Had trojan - not sure if false positive, how can I be sure it's gone?


@F0rceofnature

Although I will not be directly assisting you, a malware removal expert will be along to assist after you do the following.

Let's get the info to get the process started. Be aware it will take many steps and scans to fully remove malware.

Please respond to all future instructions from your helper in a timely manner.

Let's go ahead and run a couple of scans and get some updated logs from your system. Please read the entire post below before starting so that you're more familiar with the process

Then follow each step in the order provided. Unless otherwise asked, please attach all logs

 

Please make the following system changes: Please pay close attention to the instructions in all of the following links.

  • If you have not done so already - Enable System Protection and create a NEW System Restore Point
  • Temporarily disable your antivirus real-time protection or other security software first only if it blocks or interferes with the scans or downloads. Make sure to turn it back on once the scans are completed
  • Temporarily disable Microsoft SmartScreen to download software below only if needed. Make sure to turn it back on once the downloads are completed
  • Disable-Fast-Startup
  • Show-Hidden-Folders-Files-Extensions

Please run the following scans: Please pay close attention to the instructions in all of the following links.

  1. Click the following link and run a  Scan with AdwCleaner
  2. Click the following link and run a  Scan with Malwarebytes 
       RESTART the computer
  3. Click the following link and run a  Scan with Farbar Recovery Scan Tool 

Example image of where to click to attach files when posting your reply

Then be patient for the next expert to take your case.

 

Thank you


:Welcome:  :)
 
I'll be helping you with your computer.
 
Please read this post completely before beginning. If there's anything that you do not understand, please don't hesitate to ask before proceeding.
 
Please take note of the guidelines for this fix:

  • Please note that I am a volunteer. I do have a family, a career, and other endeavors that may prevent immediate responses that meet your schedule. Do note that the differences in time zones could present a problem as well. Your patience and understanding will be greatly appreciated.
  • First of all, the procedures we are about to perform are specific to your problem and should only be used on this specific computer.
  • Do not make any changes to your computer that include installing/uninstalling programs, deleting files, modifying the registry, nor running scanners or tools of any kind unless specifically requested by me.
  • Please read ALL instructions carefully and perform the steps fully and in the order they are written.
  • If things appear to be better, let me know. Just because the symptoms no longer exist as before, does not mean that you are clean.
  • Continue to read and follow my instructions until I tell you that your machine is clean.
  • If you have any questions at all, please do not hesitate to ask before performing the task that I ask of you, and please wait for my reply before you proceed.
  • Scanning with programs and reading the logs do take a fair amount of time. Again, your patience will be necessary.  :)

Let's begin... 

Your computer is full of hidden files. Let's try to make a list of these. We will also remove files in specific folders. 

  • Download the enclosed file Fixlist.txt
  • Save it in the same location FRST64.exe is saved (FRSTEnglish.exe)
  • Start FRST (FRST64) with Administrator privileges 
  • This time around, press the Fix button and wait
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.

Please attach this file in your next reply. If too large, use an online upload service and post the link. www.wetransfer.com is a good site.


52 minutes ago, JSntgRvr said:


After the restart, I am unable to log in to my Windows profile. It's giving me the error "The User Profile Service Failed the Logon".


1. Boot Windows in Safe Mode

To make changes in Windows, you must enable safe mode because you cannot log in due to the error message. The error often occurs because of duplicate entries, so we need to manually rename the entries to fix this error message. To do this, you need to boot into safe mode.

Safe Mode is a mode in which the user diagnoses the cause of a problem, as it does not allow irrelevant services, third-party applications, and GPU drivers to load at startup, since these could cause issues. Therefore, follow the steps below to boot into Safe Mode:

 

  1. On the sign-in screen, click the power button in the bottom right corner.
  2. Hold the Shift key, and then click Restart.
  3. The Options Screen window will appear; click Troubleshoot > Advanced Options > Startup Settings
  4. And then, click ‘Restart‘ from the bottom right.
  5. Once the computer restarts, press 5 or F5 on the keyboard to enable Safe Mode (or Safe Mode with Networking).
  6. Once finished, see if you can obtain the Fixlog.txt and attempt to upload it.
  7. Run FRST64 once again and attach the logs.

1 minute ago, JSntgRvr said:


Windows is asking me for a password, but my profile's password doesn't seem to work (the same password works when I log in via Outlook, though). I'll try to boot into safe mode via a Win10 USB.


6 hours ago, JSntgRvr said:

Upload the Fixlog.txt that must be next to FRST64.exe. If too large, use an online service such as www.wetransfer.com.

Hope you are able to detect the issue at hand :( thank you so much for your time and assistance!

 

Edited by AdvancedSetup
Logs removed per request

Let's start blasting:

  • Download the enclosed file Fixlist.txt
  • Save it in the same location FRST64.exe is saved (FRSTEnglish.exe)
  • Start FRST (FRST64) with Administrator privileges 
  • This time around, press the Fix button and wait
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.

Please attach this file in your next reply. If too large, use an online upload service and post the link. www.wetransfer.com is a good site.


Windows Resource Protection found and successfully repaired corrupted files.

After checking the filters in your computer, it seems that you have a Traps™ Advanced endpoint protection program that creates those hidden files for your protection. I was not aware of such a program.

Dr.Web CureIt!

Please download the Dr.Web CureIt! anti-virus utility
https://free.drweb.com/

 

You will need to send them an email to obtain a link to download the scanner, please do so

  • The downloaded file will normally have a unique name such as:  q7a9tr4p.exe
  • Close all open applications and locate the downloaded file and double-click to run it
  • The program will take a moment to launch and bring up the License and Update screen
  • Place a check mark to agree to the terms and then click on the Continue button
  • Click the underlined link Select objects for scanning
  • On the top left click the Scanning objects that should automatically check all objects
  • Click the small wrench and make sure there is a check on Automatically apply actions to threats
  • Then click the large button on bottom right Start scanning
  • Once the scan has completed there will be a link named Open report click that and a log named cureit.log should open in Notepad
  • The log is saved in the folder named Doctor Web in the top of your user profile folders
  • Please attach that log on your next reply

33 minutes ago, JSntgRvr said:


Hey there! The Traps™ Advanced antivirus is one I received from my workplace (I work remote, and some other users were hacked in the past, so they are trying to minimize any risks).

 

The program is called Cortex XDR (by PaloAlto Networks)


9 minutes ago, JSntgRvr said:

I am glad you have that additional protection. Those hidden files and folders were overwhelming. 

Thanks for the feedback. 

Well, not a big fan of this program since it has higher rights than me on my own PC. I fear that the profile issue may have been caused by this antivirus as well? Apparently you can't even uninstall it, let alone exit the task. 


The profile issue was due to the removal of hidden files in your profile folder. You have removed the FRST and Addition logs. Run this command at a command prompt.

Reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall /s >%Userprofile%\Desktop\Uninstall.txt

A report will be produced on your desktop, Uninstall.txt. Attach it to a reply.
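To review the Uninstall.txt that the `reg query ... /s` command above produces, here is a small added parser (my own example, not from the thread or from any tool it mentions). The sample text is constructed; only the product GUID and name come from the thread, and the second entry is made up.

```python
import re
from typing import Dict, List

# Constructed sample of what `reg query HKLM\...\Uninstall /s` writes to
# Uninstall.txt. The GUID and "Cortex XDR" appear in the thread; the
# second entry and all other value data are invented for this demo.
SAMPLE_UNINSTALL_TXT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7D8D4FBA-B63A-4476-A5BD-2906650164DD}
    DisplayName    REG_SZ    Cortex XDR
    Publisher    REG_SZ    Palo Alto Networks
    NoModify    REG_DWORD    0x1
    NoRepair    REG_DWORD    0x1
    UninstallString    REG_EXPAND_SZ    MsiExec.exe /X{7D8D4FBA-B63A-4476-A5BD-2906650164DD}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ExampleTool
    DisplayName    REG_SZ    Example Tool 1.0
    UninstallString    REG_SZ    "C:\Program Files\Example\unins000.exe"
"""

# reg query prints each value as: <indent>Name<4 spaces>REG_TYPE<4 spaces>Data
_VALUE_RE = re.compile(r"^\s+(\S+)\s{2,}(REG_\w+)(?:\s{2,}(.*))?$")


def parse_reg_query(text: str) -> Dict[str, Dict[str, str]]:
    """Turn `reg query /s` output into {key_path: {value_name: data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):          # a new registry key starts
            current = line.strip()
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, _type, data = m.groups()
            keys[current][name] = (data or "").strip()
    return keys


def review_uninstall_entries(text: str) -> List[dict]:
    """One record per installed product, flagging entries whose NoModify or
    NoRepair value is set (the flags the helper later removes by hand)."""
    report = []
    for path, values in parse_reg_query(text).items():
        if "DisplayName" not in values:
            continue  # nameless subkeys are not shown in Apps & Features
        report.append({
            "key": path.rsplit("\\", 1)[-1],
            "name": values["DisplayName"],
            "publisher": values.get("Publisher", ""),
            "uninstall": values.get("UninstallString", ""),
            "locked": any(values.get(f, "0x0") != "0x0" for f in ("NoModify", "NoRepair")),
        })
    return report


if __name__ == "__main__":
    for r in review_uninstall_entries(SAMPLE_UNINSTALL_TXT):
        print(("LOCKED " if r["locked"] else "       ") + f"{r['name']:<20} {r['key']}  {r['uninstall']}")
```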


1 hour ago, JSntgRvr said:


Thanks for the info! I had tried creating a new profile, and I got the same error today. For some reason, I also was unable to switch profiles because the switch profiles button was missing..? Was this also due to this same issue?

Uninstall.txt


Hmm, I tried creating a new profile on my Windows 10, and switching to that profile causes the same error as last time, rendering me unable to switch profiles and ultimately giving me no other option than to use a recovery image to restore a working Windows state (?) ._.


Visit the following site and download the following program

NirSoft - AdvancedRun
https://www.nirsoft.net/utils/advanced_run.html

Direct download link:
https://www.nirsoft.net/utils/advancedrun-x64.zip
 
Make a new folder.  C:\Advancedrun

Extract the advancedrun-x64.zip files to the C:\FIX folder as well

Disable any antivirus real-time protection and keep it off for now

Browse to the C:\Advancedrun folder and find the file AdvancedRun.exe. Right-click over it and select "Run as administrator"

Under Program to run: click the 3 ... dots and select C:\Windows\System32\cmd.exe

Under Run As:  select TrustedInstaller as shown and click the Run button

 

In the DOS window, if you type in WHOAMI and press the Enter key, it should show you that you are now
nt authority\system

 
Copy and paste the following commands to  this prompt one by one and Press Enter:

takeown /f "C:\Program Files\Cortex XDR" /r /d y

icacls "C:\Program Files\Cortex XDR" /grant TrustedInstaller:(OI)(CI)F /T

Reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7D8D4FBA-B63A-4476-A5BD-2906650164DD} /v NoModify /f

Reg delete HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7D8D4FBA-B63A-4476-A5BD-2906650164DD} /v NoRepair /f

MsiExec.exe /X{7D8D4FBA-B63A-4476-A5BD-2906650164DD}

 
These commands will remove the NoModify and NoRepair options in the key and will run the uninstall string as TrustedInstaller.
 
Let me know how it behaves.
 
In regard to your last reply, let me review my previous actions.
Edited by JSntgRvr
Added commands.

Let's see what we removed from the Default folder:

  • Download the enclosed file Fixlist.txt
  • Save it in the same location FRST64.exe is saved (FRSTEnglish.exe)
  • Start FRST (FRST64) with Administrator privileges 
  • This time around, press the Fix button and wait
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.

Please attach this file in your next reply. If too large, use an online upload service and post the link. www.wetransfer.com is a good site.
