
I've reinstalled Win10 4x, but the VIRUS keeps coming back!

MohawkADE
Solved by MohawkADE


For the last couple of months, I've been plagued with a couple of Trojan Horses, paired with what appears to be some sort of miner. It wrecks Windows Defender, Update along with any 3rd Party Antivirus program. So I've gone with the scorched earth approach of reinstalling my OS, but then it would pop back up a week later.

 

In my investigations, I've traced a potential source towards a suspicious email in my inbox with an attachment that sets off all the red flags. And while I am not in the habit of downloading fishy attachments, apparently it seems the "Microsoft Mail and Calendar" app is.

 

So I deleted all traces of that message and reinstalled my OS one more time and guess what? It's back! Dunno what I'm missing as I am deep scanning my whole PC every time and getting an all clear from my Anti-Virus.

 

I am currently at a loss of options because I don't know where this damn Trojan is hiding and I'm hesitant to do another reinstall on account of the time & productivity cost involved.

 

Any tips?


What are you scanning with to confirm you have a virus? Surely you would need to actually download the virus from the attachment and run it for it to be able to install on your PC, it can't just infect it from being on an attachment as far as I know.

 

Are you using any other hard drives on the PC or removable media that could have been infected and are passing it back over to your PC?


Do you run or re-install any software that you acquired from a sketchy site? Do you use any cracked software/games/etc? You can start by not installing any of those when you re-install.


What are you installing on your PC after Windows? Likely one of those things is what's infected.

F@H
Desktop: i9-13900K, ASUS Z790-E, 64GB DDR5-6000 CL36, RTX3080, 2TB MP600 Pro XT, 2TB SX8200Pro, 2x16TB Ironwolf RAID0, Corsair HX1200, Antec Vortex 360 AIO, Thermaltake Versa H25 TG, Samsung 4K curved 49" TV, 23" secondary, Mountain Everest Max

Mobile SFF rig: i9-9900K, Noctua NH-L9i, Asrock Z390 Phantom ITX-AC, 32GB, GTX1070, 2x1TB SX8200Pro RAID0, 2x5TB 2.5" HDD RAID0, Athena 500W Flex (Noctua fan), Custom 4.7l 3D printed case

 

Asus Zenbook UM325UA, Ryzen 7 5700u, 16GB, 1TB, OLED

 

GPD Win 2


Install your programs one by one, and after each one, run a virus scan to verify which one it could be.


Quick question:  HDD or SSD?

Alienware Area 51m 2019:  RTX 2060 | i7-9700 | 32GB Corsair Vengeance (2x16GB) 2666 | 1TB 970 EVO | 240GB Corsair Force MP510.

https://folding.extremeoverclocking.com/user_summary.php?s=&u=812790

https://pcpartpicker.com/user/NZKshatriya/saved/

 

BACKUP SYSTEM:  ASUS Prime X470 PRO | Ryzen 5 1600 | G.skill FORTIS 16GB(2x8GB) 2400 | SanDisk SDSSDA 120GB | EVGA SuperNOVA GA 850 | HAF-XB-EVO

 

 


Reinstall the OS, do not install any non-kosher software. See if that works.

If that doesn't do it, and you are using spinning media... boot sector virus?


2 hours ago, Tomthehitman said:

What are you scanning with to confirm you have a virus? Are you using any other hard drives on the PC or removable media that could of been infected and are passing it back over to your PC?

AVG-Free is the 3rd-party anti-virus I use; it seems to catch whatever gets loaded into the OS after Windows Update and Defender get destroyed, but not before. Otherwise ALL internal and external hard drives have been DEEP scanned before and after an OS reinstall and have come up clean (according to AVG-Free). Not familiar with Trojan types, so I've attached a screenshot.

[attached screenshot: kMnVaaC.jpg]

2 hours ago, Tomthehitman said:

Surely you would need to actually download the virus from the attachment and run it for it to be able to install on your PC, it can't just infect it from being on an attachment as far as I know.

I would have thought so too, until I found that attachment on my hard drive in a place where Microsoft Windows and Mail downloaded a bunch of other email attachments. But since the problem has emerged after deleting the suspicious email and attachment off both my inbox and hard drive, I am currently looking toward other potential viral sources.

 

2 hours ago, Windows7ge said:

Do you run or re-install any software that you acquired from a sketchy site? Do you use any cracked software/games/etc? You can start by not installing any of those when you re-install.

I own some, though I've always been in the habit of thoroughly scanning them before use (all suspicious programs and their installers currently on my system scan clean). Never had any problems until now, so I will be giving some of those programs a pause for critical assessment on my next reinstall.

 

1 hour ago, NZKshatriya said:

Quick question:  HDD or SSD?

M.2 SSD for OS 

3 HDDs for Programs and Backups, 2 SSDs for Games and Cache


Are you newly downloading your programs (browser, antivirus etc) from the correct source websites after installing?

This sounds like junk that gets into "sponsored links" when you search for "download chrome" and pick the first result without looking instead of actually downloading from Google.


3 minutes ago, Kilrah said:

Are you newly downloading your programs (browser, antivirus etc) from the correct source websites after installing?

This sounds like junk that gets into "sponsored links" when you search for "download chrome" and pick the first result without looking instead of actually downloading from Google.

Yes, all downloaders & installers are from their respective websites. At this point I have a collection of them at the ready to streamline the next reinstall.

 

2 hours ago, TempestCatto said:

Install your programs one by one, and after each one, run a virus scan to verify which one it could be.

I ran deep scans on all installers and programs both pre-infection and post-infection; they've come up clean. I am suspecting something more inconspicuous, so I'll be taking some advice to withhold installing anything REMOTELY sketchy after a clean OS install and then see what happens after a 1-2 week period (the time it takes before the virus re-emerges).


2 hours ago, MohawkADE said:

I own some, though I've always been in a habit of thoroughly scanning them before use (all suspicious program and their installers currently on my system, scan clean). Never had any problems until now so I will be giving some of those programs a pause for critical assessment on my next reinstall.

If you have extra drives connected I would also try disconnecting those. It's possible your extra drives got infected and they're just re-infecting the system on every re-install.

 

You can also try introducing a new drive in the chance case this is a firmware level virus that can't get removed by nuking Windows.


Are you sure it's not something else connected to your network? Worth a check.


First of all, as you see, reinstalling the system, clean install etc. don't work as you expect and these viruses are still coming back.

You should focus now on finding and removing them instead of destroying your system.

First of all, make sure that they're really viruses, not some false positives. Use VirusTotal to scan these infected files.

If you think that your email client is not safe, use an alternative one, for example the great eM Client.

Attachments do not execute themselves. A virus is an executable too and must be activated somehow, so it's not just attachments, but maybe some script in the email that activates the virus. But I really doubt it. I bet that your email client just receives the same emails using the IMAP protocol, so your computer downloads the same viruses again and again.

Most important: check if you're REALLY infected. Your AV software finds a virus in a file; that is normal if the file is infected. But that DOESN'T MEAN your computer is infected. A virus, like any other program, must be executed SOMEHOW. Then it will infect your system. Antivirus software doesn't care if the virus is active (running) or not. It detects the virus and warns you. That doesn't mean anything, in fact. I can send you (theoretically) 200 viruses in email attachments and you'll be safe (until you start executing them), but the AV software will alert you, because it scans files; it doesn't check if they're activated.

If you want more help in this case, pm me.

 

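One way to act on the distinction homeap5 draws above (a file the AV flags versus a file that something on the system actually launches), as an added PowerShell example that is not from the thread: the flagged path is a constructed placeholder and the Get-ActivationEvidence function name is my own.

```powershell
# Added example (not from the thread): for file paths an AV scan flagged, check
# whether anything on the live system actually launches them, which is the
# "detected vs. executed" distinction made above.
# Assumptions: run elevated on Windows 10; the sample path is constructed.
function Get-ActivationEvidence([string[]]$FlaggedPaths) {
    $hits = New-Object System.Collections.Generic.List[object]
    function Add-Hit($Kind, $Where, $Path) {
        $hits.Add([pscustomobject]@{ Kind = $Kind; Where = $Where; Flagged = $Path })
    }
    foreach ($p in $FlaggedPaths) {
        $leaf = [IO.Path]::GetFileName($p)
        # 1. Is the file running right now? (exact path match)
        Get-Process -ErrorAction SilentlyContinue |
            Where-Object { $_.Path -and $_.Path -ieq $p } |
            ForEach-Object { Add-Hit 'process' "PID $($_.Id)" $p }
        # 2. Does a service start it? Win32_Service exposes the full command line.
        Get-CimInstance -ClassName Win32_Service |
            Where-Object { $_.PathName -and $_.PathName -ilike "*$leaf*" } |
            ForEach-Object { Add-Hit 'service' $_.Name $p }
        # 3. Does a scheduled task launch it? (file-name match on each action)
        foreach ($t in @(Get-ScheduledTask -ErrorAction SilentlyContinue)) {
            foreach ($a in @($t.Actions)) {
                if ($a.Execute -and $a.Execute -ilike "*$leaf*") {
                    Add-Hit 'task' "$($t.TaskPath)$($t.TaskName)" $p
                }
            }
        }
        # 4. Is it referenced from a Run/RunOnce autostart key?
        $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                   'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
                   'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
        foreach ($key in $runKeys) {
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            if (-not $props) { continue }
            foreach ($prop in $props.PSObject.Properties) {
                # Skip the PSPath/PSParentPath bookkeeping properties.
                if ($prop.Name -notlike 'PS*' -and "$($prop.Value)" -ilike "*$leaf*") {
                    Add-Hit 'autorun' "$key\$($prop.Name)" $p
                }
            }
        }
    }
    return $hits
}

# Constructed sample input: substitute the paths from your AV's detection log.
$FlaggedPaths = @('C:\Windows\System32\example_miner.exe')
$evidence = @(Get-ActivationEvidence $FlaggedPaths)
if ($evidence.Count -eq 0) { 'Nothing launches the flagged files: detected, not active.' }
else { $evidence | Format-Table -AutoSize }
```

A hit in any of the four categories is what turns "the AV found a file" into "the file was installed and is being started"; no hit means only a closer look at WMI subscriptions, other services or the AV quarantine can settle it.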

1 hour ago, homeap5 said:

Most important - check if you're REALLY infected. Your AV software find a virus in file - that is normal if file is infected. But that DOESN'T MEAN your computer is infected.

The files are in System32 and searches point out they are indeed from viruses, so it means the virus did get installed.


18 minutes ago, Kilrah said:

The files are in System32 and searches point out they are indeed from viruses, so it means the virus did get installed.

So a hard problem needs hard software to find and destroy it.

As I see it, some AV actually detects it, so it should not be a problem. If they're quarantined, it means the AV works.

BUT in the first post I see that this trojan blocks Defender and some other tools.

For hard-to-find/destroy viruses I recommend a program with a not-so-good reputation, very underrated, but great (many times it found a problem/virus even when no other software did, including VirusTotal engines). It's SpyHunter. Sure, it's annoying and wants money if you want to remove viruses, but if you're an experienced user, it's a very good detection tool. It shows you all infected registry entries, files etc. and you'll be able to locate and delete them manually. If you know how to do it.

Generally, fighting viruses is something that needs some experience and extra tools (for removing protected files, for removing protected registry keys, for killing protected processes etc.). Sometimes even speed is required (some trojans use a few processes to keep themselves alive, and the trick is to kill them all before they start each other again). A few months ago I even saw a trojan that protected itself using only a single process, but when you tried to kill it, or used another program to kill it or remove the file, it crashed that program. An interesting case that I finally solved remotely, but it was really annoying. Anyway, there is no need to destroy everything every time a virus is in your computer (well, you can format your whole computer and every drive, but it looks like a worse solution than the virus itself).


20 hours ago, Grumpy Old Man said:

First, is the Windows installation media "legal" or downloaded from some pirate site??? :ph34r:

THIS....I can't THIS!!!! enough.

Get a clean ISO from the official Microsoft website, and use that to reinstall.

 


FINAL FOLLOW UP:

 

I've reinstalled Win10 (sourced from Microsoft) with all (legit) programs and restored my files and preferences. Another virus scan for sanity's sake and then I cloned my OS, keeping it as a quick-backup option in case of another emergency.

 

After that, I disconnected myself from my router and began a hunt for the source of the virus. Using my cloned OS as bait, I intentionally reinstalled some of the pirated programs, one by one. After each install, I booted the program at least once, closed it and then set the date past two weeks into the future and rebooted (in an attempt to prompt this particular virus out in the open). With all those installs, only one showed suspicious behavior. After running through the previously mentioned steps, my PC made an unprompted reboot after the previous one. When the OS came to, Windows Defender, Update and my anti-virus were gone.

"Ah ha! Gotcha ya little $#!T" I deleted that program and its installer, restored the cloned OS, and tested the remaining suspect software with no additional red flags.

While thankfully this virus only seemed to be interested in using my PC to mine crypto rather than target my files, part of me wonders if that was just the first phase of a more sophisticated multi-staged attack. I can only speculate, as cyber-security isn't my professional discipline, but through this experience I've developed a better understanding and appreciation for it. And though the final solution I developed may be a bit overzealous for most use cases, having these options at the ready certainly helps me sleep better.

 

Thank you for all of your insightful input!

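The bait-OS procedure above (baseline, install one suspect program, jump the clock, reboot, check whether Defender, Update and the AV survived) can be made repeatable with a snapshot-and-compare script. This is an added PowerShell example, not the poster's own tooling; the function names and the E:\baseline.json path are assumptions.

```powershell
# Added example (not from the thread): snapshot the protection state the
# trojan above wiped (Defender, Windows Update, third-party AV) so each bait
# install + date-jump reboot is checked against a saved baseline, not by eye.
# Assumptions: run as Administrator on Windows 10; the JSON file lives on a
# drive outside the bait OS (the E:\ path is hypothetical).

function Get-ProtectionSnapshot {
    $snap = [ordered]@{}
    # Services the thread reports as "gone" after the unprompted reboot.
    foreach ($name in 'WinDefend', 'WdNisSvc', 'SecurityHealthService', 'wuauserv', 'UsoSvc') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        $snap["service:$name"] = if ($svc) { "$($svc.Status)/$($svc.StartType)" } else { 'MISSING' }
    }
    # Defender tamper indicators: real-time flag (via the Defender module, if it
    # still exists) and the DisableAntiSpyware policy kill switch.
    $mp = if (Get-Command Get-MpPreference -ErrorAction SilentlyContinue) { Get-MpPreference } else { $null }
    $snap['defender:RealtimeDisabled'] = if ($mp) { [string][bool]$mp.DisableRealtimeMonitoring } else { 'NO_MODULE' }
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -ErrorAction SilentlyContinue
    $snap['policy:DisableAntiSpyware'] = if ($pol -and $null -ne $pol.DisableAntiSpyware) { [string]$pol.DisableAntiSpyware } else { 'unset' }
    # Third-party AV registered with Security Center (AVG in the thread).
    $av = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
    $snap['av:products'] = @($av | ForEach-Object { $_.displayName } | Sort-Object) -join ';'
    # Defender's scheduled tasks, which are often removed along with the service.
    $tasks = Get-ScheduledTask -TaskPath '\Microsoft\Windows\Windows Defender\' -ErrorAction SilentlyContinue
    $snap['defender:tasks'] = @($tasks | ForEach-Object { $_.TaskName } | Sort-Object) -join ';'
    return $snap
}

function Save-ProtectionSnapshot([string]$Path) {
    Get-ProtectionSnapshot | ConvertTo-Json | Set-Content -Path $Path
}

function Compare-ProtectionSnapshot([string]$BaselinePath) {
    $base = Get-Content -Raw -Path $BaselinePath | ConvertFrom-Json
    $now = Get-ProtectionSnapshot
    $diff = foreach ($key in $now.Keys) {
        $old = [string]$base.$key
        if ($old -ne $now[$key]) { [pscustomobject]@{ Check = $key; Baseline = $old; Now = $now[$key] } }
    }
    if ($diff) { $diff | Format-Table -AutoSize } else { 'No change from baseline.' }
}

# Before installing a suspect program:  Save-ProtectionSnapshot 'E:\baseline.json'
# After the date jump and reboot:       Compare-ProtectionSnapshot 'E:\baseline.json'
```

Any row in the comparison output (a service reported MISSING, an empty av:products list, the policy switch flipped to 1) is the same signal the poster spotted by hand, caught on the first reboot instead of a week later.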

1 hour ago, MohawkADE said:

I deleted that program and its installer

What program and where did you download it from? Glad you figured it out though.


21 hours ago, TempestCatto said:

What program and where did you download it from? Glad you figured it out though.

Don't want to out myself on WHAT program I torrented, so I'll just say it's one of the more prominent programs for media production.

 

Though I will mention that THIS particular download lacks comments and comes from an unverified host, despite its high seed count. Something to keep in mind if you're navigating the same murky waters.

 

YARR!


15 hours ago, MohawkADE said:

Don't want to out myself on WHAT program I torrented, so I'll just say it's one of the more prominent programs for media production.

 

Though I will mention that THIS particular download lacks comments and comes from an unverified host, despite its high seed count. Something to keep in mind if you're navigating the same murky waters.

YARR!

Please, if you are going to torrent, at least get onto a private tracker; they're not that hard to get into and are 100x better than using the public well-known ones (for this exact reason).
