A malicious tool that returns after every clean-up

Hi all,

 

I am using the paid version of Kaspersky Internet Security on my Windows 10 PC. The details of my OS and Kaspersky version are as under:

Kaspersky Internet Security Version 21.3.10.391 (h)

Operating system: Windows 10 x86 Build 19043

For the past month, I have been facing a strange problem on my PC. Every day, when I start my PC, I get a

popup message from Kaspersky saying something like this:

##################################################################

Malicious Tool detected

We recommend that you close all running programs and save your changes before the computer restarts.

Detected: Hacktool.Win32.Remoxec.c

Location: C:\Windows\gaMkpwZe.exe

#####################################################################

Then I am advised to disinfect and restart the computer.

Kindly see the screenshots of the message.

 

Now the strange thing is that after I clean the threat and restart my PC, all seems to work well for the day. However, the next day, whenever I switch on my PC, the same warning popup reappears, with the detection of a different hacktool.

Kindly see these 3 screenshots of the popup messages which have appeared during the last month.

 

 

 

And this is occurring everyday.

 

Every day:

- I am getting this warning message,

- I am cleaning the hacktool using Kaspersky,

- I am restarting my computer and working for some time, and

- the next day the same error with a different message reappears!

 

It seems that Kaspersky is either unable to remove the threat completely, or there is some loophole in my computer which is letting the malicious tool in every day.

I tried running Malwarebytes also, in the hope that it would remove the tool permanently. However, the same problem occurs with it too. It removed the tool for one day, and on the next day it appeared again.

 

Kindly help as it is bothering me too much.

Hello @Shekhar

Welcome back!

  • ❓ Is there any ‘crack/pirated’ software installed?

  1. Run the system in Safe Mode and clear all files & folders in:

    C:\Windows\Temp

    C:\Users\USER\AppData\Local\Temp   -   USER = your name or the name of the user account on the computer

    Return to normal mode & continue with the following:

  2. Read & follow instructions from Moderator @richbuff  Link

  3. Read & follow instructions from @Danila T.  Link

  4. See the similar topic, The New Trojan which kasper couldn't do anything till now, answered by Moderator @Caos. If the above 1. to 3. do not resolve the issue, log the issue with Kaspersky Support; they may request logs, traces & other data, and they will guide you.

Please let us know the outcome?

Thank you🙏

Flood🐳 +🐋

@Flood and Flood's wife
Thanks for your helpful advice.

No pirated software is installed to the best of my knowledge.

I did step 1: restarted the system in Safe Mode and removed all temp files.

Then did step 2: ran a Kaspersky scan and found no error.

Did step 3 also, but it is impossible to run a full scan. In 150 minutes, not even 1% of the files could be scanned by Kaspersky. Ran Kaspersky 2-3 times and restarted the PC as per its advice.

 

Step 4: The problem seems very similar to the problem mentioned in step 4. However, I am unable to find any workable solution for it in the given link.

No error has returned as of now. However, only tomorrow can any final conclusion be drawn.

 

@Berny 

No. As of now, no malicious object is visible in Process Explorer (Microsoft Sysinternals).

The text file exported from Process Explorer is attached for your reference.

 

I shall update the position tomorrow if any popup reappears.

 

Regards,

Shekhar

 

Hello @Shekhar

Thank you for posting back & the information!

Thank you🙏

Flood🐳 +🐋

@Flood and Flood's wife 

Before you installed KIS, did you ever check the List of applications incompatible with Kaspersky Internet Security?

 

Yes, I did, and made sure that no other conflicting program is installed. Malwarebytes was installed only a month ago to deal with this problem (but to no effect, as the malware is coming back again and again).

 

I will try to do a full scan tomorrow. I can give it a maximum of 12 hours due to my office-hour restrictions.

@Berny 

Thanks for the link; I shall see if the full scan can be sped up.

By the way, the popup has returned with a new .exe file:

Right time to contact official support, I feel.

 

Regards,

Shekhar

2 weeks later...

Hello, @Shekhar 

It seems you have been infected by a trojan-dropper or trojan-downloader type of malware. So you should first check the system boot objects using the Autoruns tool. After running this tool, you need to pay attention to the red-line objects, whether you know them or not. If you don't know one, please tell us the object name and file path.

 

@Wesly.Zhang 

Thanks for your suggestion. I have lost all hope of ever resolving this issue. Still, I went through and did the scan using the Autoruns tool you suggested. Here are the results:

##############################################################

Autorun Entry | Description | Publisher | Image Path | Timestamp

ShareMouseCredentialProvider | Support for remote user login | (Not Verified) BartelsMedia GmbH | smcp.dll | Wed Aug 30 14:16:42 2017

DSC Signer Service | | (Not Verified) | C:\Program Files\DSC Signer Service\DscSignerService.jar | Mon Apr  8 09:50:04 2019

Folder Size | Folder Size Window | (Not Verified) Brio | C:\Program Files\FolderSize\FolderSize.exe | Wed Feb 13 00:36:48 2013

DBRMTray | DBRM_Toaster | (Not Verified) Dell Computer Corporation | C:\Dell\DBRM\Reminder\DbrmTrayIcon.exe | Wed Mar  9 03:22:08 2011

Folder Size column | Folder Size column handler | (Not Verified) Brio | C:\Program Files\FolderSize\FolderSizeColumn.dll | Wed Feb 13 00:36:46 2013

FLEXnet Licensing Service | FLEXnet Licensing Service: This service performs licensing functions on behalf of FLEXnet enabled products. | (Not Verified) Macrovision Europe Ltd. | C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe | Wed Nov  8 13:28:11 2017

Intel(R) Security Assist | Intel(R) Security Assist: Security Helper | (Not Verified) Intel Corporation | C:\Program Files\Intel\Intel(R) Security Assist\isa.exe | Tue May 19 09:11:00 2015

isaHelperSvc | Intel(R) Security Assist Helper: Security Helper | (Not Verified) | C:\Program Files\Intel\Intel(R) Security Assist\isaHelperService.exe | Tue May 19 09:11:04 2015

Xcyk | Xcyk: | (Not Verified) | C:\WINDOWS\KNQqAVoL.exe | Thu Mar 10 16:31:08 2022

klids | klids: Network Processor [fre_win10_x86] | (Not Verified) AO Kaspersky Lab | C:\ProgramData\Kaspersky Lab\AVP21.3\Bases\klids.sys | Tue Feb  8 14:10:30 2022

tap0901 | TAP-Windows Adapter V9: TAP-Windows Virtual Network Driver (NDIS 6.0) | (Not Verified) The OpenVPN Project | C:\WINDOWS\System32\drivers\tap0901.sys | Wed Nov  5 18:46:26 2014

################################################################

 

Kindly see if it reveals something.

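Wesly.Zhang's advice to review the unknown Autoruns entries, and the listing Shekhar posted in reply, can be taken a step further with built-in PowerShell. The script below is an added example written for this page; it is not something posted in the thread and not part of Autoruns, Kaspersky or Malwarebytes. It walks three common autostart sources (services, Run/RunOnce keys, scheduled tasks), checks each image's Authenticode signature with Get-AuthenticodeSignature, and flags binaries that sit directly in %WINDIR% with an eight-letter mixed-case name, the pattern of both gaMkpwZe.exe from the first post and KNQqAVoL.exe (entry "Xcyk") in the Autoruns output. The name heuristic and the function names Get-ImagePath and Test-SuspiciousAutostart are this example's own, not anything the tools provide. One caveat on the posted listing: every row, including Kaspersky's own klids.sys, is marked "(Not Verified)", which is what Autoruns prints when Options > Verify Code Signatures is switched off, so that column as posted says nothing about whether the files are signed.

```powershell
# Added example, not from the thread or any vendor tool. Run from an elevated
# PowerShell 5.1+ session. Lists autostart entries that are unsigned, missing,
# or sit directly in %WINDIR% with a random-looking 8-letter name (gaMkpwZe,
# KNQqAVoL). Heuristics and function names are this example's own assumptions.

function Get-ImagePath {
    # Pull the executable path out of a service/task/Run command line such as
    #   "C:\Program Files\X\y.exe" -arg    or    C:\WINDOWS\KNQqAVoL.exe /k
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($CommandLine -match '^\s*(\S+\.(exe|dll|sys|jar))') { return $Matches[1] }
    return ($CommandLine -split '\s+')[0]
}

function Test-SuspiciousAutostart {
    # Returns a list of reasons; empty list means nothing stood out.
    param([string]$Path)
    $reasons = @()
    if (-not $Path) { return $reasons }
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    if (-not (Test-Path -LiteralPath $expanded)) { $reasons += 'file missing on disk'; return $reasons }

    # Real signature check, independent of how Autoruns was configured.
    $sig = Get-AuthenticodeSignature -LiteralPath $expanded
    if ($sig.Status -ne 'Valid') { $reasons += "signature: $($sig.Status)" }

    # Legitimate software rarely installs its binary directly into C:\Windows.
    $winRoot = [Environment]::GetFolderPath('Windows')
    if ((Split-Path -Parent $expanded) -ieq $winRoot) { $reasons += 'binary directly in %WINDIR%' }

    # Heuristic (assumption): 8 letters, mixed case, no digits, as in the posted names.
    $name = [IO.Path]::GetFileNameWithoutExtension($expanded)
    if ($name -cmatch '^(?=.*[a-z])(?=.*[A-Z])[A-Za-z]{8}$') { $reasons += 'random-looking 8-letter name' }
    return $reasons
}

$entries = @()

# 1. Services
Get-CimInstance Win32_Service | ForEach-Object {
    $entries += [pscustomobject]@{ Source = 'Service'; Name = $_.Name; Path = (Get-ImagePath $_.PathName) }
}

# 2. Run / RunOnce keys for the machine and the current user
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSParentPath... members
        $entries += [pscustomobject]@{ Source = $key; Name = $prop.Name; Path = (Get-ImagePath $prop.Value) }
    }
}

# 3. Scheduled tasks: a daily re-appearance is exactly what a task trigger would produce
Get-ScheduledTask | Where-Object State -ne 'Disabled' | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if ($action.Execute) {
            $entries += [pscustomobject]@{ Source = "Task $($task.TaskPath)"; Name = $task.TaskName; Path = (Get-ImagePath $action.Execute) }
        }
    }
}

# Report only entries with at least one reason
$entries | ForEach-Object {
    $why = Test-SuspiciousAutostart $_.Path
    if ($why.Count -gt 0) {
        [pscustomobject]@{ Source = $_.Source; Name = $_.Name; Path = $_.Path; Reasons = ($why -join '; ') }
    }
} | Format-Table -AutoSize -Wrap
```

On the machine in the thread, the Xcyk entry would be reported for the %WINDIR% location and the name pattern, and for its signature status if the file is unsigned. Treat the hits as a starting point rather than a verdict: the flagged file is what starts, while the daily return described in the first post points to something else (a service, task or other persistence) recreating it, which is why the script lists the source alongside each path.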