Windows 10 Defender, Update, Recovery, Reset, and reinstall not working.


PetruTanas

To provide some context: Everything was perfectly fine about a week ago, no detected threats, no malfunctions. Then, I noticed Windows Defender being off on every boot up, so I turned it back on again. At one point, I could not activate Windows Defender anymore, as I was getting an "unexpected error, please restart".


Then, I thought it to be an update problem, so I opened Windows Update and checked for updates. An error message popped up.


"There were some problems installing updates, but we'll try again later. If you keep seeing this and want to search the web or contact support for information, this may help: (0x80070057)"


I followed the steps on this page: https://support.microsoft.com/en-us/help/10164/fix-windows-update-errors

None worked.


At this point I figured something was wrong, so I started a virus scan with Malwarebytes, and indeed, quite a virus report returned (see log below). I removed everything it found, ran CCleaner, restarted and retried the steps above, with no luck. Although Malwarebytes does not detect any more threats, and says it successfully removed findings, it does detect the "Imminent" spyware logs in %appdata% on every boot-up. Somehow the process flies under the radar.


I tried starting Windows Defender and Windows Update from Services; I get "access denied" for Windows Defender and "error 87: invalid parameter" for Windows Update.


Then I tried editing the registry manually, as instructed here: https://support.microsoft.com/en-us/help/971058/how-do-i-reset-windows-update-components

Both soft and aggressive. Still error 87.


At this point I was getting desperate. I backed up my most important files and went for recovery. To my surprise, no restore points are available, although I know they were. I tried to reset the PC, but the reset gets stuck at "Getting a few things ready, it might take a few minutes" for hours. Finally I tried to download the Windows ISO and reinstall Windows. To my surprise, I still got an error.



Now I have no idea what it is. I assume it is a virus, judging by the scan report, which I have no idea how it got into my system and went past WD and Malwarebytes. And if it is a virus, it is a hell of a tanky one, if I cannot detect it and cannot even reinstall Windows.



I have an Asus x555ln, with an Intel i5 processor, x64, which came with a preinstalled Windows 7 that I later upgraded to Windows 10.




Malwarebytes
www.malwarebytes.com

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 349448
Threats Detected: 38
Threats Quarantined: 38
Time Elapsed: 12 min, 21 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 6
Trojan.Injector.E, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE|Google Updater 5.0, Quarantined, [3859], [559833],1.0.7403
Trojan.Injector.E, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE|Google Updater 5.0, Quarantined, [3859], [559833],1.0.7403
Trojan.Injector.E, HKU\S-1-5-21-1385932015-1977795828-590748025-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|GOOGLE UPDATER 5.0, Quarantined, [3859], [559833],1.0.7403
Backdoor.BetaBot, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE|Google Updater 5.0, Quarantined, [8279], [553693],1.0.7403
Backdoor.BetaBot, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE|Google Updater 5.0, Quarantined, [8279], [553693],1.0.7403
Backdoor.BetaBot, HKU\S-1-5-21-1385932015-1977795828-590748025-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Google Updater 5.0, Quarantined, [8279], [553693],1.0.7403

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 1
Trojan.StolenData, C:\USERS\USER\APPDATA\ROAMING\IMMINENT\LOGS, Quarantined, [3598], [250104],1.0.7403

File: 31
Trojan.StolenData, C:\USERS\USER\APPDATA\ROAMING\IMMINENT\LOGS\17-10-2018, Quarantined, [3598], [250104],1.0.7403
Trojan.Injector.E, C:\PROGRAMDATA\GOOGLE UPDATER 5.0\KGMS71O3A.EXE, Quarantined, [3859], [559833],1.0.7403
Backdoor.BetaBot, C:\PROGRAMDATA\GOOGLE UPDATER 5.0\KGMS71O3A.EXE, Quarantined, [8279], [553693],1.0.7403
Trojan.Injector, C:\USERS\USER\APPDATA\ROAMING\MCM.EXE, Quarantined, [628], [558764],1.0.7403
Trojan.Injector, C:\USERS\USER\APPDATA\ROAMING\WUAUCLT\WUAUCLT.EXE, Quarantined, [628], [558765],1.0.7403
Trojan.Injector.DLF.Generic, C:\USERS\USER\APPDATA\LOCAL\TEMP\PUTTY.EXE, Quarantined, [9493], [559834],1.0.7403
Generic.Malware/Suspicious, C:\USERS\USER\APPDATA\LOCAL\TEMP\O97O9OS35.EXE, Quarantined, [0], [392686],1.0.7403
Generic.Malware/Suspicious, C:\USERS\USER\APPDATA\LOCAL\TEMP\POAKBSSY5R5JMHE5ILXZFRYLX.EXE, Quarantined, [0], [392686],1.0.7403
Backdoor.BetaBot, C:\USERS\USER\APPDATA\LOCAL\TEMP\KGMS71O3A_1.EXE, Quarantined, [8279], [553693],1.0.7403
Ransom.GandCrab, C:\USERS\USER\APPDATA\LOCAL\TEMP\YEQ39WUGUMMW5.EXE, Quarantined, [7985], [583248],1.0.7403
Adware.Elex.ShrtCln, C:\USERS\USER\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\SyncData.sqlite3, Replaced, [255], [454717],1.0.7403
Adware.Elex.ShrtCln, C:\USERS\USER\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [255], [454717],1.0.7403
PUP.Optional.MailRu, C:\USERS\USER\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\SyncData.sqlite3, Replaced, [240], [454830],1.0.7403
PUP.Optional.MailRu, C:\USERS\USER\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, Replaced, [240], [454830],1.0.7403
Adware.Elex.ShrtCln, C:\USERS\USER\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\SyncData.sqlite3, Replaced, [255], [454717],1.0.7403
Adware.Elex.ShrtCln, C:\USERS\USER\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [255], [454717],1.0.7403
Adware.Elex.ShrtCln, C:\USERS\USER\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\SyncData.sqlite3, Replaced, [255], [454742],1.0.7403
Adware.Elex.ShrtCln, C:\USERS\USER\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [255], [454742],1.0.7403
PUP.Optional.ASK, C:\USERS\USER\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\SyncData.sqlite3, Replaced, [2], [454822],1.0.7403
PUP.Optional.ASK, C:\USERS\USER\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, Replaced, [2], [454822],1.0.7403
Adware.Elex.ShrtCln, C:\USERS\USER\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\SyncData.sqlite3, Replaced, [255], [454717],1.0.7403
Adware.Elex.ShrtCln, C:\USERS\USER\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, Replaced, [255], [454717],1.0.7403
Adware.Elex.ShrtCln, C:\USERS\USER\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\SyncData.sqlite3, Replaced, [255], [454717],1.0.7403
Adware.Elex.ShrtCln, C:\USERS\USER\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [255], [454717],1.0.7403
PUP.Optional.ASK, C:\USERS\USER\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\SyncData.sqlite3, Replaced, [2], [454827],1.0.7403
PUP.Optional.ASK, C:\USERS\USER\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, Replaced, [2], [454827],1.0.7403
PUP.Optional.ASK, C:\USERS\USER\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, Replaced, [2], [454822],1.0.7403
PUP.Optional.SearchNu, C:\USERS\USER\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\SyncData.sqlite3, Replaced, [387], [492400],1.0.7403
PUP.Optional.SearchNu, C:\USERS\USER\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [387], [492400],1.0.7403
Adware.Elex.ShrtCln, C:\USERS\USER\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\SyncData.sqlite3, Replaced, [255], [454742],1.0.7403
Adware.Elex.ShrtCln, C:\USERS\USER\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, Replaced, [255], [454742],1.0.7403

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)
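The log above shows persistence through `Run`/`RunOnce` values named "Google Updater 5.0" (in both the 64-bit and WOW6432Node hives and in the user hive), executables dropped under `%APPDATA%`, `%LOCALAPPDATA%\Temp` and `%PROGRAMDATA%`, and a rootkit scan that was never run (`Rootkits: Disabled`). The post also reports Defender refusing to start with "access denied" and Windows Update failing with error 87. The following triage script is an added example, not code from the original post or from Malwarebytes; it assumes an elevated PowerShell 5.1 session on the affected Windows 10 machine. The service names, registry keys and CIM class are standard Windows ones; the path patterns it flags as suspicious are the locations named in the log.

```powershell
# Added triage example (not from the original post). Assumes an elevated
# PowerShell 5.1 session on the affected machine; HKCU refers to the user
# running the script. Flagged path patterns mirror the Malwarebytes log above.

$autorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Every executable in the log lived in one of these user-writable locations.
# A program starting from there is not malicious by definition, but it is
# the first thing a responder wants to see in an autorun listing.
$suspiciousPathPattern = '\\AppData\\Roaming\\|\\AppData\\Local\\Temp\\|\\ProgramData\\'

function Get-AutorunEntries {
    foreach ($key in $autorunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip it.
            if ($prop.Name -like 'PS*') { continue }
            $cmd = [string]$prop.Value
            [PSCustomObject]@{
                Key        = $key
                Name       = $prop.Name
                Command    = $cmd
                Suspicious = ($cmd -match $suspiciousPathPattern)
            }
        }
    }
}

function Get-SecurityServiceState {
    # WinDefend = Defender AV engine, WdNisSvc = its network inspection service,
    # wuauserv = Windows Update, BITS = the transfer service Update depends on.
    foreach ($name in 'WinDefend', 'WdNisSvc', 'wuauserv', 'BITS') {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
        if ($null -eq $svc) {
            [PSCustomObject]@{ Name = $name; State = 'MISSING'; StartMode = '-'; ImagePath = '-' }
            continue
        }
        [PSCustomObject]@{
            Name      = $svc.Name
            State     = $svc.State       # Running / Stopped
            StartMode = $svc.StartMode   # Auto / Manual / Disabled
            ImagePath = $svc.PathName    # should point into C:\Windows or Program Files
        }
    }
}

function Get-DefenderPolicyState {
    # A DisableAntiSpyware=1 policy value turns Defender off at every boot.
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $value = (Get-ItemProperty -Path $policy -Name DisableAntiSpyware -ErrorAction SilentlyContinue).DisableAntiSpyware
    [PSCustomObject]@{
        PolicyKey          = $policy
        DisableAntiSpyware = $(if ($null -eq $value) { 'not set' } else { $value })
    }
}

Write-Host '=== Autorun entries (Run / RunOnce) ==='
Get-AutorunEntries | Format-Table -AutoSize

Write-Host '=== Defender / Windows Update services ==='
Get-SecurityServiceState | Format-Table -AutoSize

Write-Host '=== Defender policy override ==='
Get-DefenderPolicyState | Format-List

# The post says the Imminent log folder is recreated on every boot-up.
$imminentLogs = Join-Path $env:APPDATA 'Imminent\Logs'
Write-Host ("Imminent log folder present: " + (Test-Path $imminentLogs))
```

Run it once after a reboot and compare with a second run a few minutes later: an autorun value or the Imminent folder reappearing between runs confirms that a still-active process is doing the re-creation. A service reported as `Disabled`, `MISSING`, or with an `ImagePath` outside the Windows directories, or a `DisableAntiSpyware` policy value of 1, would each explain the "access denied" and error 87 symptoms described in the post; and since the scan above ran with rootkit detection off, a scan with that option enabled (or from offline boot media) is the next check before trusting a clean result.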
