• Trojans keep appearing in Window Defender AND weird behaviour


    #505714

    Hi

    Had Windows 10 clean installed mid April. It reduced boot time, ran faster and prevented most crashes. Still trying to bed it in in between major personal challenges.

    Do frequent definition updates and full scans. Details show affected files in my email (Eudora) current attachment folder or one briefly used after re-installation, both on drive E.

    Extensive Googling turns up what I suspect are removal scans but
    nothing on recurring infection without quarantining on arrival.

    Worrying intermittent events include:

    Can’t update virus definitions (fixed with SLOW system restore)
    Trojan showing only once as quarantined before scan (at end of scan with only browser obviously open)
    Possible unexpected rebooting.

    I wonder if:

    Defender removal has been incomplete OR
    New notifications are false alarms

    Are others having similar issues?

    • #1565402

      I think a fresh scan would be a good starting point. Try the Panda online USB scanner.

      cheers, Paul

      • #1565419

        Thanks for responding.

        I agree an alternate scan would be useful

        However I checked the Panda site to be told it uses cookies if you browse or close the page, which concerns me.

        What alternate checker is effective and beyond reproach?

        And I would like to know of other reports of trojans reappearing.

    • #1565424

      Kaspersky Rescue Disk, perhaps created on another machine.

      http://support.kaspersky.co.uk/viruses/rescuedisk

    • #1565425

      You think you have a trojan infection but you’re worried by a cookie – sheesh…

      Whichever scanner you use, please post the results of the scan(s).

      • #1565426

        Not worried by using cookies but by having them imposed without consent.

    • #1565429

      System requirements only go up to Win 8 and Server 2012 but I think it will be okay to scan Win 10 outside of Windows.

    • #1565470

      May I have a Windows 10 scanning suggestion?

    • #1565477

      #alexamac — When you said,
      “Defender removal has been incomplete OR
      New notifications are false alarms”
      Were you saying that you have removed something using Windows Defender?

      You asked, “May I have a Windows 10 scanning suggestion?”.
      Other posters have suggested Panda and Kaspersky. If you don’t like either of those, you can perform an online search (Google, DuckDuckGo, etc.) and find several more scanning options available.

      And IMHO, since you think you’ve gotten a trojan, to object to the creation of a cookie (which you can certainly delete afterward) is like the old saying about “strain at a gnat, and swallow a camel”. Personally, if I suspected that my computer had a trojan (or any other kind of malware) I’d be very eager to confirm or deny that. (I certainly wouldn’t care about receiving a simple cookie in the process.)

      Image or Clone often! Backup, backup, backup, backup......
      - - - - -
      Home Built: Windows 10 Home 64-bit, AMD Athlon II X3 435 CPU, 16GB RAM, ASUSTeK M4A89GTD-PRO/USB3 (AM3) motherboard, 512GB SanDisk SSD, 3 TB WD HDD, 1024MB ATI AMD RADEON HD 6450 video, ASUS VE278 (1920x1080) display, ATAPI iHAS224 Optical Drive, integrated Realtek HD Audio

      • #1565481

        Defender keeps telling me I have 1 or 2 of 3 or 4. Removes them. They come back. Repeat.

        As I said earlier, my objection to Panda is that it essentially tells you that no matter what you do or don’t do it’s going to put a cookie on your computer. I find that alarming as a way to operate. I haven’t heard of them. I am already battling so many challenges that I don’t want to be bothered trying to work out how to remove the cookie at this time.

        I am also concerned if Kaspersky is not suited for windows 10. I have heard of them so would be willing to use them.

        I have already spent many hours using Google to try to track down what may be going on here and the information is inconsistent or unconvincing. I came to Windows Secrets in the hope that I would get authoritative advice.

        I suspect that it could have got in, by my error, during the intense period after I installed Windows 10 in mid April and had to do a full installation of all programs. Generally, I am scrupulous about not clicking on executable files or downloading programs that may be suspect. I update Defender definitions daily and use Malwarebytes Premium.

        I am extremely concerned at the idea that I have a Trojan and am looking for a solution.

        I particularly come back to my original question: have there been any reports of misleading Defender reports about Trojan viruses?

      • #1565487

        Defender keeps telling me I have 1 or 2 of 3 or 4. Removes them. They come back. Repeat.

        As I said earlier, my objection to Panda is that it essentially tells you that no matter what you do or don’t do it’s going to put a cookie on your computer. I find that alarming as a way to operate. I haven’t heard of them. I am already battling so many challenges that I don’t want to be bothered trying to work out how to remove the cookie at this time.

        I am also concerned if Kaspersky is not suited for windows 10. I have heard of them so would be willing to use them.

        I have already spent many hours using Google to try to track down what may be going on here and the information is inconsistent or unconvincing. I came to Windows Secrets in the hope that I would get authoritative advice.

        I suspect that it could have got in, by my error, during the intense period after I installed Windows 10 in mid April and had to do a full installation of all programs. Generally, I am scrupulous about not clicking on executable files or downloading programs that may be suspect. I update Defender definitions daily and use Malwarebytes Premium.

        I am extremely concerned at the idea that I have a Trojan and am looking for a solution.

        I particularly come back to my original question: have there been any reports of misleading Defender reports about Trojan viruses?

        Latest Defender report:

        “Category: Trojan Dropper
        097M/DOonoff
        27/5/2016
        Severe

        Description: This program is dangerous and installs other programs.

        Recommended action: Remove this software immediately.

        Items:
        containerfile:E:\Changing Files\Eudora 2016\Eudora Data\ATTACH\2015-25-05_0048.docm
        containerfile:E:\Changing Files\Eudora 2016\Eudora Data\ATTACH\2015-25-05_797739.docm
        file:E:\Changing Files\Eudora 2016\Eudora Data\ATTACH\2015-25-05_0048.docm->word/vbaProject.bin
        file:E:\Changing Files\Eudora 2016\Eudora Data\ATTACH\2015-25-05_797739.docm->word/vbaProject.bin”

        The ATTACH folder was in use soon after installing Windows 10 but hasn’t been for many weeks. However, earlier reports have sometimes pointed to the relevant current folder.

    • #1565483

      All AVs have false positives from time to time, can you access the details from Defender for us to look at?

    • #1565492

      You need to delete the affected emails from within Eudora (those from 2015-25-05 that have those Word Macro attachments) and then clean up the email folder (completely remove deleted items + compress the folder). Close Eudora, use webmail to delete the same infected emails from the server.

      I particularly come back to my original question: have there been any reports of misleading Defender reports about Trojan viruses?

      All AVs have false positives from time to time

    • #1565493

      I have deleted the most recent files in the attachment folder and the email that they may have come with (the time was out by exactly one hour which could have been an error of time stamping). I couldn’t find any emails with the right time for the previous lot of files so was only able to delete the files in the attachment folder.

      I had some information about earlier Trojans but those files were gone from the attachment folders and from the emails.

      I have compressed the folders.

      My web mail didn’t have any attachment shown for the email I thought the most recent one had come from. Nor were there any emails for the time of the next most recent one. It looks like earlier ones had been deleted by Defender.

      This is all on the assumption that they were just coming in at the time stamp of the files rather than being put there by a Trojan downloaded at some earlier time.

      I get an awful lot of emails so I would have had to open them all to find out any attachment names and in any case only still have on the server about 10 days worth.

      So if the files are just coming in now, then Defender seems to be catching them, by quarantining them until I can do a full scan of the E drive.

      Is there any way to check out whether there are some Trojans sitting somewhere ready to come to action every reboot?

    • #1565496

      Your supplied info does not suggest that you have any active Trojan or infection. A Trojan Dropper is like an installer for a Trojan – it ‘drops’ the Trojan once it’s been triggered by opening, in this instance, the Office file containing the macro. If you haven’t opened the attached file, you won’t have an active infection from it.

      I can’t think of anywhere trustworthy to download security tools that definitely won’t end up with you gaining a cookie.
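      The point in the reply above is that a modern Word file such as `.docm` is a ZIP container, and the `->word/vbaProject.bin` suffix in the Defender report is the macro project inside it; the dropper only runs if that macro is executed. The following PowerShell script is an added example for this thread (not the poster's or any vendor's code) that lists Office attachments in a folder and flags which ones carry a `vbaProject.bin`, without opening any of them in Word. It also reports the number of entries inside each container, which is why a scanner that looks inside archives, as Defender does here (`containerfile:` / `file:` lines), counts far more "items" than Explorer counts files. The folder path is a placeholder assumption.

```powershell
# Added example (not from the thread): inventory Office attachments and flag macro carriers
# without opening them. Works on .docm/.docx/.dotm/.xlsm/.xlsx/.pptm/.pptx (all ZIP-based).
# Legacy binary .doc files are not ZIPs and are reported as unreadable rather than inspected.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-OfficeMacroReport {
    param(
        [Parameter(Mandatory)][string]$Folder
    )
    $patterns = '*.docm','*.docx','*.dotm','*.xlsm','*.xlsx','*.pptm','*.pptx'
    Get-ChildItem -Path $Folder -Recurse -File -Include $patterns | ForEach-Object {
        $file    = $_
        $entries = 0
        $hasVba  = $false
        try {
            $zip = [System.IO.Compression.ZipFile]::OpenRead($file.FullName)
            try {
                foreach ($e in $zip.Entries) {
                    $entries++
                    # word/, xl/ or ppt/ prefix depending on the application
                    if ($e.FullName -match '(^|/)vbaProject\.bin$') { $hasVba = $true }
                }
            } finally { $zip.Dispose() }
        } catch {
            # Not a readable ZIP (corrupt file or legacy binary format)
            $entries = -1
        }
        [pscustomobject]@{
            File          = $file.FullName
            LastWrite     = $file.LastWriteTime
            ZipEntries    = $entries   # each entry is a separate object for an archive-aware scanner
            HasVbaProject = $hasVba
        }
    }
}

# Placeholder path (assumption): point this at the attachment folder under inspection
Get-OfficeMacroReport -Folder 'E:\path\to\Eudora Data\ATTACH' |
    Sort-Object HasVbaProject -Descending | Format-Table -AutoSize
```

A file with `HasVbaProject = True` is not proof of malware (legitimate documents carry macros too), but it is exactly the class of attachment the Defender report names, and the listing gives a timestamped inventory to compare against the mail client before deleting anything.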

      • #1565521

        I opened the Word file in Explorer today by mistake while I was trying to track the dates. It appeared empty. I closed it. Not happy. That probably hasn’t happened before.

        I don’t object to cookies. I just need to know a web site is safe and reliable.

        • #1565597

          According to properties for my backup drive, there are approximately 2 1/2 million files. According to the scan, they have already scanned over 26 million files. Any idea what gives? should I abandon that?

    • #1565499

      I opened the Word file in Explorer today by mistake while I was trying to track the dates. It appeared empty. I closed it. Not happy. That probably hasn’t happened before.

      I don’t object to cookies. I just need to know a web site is safe and reliable.

    • #1565502

      Check your Defender logs again if you’ve opened the file since you gave the previous info.

      If I, or any of the other Mods/Admins here in the Lounge, come across a link or software suggestion that is suspicious or unsafe, we remove it. There are also a number of very knowledgeable Loungers who would rapidly report anything suspicious they find as well (see the warning triangle ! on every Post).

      There are already two good suggestions here, and for your cookie concerns, I suggest the Free version of SuperAntiSpyware, which is also quite good at detecting other infections.

    • #1565594

      Update wouldn’t complete so I did a system restore to the last good restore point, 22nd May. Update would then complete. I am working my way through full scans on each of my drives. The quick scan showed nothing. Sometimes the scans didn’t complete but it’s possible that I knocked a setting as I was going away from the computer. At the moment I am halfway through the big backup drive which will probably take many further hours. I am removing all of the files previously identified in scans as you suggested.

      I have done little else with the computer, other than to use Explorer, have AV files downloaded by a tuner and to watch an AV file using Zoom player and use Mozilla Firefox. Is that safe?

      When will it be safe to use Word? Eudora email program?

      What else do I need to do, other than to run an external anti-viral check?

      • #1565595

        I’d wait to see what the scans report but when something doesn’t complete, it could be because of a fault on that drive or file corruption.

        Have you performed a chkdsk x: /f on those drives to see if it reports any bad sectors, where x is the drive letter of that drive.

    • #1565596

      How can I run “chkdsk x: /f ” in windows 10 or will “error checking” from properties/tools be okay?

      • #1565611

        How can I run “chkdsk x: /f ” in windows 10 or will “error checking” from properties/tools be okay?

        When you are ready to do the disk check, with the external drive plugged in and you know the drive letter, open a Command Prompt (Admin) and enter chkdsk x: /f

        To access the Command Prompt (Admin) in Win 10 – press the Windows key+x then click on Command Prompt (Admin).

        Here are some other methods to run the Command Prompt in Win 10 – http://www.howtogeek.com/235101/10-ways-to-open-the-command-prompt-in-windows-10/

        As you aren’t checking C:, nothing will need to be dismounted first (which would require a reboot), and its report will remain in the command window until you enter exit to close it.

        The /f switch only repairs files but will report if it finds any bad sectors.
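      For anyone who would rather do the disk check from PowerShell, the script below is an added example for this thread (not from the poster or from Microsoft documentation). It uses Repair-Volume -Scan, which is the PowerShell counterpart of a read-only chkdsk: it checks the volume online, does not dismount it, and reports problems without changing anything. Run chkdsk x: /f afterwards, as the post above describes, only if errors are reported. It assumes an elevated PowerShell session on Windows 8 or later, where the Storage module cmdlets exist.

```powershell
# Added example (not from the thread): read-only health check of NTFS volumes from PowerShell.
# Run from an elevated (Administrator) PowerShell session.

function Test-DriveHealth {
    param([Parameter(Mandatory)][char]$DriveLetter)
    $vol  = Get-Volume -DriveLetter $DriveLetter
    # -Scan: online, read-only check; returns e.g. NoErrorsFound or ErrorsFound
    $scan = Repair-Volume -DriveLetter $DriveLetter -Scan
    [pscustomobject]@{
        Drive             = "$DriveLetter`:"
        FileSystem        = $vol.FileSystem
        OperationalStatus = $vol.OperationalStatus   # OK / Scan Needed / Spot Fix Needed / Full Repair Needed
        HealthStatus      = $vol.HealthStatus
        ScanResult        = $scan
        SizeGB            = [math]::Round($vol.Size / 1GB, 1)
    }
}

# Check every lettered, fixed NTFS volume (external USB disks normally appear as Fixed too);
# pass a single letter to Test-DriveHealth instead if only one drive is of interest.
Get-Volume |
    Where-Object { $_.DriveLetter -and $_.DriveType -eq 'Fixed' -and $_.FileSystem -eq 'NTFS' } |
    ForEach-Object { Test-DriveHealth -DriveLetter $_.DriveLetter } |
    Format-Table -AutoSize
```

A drive that reports Scan Needed or ErrorsFound is the one to follow up with chkdsk x: /f; a drive that keeps interrupting a long antivirus scan is worth checking this way before assuming the interruption is malware-related.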

    • #1565598

      I’ve run Defender and Malwarebytes Premium over the two attachment files in my email drop. I removed what they found.

      I suspect I should now do check disk on my backup drive so look forward to any advice about that.

      And on the rest.

    • #1565606

      Can we see the MBAM and Defender logs, please?

    • #1565608

      Here is what I found: for the latest

      mbam-log-2016-05-30 (00-50-23).xml – Invalid File
      mpcache-F9B6F05FD86A104CE0BB15D987A879C7F136DAA9.bin – Invalid File

      The MBAM finished, finding nothing.

      The quick Defender scan found nothing.

      I aborted each of C, email E and backup L when they had scanned way more than the number of files found by Explorer, e.g. over 7m instead of 171,000 in C, which is a new 500g SSD.

      Were they the right log files?

    • #1565609

      I’m not familiar with accessing the Defender logs.

      MBAM > History tab > Application Logs, click the latest Scan Log and Export to the clipboard for pasting into a Reply, or to a text file.

      It’s important to have as much detail as possible to be able to get a handle on what’s been going on.
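      Since the Defender detection history is the thing repeatedly asked for in this thread, here is an added example (not the poster's or Microsoft's code) of pulling it from PowerShell instead of the Defender UI. It uses the Defender module cmdlets built into Windows 10 and the Defender operational event log; the 30-day window is an assumption, and the session should be elevated.

```powershell
# Added example (not from the thread): Defender status, detection history and update failures
# from PowerShell. Requires the built-in Defender module (Windows 10) and an elevated session.

function Get-DefenderSummary {
    $status = Get-MpComputerStatus
    [pscustomobject]@{
        RealTimeProtection = $status.RealTimeProtectionEnabled
        SignatureVersion   = $status.AntivirusSignatureVersion
        SignatureAgeDays   = $status.AntivirusSignatureAge   # large value = definitions not updating
        LastFullScan       = $status.FullScanEndTime
        LastQuickScan      = $status.QuickScanEndTime
    }
}

function Get-DefenderDetections {
    param([int]$Days = 30)
    $since = (Get-Date).AddDays(-$Days)
    Get-MpThreatDetection |
        Where-Object { $_.InitialDetectionTime -ge $since } |
        ForEach-Object {
            $threat = Get-MpThreat -ThreatID $_.ThreatID
            [pscustomobject]@{
                Detected   = $_.InitialDetectionTime
                ThreatName = $threat.ThreatName
                Severity   = $threat.SeverityID
                Resources  = ($_.Resources -join '; ')   # the containerfile: / file: paths seen in the report
                Succeeded  = $_.ActionSuccess
            }
        } | Sort-Object Detected -Descending
}

# Event log view. 1116 = malware detected, 1117 = action taken,
# 2001 = signature update failed (the "can't update definitions" symptom).
function Get-DefenderEvents {
    param([int]$Days = 30)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1116, 1117, 2001
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }
}

Get-DefenderSummary
Get-DefenderDetections | Format-Table -AutoSize
Get-DefenderEvents     | Format-Table -AutoSize
```

The detection list pairs each hit with the resource path Defender acted on, so repeated hits on the same attachment folder show up as such, and the 2001 events give a timeline for the definition-update failures the original post describes.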

    • #1565610

      MBAM

      2016/05/30 00:50:40 +1000
      mbam-log-2016-05-30 (00-50-23).xml
      yes

      2.2.1.1043
      v2016.05.29.04
      v2016.05.27.01
      premium
      enabled
      enabled
      enabled

      DESKTOP-L0FVINS
      192.168.1.2
      Windows 10
      x64
      Alexa
      NTFS

      threat
      completed
      307145
      576
      0
      0
      0
      0
      0
      0
      0
      0

      enabled
      enabled
      enabled
      enabled
      enabled
      disabled
      enabled
      enabled
      enabled

      Defender:

    • #1565613

      Defender to follow

      MBAM:

      2016/05/30 00:50:40 +1000
      mbam-log-2016-05-30 (00-50-23).xml
      yes

      2.2.1.1043
      v2016.05.29.04
      v2016.05.27.01
      premium
      enabled
      enabled
      enabled

      DESKTOP-L0FVINS
      192.168.1.2
      Windows 10
      x64
      Alexa
      NTFS

      threat
      completed
      307145
      576
      0
      0
      0
      0
      0
      0
      0
      0

      enabled
      enabled
      enabled
      enabled
      enabled
      disabled
      enabled
      enabled
      enabled

    • #1566015

      Superantispyware will remove cookies. Update the definitions and do a quickscan or a full scan.
      It works well on suspect cookies. Actually your whole problem may be a tracking cookie.
      SAS will erase it.

    • #1566039

      Hi

      Had Windows 10 clean installed mid April. It reduced boot time, ran faster and prevented most crashes. Still trying to bed it in in between major personal challenges.

      Do frequent definition updates and full scans. Details show affected files in my email (Eudora) current attachment folder or one briefly used after re-installation, both on drive E.

      Extensive Googling turns up what I suspect are removal scans but
      nothing on recurring infection without quarantining on arrival.

      Worrying intermittent events include:

      Can’t update virus definitions (fixed with SLOW system restore)
      Trojan showing only once as quarantined before scan (at end of scan with only browser obviously open)
      Possible unexpected rebooting.

      I wonder if:

      Defender removal has been incomplete OR
      New notifications are false alarms

      Are others having similar issues?

      Yes, I had a trojan “peals.E!plock” when I upgraded to Windows 10 from Windows 7 Pro.

      I would have searched for a solution, but as Windows 10 didn’t appeal to me due to the lack of customisation features, made a lightning fast switch back to Windows 7.

      Mike

      • #1566048

        Yes, I had a trojan “peals.E!plock” when I upgraded to Windows 10 from Windows 7 Pro.

        I would have searched for a solution, but as Windows 10 didn’t appeal to me due to the lack of customisation features, made a lightning fast switch back to Windows 7.

        Mike

        Surely you aren’t suggesting that upgrading to Windows 10 produced the infection (are you?).

        Image or Clone often! Backup, backup, backup, backup......
        - - - - -
        Home Built: Windows 10 Home 64-bit, AMD Athlon II X3 435 CPU, 16GB RAM, ASUSTeK M4A89GTD-PRO/USB3 (AM3) motherboard, 512GB SanDisk SSD, 3 TB WD HDD, 1024MB ATI AMD RADEON HD 6450 video, ASUS VE278 (1920x1080) display, ATAPI iHAS224 Optical Drive, integrated Realtek HD Audio

        • #1566051

          Surely you aren’t suggesting that upgrading to Windows 10 produced the infection (are you?).

          The trojan was not on my Windows 7 Pro before the upgrade.

          Prior to the upgrade, I used CCleaner to clean out all Temp folders.

          After the upgrade to Windows 10, Windows Defender notified me about the trojan and pointed to the Windows Temp Folder. ZoneAlarm also notified me that a file in the same folder was trying to communicate with a Yahoo site.

          FYI – there was only 1 file in the Windows Temp folder.

          You can draw your own conclusions from the above – but in my opinion – as the trojan was found immediately after the upgrade, I can only assume that it had something to do with the upgrade.

          Mike

          • #1566240

            You can draw your own conclusions from the above – but in my opinion – as the trojan was found immediately after the upgrade, I can only assume that it had something to do with the upgrade

            That’s an extremely long bow. More likely you already had the trojan when you started the upgrade and it had compromised your system to prevent reporting. Windows 10 re-configured your system and exposes the trojan.

            cheers, Paul

          • #1566252

            The trojan was not on my Windows 7 Pro before the upgrade…

            Yeah, and the cow really did jump over the moon.

            Clearly the improved security in Win10 identified the trojan that your previous Win7 & security software had missed.

            • #1566262

              Took computer to my computer shop Monday, back today, disinfected. Still doing chkdsk

              Could read lounge on android but couldn’t see how to sign in and post.

            • #1566271

              Defender is 5 hours into a full scan of the E internal drive showing about 15% completion and 2.5 m files scanned.

              Explorer shows about 150,000 files as does chkdsk (22 different). chkdsk shows no bad sectors.

              Can anybody clarify?

    • #1566053

      This is the first time you’ve mentioned the Windows temp folder, previously you said the malware was within Eudora?

      Looking through this thread it would appear that you were receiving emails that had malware in attachments and Defender was picking those up.

      I went through a phase a couple of months back when Defender was notifying me almost on a daily basis that it had found malware. Turned out that an old email account was the target of malware-laden spam and Defender was catching the attachments. Note that I hadn’t opened any of the emails; the virus files were deep within Outlook temp files and cleaned there. The rate of notification gradually died down as my email provider got better at stopping the emails.

    • #1566229

      alexmac, Try using MBAM from safemode, it may find more nasties that way.
      http://windows.microsoft.com/en-us/windows-10/start-your-pc-in-safe-mode#

      Also, you should create a Windows Defender Offline disc and boot from it to do a thorough scan before windows loads. This next link will help you make the disc or flash drive. Good Luck. Washburn59
      windows.microsoft.com/en-us/windows-10/start-your-pc-in-safe-mode#

      Hi

      Had Windows 10 clean installed mid April. It reduced boot time, ran faster and prevented most crashes. Still trying to bed it in in between major personal challenges.

      Do frequent definition updates and full scans. Details show affected files in my email (Eudora) current attachment folder or one briefly used after re-installation, both on drive E.

      Extensive Googling turns up what I suspect are removal scans but
      nothing on recurring infection without quarantining on arrival.

      Worrying intermittent events include:

      Can’t update virus definitions (fixed with SLOW system restore)
      Trojan showing only once as quarantined before scan (at end of scan with only browser obviously open)
      Possible unexpected rebooting.

      I wonder if:

      Defender removal has been incomplete OR
      New notifications are false alarms

      Are others having similar issues?

    • #1566276

      Maybe it keeps re-starting the scan?
      Try an offline scanner – Panda, Kaspersky etc.

      cheers, Paul

      • #1566324

        Offline scanner was used by my computer guy and supplied. I’ll try it again.

        Actually, the running scan may be of drive c 40 gb 175,000 files.

        After 12 hours shows 6m items scanned, 45% completed, so restarting would have to have been planned. Will stop.

        Also, shows “preliminary results show possible malicious …” but don’t show in history when I switch over.

        Machine running slow.

        will also chkdsk c.

        This is all weird.

        How do I login from android?

    • #1566340

      “How do I login from android?”

      More information please.

      cheers, Paul

    • #1566510

      It took me ages to work out how I could even sign in to the lounge from my Android smartphone. But I couldn’t work out how to reply on the phone. This is a brief connection to update my issues, then I will have to revert to the phone. I need somebody to explain if it is possible to reply if signed in on a phone or give me an email address I can pass a message through.

      I got my windows 10 computer back from my computer company. I was told it was virus free. However, it continued to be weird: including not updating Defender definitions, not finishing scans, showing possible malware but not saved for fixing. I tried to redo the virus checker but couldn’t reset the UEFI BIOS to boot from a USB.

      The USB scanner I was given was by AVAST. I did manage to change the intel BIOS on my old windows 7 laptop to boot from the USB. It ran and found over 3000 items and 2 seemed to be left. No useful information. When I re-ran it it found just under 3000 and no others.

      However, it has since updated MSE definitions and passed a full scan then not completed updating. This is similar behaviour to the desktop.

      I am not using the desktop and will stop using the laptop after I send this. THAT IS WHY I NEED TO KNOW HOW I CAN ENGAGE IN THIS FROM MY ANDROID PHONE.

      I did chkdsk on the desktop. Internal drives were okay. One of three external drives showed 128 kb bad sector. Only weird behaviour is that I have to reinsert and wiggle the USB from time to time.

      Now the technician is off sick.

      I would like to know how I can be sure that it is safe to use either machine without hurting any of my data.

      It may be difficult to get a Kaspersky rescue disk, but is that the only viable way forward now?

      • #1566515

        I was asking one of my sons on Saturday to see if he could log into the forum on his android phone, but after scrolling to the bottom and clicking on Full Site then on Lounge, it only gave the log on to the Windows Secrets account with a prompt for the email etc.

        Do you have any of the external HDDs plugged in when you are getting these ?

        You can download and create the Kaspersky disk in Safe Mode with Networking – you can also download and run the ESET Free Online Scanner in that mode as well.

        http://www.eset.com/us/online-scanner/

        Check the two boxes then click on Advanced and check any additional boxes, but I don’t think you need to include the one for Proxies and including Archives can prolong the time the scan will take.

        A Kaspersky scan on my lightly loaded Win 7 laptop took about 9hrs, so depending on what you have loaded – this could take considerably longer but it will be thorough.

        Have you thought of using a different AV program as you could be getting some false positives…

        Panda Free Anti Virus has come up through the rankings of late and may be one to consider.

        http://www.majorgeeks.com/files/details/panda_cloud_antivirus.html

    • #1566518

      I’ve just tried on my Android tablet, with Chrome. Went to the lounge and logged in via the login at the top. Tried on my phone and got in OK then as well. A bit fiddly because of the small size, but zooming in helped.

      Sudo – not sure what you meant by clicking on full site.

      Eliminate spare time: start programming PowerShell

      • #1566520

        On my son’s phone after he did the http://www.windowssecrets.com and got the home page, he scrolled down to the bottom where there was a blue link for Full Site which then gave him the menu bar to select Lounge.

        What about the rest of my last post ?

        • #1566568

          On my son’s phone after he did the http://www.windowssecrets.com and got the home page, he scrolled down to the bottom where there was a blue link for Full Site which then gave him the menu bar to select Lounge.

          What about the rest of my last post ?

          Ahh, I see it now. I had gone straight to the lounge. Looks like Alexmac has difficulty with typing on his phone.

          Eliminate spare time: start programming PowerShell

    • #1566523

      THANKS.

      Using Chrome got me logged in AND offered a reply to the thread. Yippee. Will look at the rest tomorrow when I can read the tiny print.

      Also, the external drive with the bad sector was out of tio. During problems.
