off "Always register Malwarebytes in the Windows Security Center"
• Restart the computer

 

It is highly unlikely that you need to setup exclusions for Windows Defender, however if you experience any issues, please see the following article and setup exclusions
between Malwarebytes and Windows Defender

Malwarebytes for Windows antivirus exclusions list
https://support.malwarebytes.com/hc/en-us/articles/360038522974-Malwarebytes-for-Windows-antivirus-exclusions-list

 

I'll check back on you again sometime tomorrow

 

[milakk]

I  have run Kaspersky again. I got the same report but this time I could attach it here.

report_2023.12.04_22.27.19.klr.enc1 2.txt

[milakk]

I have turned off "Always register Malwarebytes in Windows Security Center"  but  Windows Security warns under Virus and Protection action needed and there is no Malwarebytes protection.

[milakk]

When I turned  on again "Always register Malwarebytes in Windows Security Center", I have Malwarebytes protection.

[AdvancedSetup]

Please turn Malwarebytes registration to Security Center to off. You have protection at all times with or with out it. If you want to have it on then ignore the result from Windows Defender as it will always see that.

The Kaspersky scan was not run properly as that is an encrypted log. The instructions show you how to run it so that it does not encrypt the log.

If you're unable to do it properly then get me a Screenshot of what it found when done.

 

 

[milakk]

I have done Kaspersky scan using tool-system analyze and Kaspersky did not create a report either. This is a second scan. The third one was the same as previous. it is just  a  line with strange symbols. 

report_2023.12.04_22.27.19.klr.enc1 2.txt