Windows 10: Computer Infection--Emergency!

Discussion in 'AntiVirus, Firewalls and System Security' started by AMDMan2016, Sep 21, 2016.

  1. Computer Infection--Emergency!


    Hi There

    Running Avast 12.3.2280 right now, and Malwarebytes for on-demand protection.


    Anyway, I started having the System process using CPU all the way up to 91 percent at times; it's down now. The first scan with Malwarebytes found Backdoor.SpyNet in a wsusoffline zip file, I think it was. A second scan with the ESET Online Scanner found 2 more infected files, names unknown yet. Defender, the other night when I was running that, found a Trojan Dropper in Temporary Internet Files. Should I just back up my data and do a clean install? Do I need to wipe the hard drive first? It's a 2 TB drive that will take ages to do, but I will do it if needed.

    Help and advice really needed this time.

    :)
     
    AMDMan2016, Sep 21, 2016
    #1
  2. Le Boule Win User


    Did you empty temporary internet files, restart the computer and run a Quick Scan with your antivirus program?



    If you think your computer may be infected by malware
    you may want to scan with the Emsisoft Emergency Kit: How to detect and remove threats with Emsisoft Emergency Kit



    OR



    See How to remove a Trojan, Virus, Worm and Malware (Windows Help Guide)



    Regards...



    Top 10 Ways PUPs Sneak Onto Your Computer. And How To Avoid Them.
     
    Le Boule, Sep 21, 2016
    #2
  3. Zai4Me Win User
    How do I check to find out and remove GozNym trojan from Windows 10

    The link you sent me in your message:

    Free scanners such as the Emsisoft Emergency Kit and Malwarebytes
    should detect this malware.



    How to detect and remove threats with Emsisoft Emergency Kit

    caused a problem, and Norton NPE had to be installed to remove both the application and two items from the registry that had contaminated my computer.

    Please do not recommend Emsisoft Emergency Kit to other people, as it is BAD!

    I will contact Norton regarding GozNym, and they may have some solution. I don't believe I have it on my computer.

    Thank you.
     
    Zai4Me, Sep 21, 2016
    #3
  4. simrick Win User


    Hi.
    I take it you don't make regular system images using a program like Macrium Reflect?
    Okay, let's try and clean this thing first.

    Run these scans, in this order, and post logs for each, using CODE tags (# button).

    1. Create a restore point
    2. RKILL
    3. TDSSKiller (select all options - it will reboot to scan properly)
    4. RKILL (again, because everything RKILL does is undone by a reboot)
    5. Malwarebytes Anti-Malware (run a custom scan, select the box to scan for rootkits, and check the box to scan your entire system drive)
    6. AdwCleaner (it will reboot to clean)
    7. JRT
    8. Then run TempFile Cleaner.
    9. CCleaner - run on browsers and clean out temp + cache, then run on the registry.
    EDIT: Since you now have Avast on the system, go into Avast settings and set a full scan to scan for ALL PACKERS, then run the full scan. If it comes up clean, you can skip the ESET scan below.
    10. ESET Online Scan (see instructions here)
    BSOD after boot up, during login or right after, (bad spool header?) Solved - Page 3 - Windows 7 Help Forums
    Be sure you're logged into sevenforums, so you can see all the screenshots. They're a little old, but the basics are the same.



    All these tools are free/have free versions available.

    When finished, create another restore point, then go into CCleaner and delete the infected one (and any others that may exist that might be infected).
     
    simrick, Sep 21, 2016
    #4
  5. I got an image from a month ago, around August 16th, my last clean install. I will get the programs to do the cleanup though, and hopefully all is clean after that is all done... The internet went down for a few minutes too, so that delayed me getting back in here.
     
    AMDMan2016, Sep 21, 2016
    #5
  6. simrick Win User
    No problem. Please note the edit I made to the post in red.

    You can post your logs as you get them done; I will be unavailable for most of the evening, but would like to see what is found - the names of everything. Sometimes this backdoor brings in a bitcoin miner, other times something worse, and so we need to decide if the image restoration is the best answer (even if we get it cleaned), and also determine if passwords need to be changed, etc. If you run across Ramnit in any of the logs, consider the image restoration the only answer.
     
    simrick, Sep 21, 2016
    #6
  7. Will do. I will post the logs once I finish all the scans; it shouldn't take too long, I don't think, as it is an 8-core system. I must change the way I do things, or figure out how they got in in the first place.
     
    AMDMan2016, Sep 21, 2016
    #7
  8. simrick Win User


    Okay sounds good. If I get a chance, I will have a look before I leave in a bit.

    Hmmm..... P2P software, infected/compromised web sites, infected ads, exploits of Flash or Java, unpatched browsers, bad browser add-ons, worm-infected computers on your same network, etc.
     
    simrick, Sep 21, 2016
    #8
  9. Well, no P2P software is used. Possibly a website. The other machines on the network I think are clean, but I'll check those 2. Java is not installed; only Microsoft Edge or IE 11 are used. Getting to the first program in a few here, then going down the line in order. The longest scans might be Malwarebytes and Avast, lol, but hopefully it all gets clean and I can relax finally.
     
    AMDMan2016, Sep 21, 2016
    #9
  10. simrick Win User
    Therein lies your problem.

    I use Firefox for my main browser, as it is the most customizable and therefore safest browser. I have browser add-ons (like Flash and Java) set to "ask to activate", I have another add-on which shall remain unnamed (per forum rules), I use WOT to evaluate web-searched sites for safety, I use OpenDNS DNS servers on my NICs to prevent navigating to known bad sites, I use the LastPass password manager and only log into it when needed, I do not log into the browser to "sync" anything, and I have MBAE for zero-day browser exploit mitigation. All this, plus anti-virus, anti-malware, anti-spyware and CryptoPrevent. Knock wood, I have never had anything on my system yet (save one worm from an infected computer I was cleaning for someone, and forgot to turn my system off at the time - an image restoration solved that problem quickly), and I do a lot of searching in order to answer threads on this forum.
     
    simrick, Sep 21, 2016
    #10
  11. simrick Win User
    Hi.
    RKILL looks ok.

    TDSSKiller says it found nothing.

    MBAM flags:
    Code:
    Backdoor.SpyNet, H:\Downloads\Important Files\wsusoffline102.zip, Quarantined, [735c6f0531693afcca525d99ac5822de],
    Backdoor.SpyNet, H:\Temp\Flash Drive files\wsusoffline105.zip, Quarantined, [9d327bf97e1c979f839910e65ca8f907],

    Now, these were downloaded to "Important Files" and "Flash Drive Files". This looks to be old, but have you ever used the WSUS Offline Updater or the Chocolatey repository?

    WSUS Offline Update - Update Microsoft Windows and Office without an Internet connection

    Chocolatey Gallery | WSUS Offline Update 10.5


    So, these could be FPs (False Positives).

    I would like to see what ESET flagged.
    Restore files quarantined by the ESET Online Scanner - ESET Knowledgebase
     
    simrick, Sep 21, 2016
    #11
  12. Yes, I used WSUS Offline with the other Windows 7 SP1 machine upstairs, and had the files saved on the external drive in case I needed them again. I will check to see what ESET flagged in a moment here.
     
    AMDMan2016, Sep 21, 2016
    #12
  13. simrick Win User


    Okay, so those are indeed FPs.
    Can you give me a screenshot of what Defender found? Or is it not specific?
     
    simrick, Sep 21, 2016
    #13
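    The false-positive call above rests on two facts from the thread: the flagged files live where the poster says he saved the WSUS Offline archives, and he did download them himself. A practitioner would close the loop by checking the archive against the publisher's hash rather than the path alone, since a dropper can reuse a legitimate file name. The script below is an added example for this thread, not code from any of the posters or from the WSUS Offline project. It assumes Windows PowerShell 5.1 (Checkpoint-Computer is not in PowerShell 7), the two paths reported in the MBAM log, and a placeholder $PublisherSha256 that you would replace with the SHA-256 the WSUS Offline download page lists for that exact version; the placeholder value is not a real hash. It also takes the restore point that step 1 of the cleanup procedure in post #4 calls for.

```powershell
# Added example (not from the thread): decide whether an AV detection on a downloaded
# archive is a false positive by comparing the file to the publisher's published hash
# and listing what executable content the archive actually carries.
# Assumptions (hypothetical): the placeholder hash below; the paths come from the
# MBAM log posted in the thread. Run from an elevated Windows PowerShell 5.1 session.

Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-FlaggedArchive {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $PublisherSha256   # copied from the vendor's download page
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        # Quarantined files are moved out of place; report that instead of guessing.
        return [pscustomobject]@{ Path = $Path; Exists = $false; Sha256 = $null; HashMatches = $null; Executables = @() }
    }

    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $match  = ($actual -ieq $PublisherSha256)

    # Enumerate script/PE-style members without extracting anything. WSUS Offline
    # legitimately ships .exe and .cmd files; the point is to compare this list with
    # what the genuine package contains, not to treat any binary as proof of malware.
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        $exeEntries = $zip.Entries |
            Where-Object { $_.FullName -match '\.(exe|dll|scr|ps1|vbs|js|bat|cmd)$' } |
            Select-Object -ExpandProperty FullName
    } finally {
        $zip.Dispose()
    }

    [pscustomobject]@{
        Path        = $Path
        Exists      = $true
        Sha256      = $actual
        HashMatches = $match
        Executables = @($exeEntries)
    }
}

# Step 1 of the cleanup procedure: a restore point before any tool changes the system.
Checkpoint-Computer -Description 'Before malware cleanup' -RestorePointType MODIFY_SETTINGS

# Paths as reported in the MBAM log in the thread.
$flagged = @(
    'H:\Downloads\Important Files\wsusoffline102.zip',
    'H:\Temp\Flash Drive files\wsusoffline105.zip'
)

# Placeholder only: substitute the SHA-256 the publisher lists for each version.
$publisherHash = '0000000000000000000000000000000000000000000000000000000000000000'

foreach ($f in $flagged) {
    $r = Test-FlaggedArchive -Path $f -PublisherSha256 $publisherHash
    $r | Format-List
    if ($r.Exists -and -not $r.HashMatches) {
        Write-Warning "$f does not match the publisher hash: leave it quarantined and re-download from the project site."
    }
}
```

    If the hash matches the publisher's value, the detection is a false positive on a file you can restore from quarantine; if it does not, the safe move is to keep it quarantined and fetch a fresh copy, whatever the file name suggests. Avoid extracting the archive on the suspect machine while you are still deciding.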
  14. simrick Win User
    I see the second MBAM scan came up clean. I am thinking ESET and Defender neutralized whatever was messing with your system.
     
    simrick, Sep 21, 2016
    #14
  15. It just said Trojan.Dropper in Temporary Internet Files that one night. Unfortunately I didn't save the info, as I noticed it when I was switching to Avast remotely via Remote Desktop, lol, via phone that night, as Defender took 3 hours to scan, so I'm like, yeah, going back to Avast. I see no sign of that now though, and I have scanned with numerous programs so far. ESET is going again so I can get to Manage Quarantine at the end.
     
    AMDMan2016, Sep 21, 2016
    #15