Closed Techsuite ran but system keeps reinfecting

[cpctech 0]

HP EnVY TS 17 Notbook PC

Has an I7 4700 processor and 16 GB ram. This machine should be running real fast.  However it seems to be really slow.  After running a full clean up using Techsuite (which includes EMSI soft removal tools)  I was ready to give it back to the client..AFter a reboot it started running real slow again.  I ran the techsuite software again and removed 17 new items.  The only thing the machine had done was site idle on the internet.

Attached is the EEK report.

The FRST 64 bit would run until I pressed scan, then it would crash. (I verified the machine is running 64 bit windows 10 home)

 

Thanks,

scan_181029-172340.txt

[Kevin Zoll 309]

Let's

See what AdwCleaner turns up.

Download AdwCleaner and save it on your Desktop.

1. Close all open programs and Internet browsers (you may want to print our or write down these instructions first).
2. Double click on adwcleaner.exe to run the tool.
3. Click on the Scan button.
4. After the scan has finished, click on the Clean button.
5. Confirm each time with OK.
6. You will be prompted to restart your computer. A text file will open in Notepad after the restart (this is the log of what was removed), which you can save on your Desktop.
7. Attach that log file to your reply.
   NOTE: If you lose that log file for any reason, you can find it at C:\AdwCleaner on your computer.

[cpctech 0]

AdwCleaner[C00].txt

[Kevin Zoll 309]

OK,

Try running FRST.  If it runs successfully attach the scan logs generated by FRST.  If not, I will have you run RogueKiller.

[cpctech 0]

Tried running FRST and it crashed in the same place (just after pushing scan)  I ran Roguekiller from within Techsuite, then ran FRST, and still have the same result.  I suspect I need the Rogue killer download from you next.

[Kevin Zoll 309]

Download RogueKiller from https://www.fosshub.com/RogueKiller.html and save it to your desktop.

• Double-click on setup.exe to install RogueKiller.

Close all programs and disconnect any USB or external drives before running the tool.

• Right-click RogueKiller.exe and select Run As Administrator to run the tool.
• Once the Prescan has finished, click Scan.
• Once the Status box shows "Scan Finished", click on the "Report" button and attach the scan log to your reply.

[cpctech 0]

Something is interfering with Roguekiller also.

 

see attached screenshot

[Kevin Zoll 309]

Try the 64-bit Portable version: https://www.adlice.com/download/roguekiller/?wpdmdl=59&ind=aHR0cDovL2Rvd25sb2FkLmFkbGljZS5jb20vYXBpP2FjdGlvbj1kb3dubG9hZCZhcHA9cm9ndWVraWxsZXImdHlwZT14NjQ

[cpctech 0]

Ok.  Sorry it was so long to reply... I had to figure out how to run that w/o having it clean up stuff.

 

It did detect screenconnect.exe which is the software I am using to remote control the machine so that is safe.

 

here is the log

 

RogueKiller_portable64.log

[Kevin Zoll 309]

I don't see anything malicious in the RogueKiller scan.

Please read through these instructions before starting.

1. Create a Windows 10 recovery USB stick: https://www.techrepublic.com/article/be-prepared-create-a-windows-10-recovery-drive/
2. Using the clean machine, download a fresh copy of FRST64.exe that has never touched the 'sick' machine, and copy it to a separate USB stick. DO NOT INSERT THE USB STICK INTO THE 'SICK' MACHINE YET.
3. Once you're ready with the USB stick and the Windows 10 recovery USB stick (yes, two sticks), shut down the sick computer completely. As in shut down power off. Follow the instructions here to boot from the Windows 10 recovery USB stick: https://craftedflash.com/info/how-boot-computer-from-usb-flash-drive
4. Use the Repair -> Troubleshoot -> Command Prompt option within recovery mode. Once there, plug in the second USB stick that has FRST64 on it. Find your USB drive by running notepad.exe, clicking File->Open, then noting which drive says "Boot". Normally that is 😧 or E:, depending on how many drives are in your machine. Either way, we're looking for the USB stick drive letter. You can also find it by typing (in the command prompt) "dir d:", "dir e:" etc. until you find the FRST64.exe program you downloaded earlier.
5. Type "FRST64" to run it. Click the Scan button. Please send the FRST.txt file that it creates. If all goes well, FRST64 will have killed the malware driver, and you'll be able to reboot into normal mode where we can finish the removal.

[cpctech 0]

In trying to review your instructions I recived this on clicking the link for step 3.

craftedflash.com uses an invalid security certificate. The security certificate for craftedflash.com is not trustworthy because the issuing organization failed to follow security practices. Certificates issued by Symantec, including the Thawte, GeoTrust, and RapidSSL brands, are not considered safe. Error code: MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED

I find it odd that Symantec is on the "not trusted" list.

[cpctech 0]

What if I don't have a USB stick that is fresh.  Should I wait until I can travel the 150 miles round trip (this friday) to staples and buy a new one? (We live out in the sticks)

[cpctech 0]

Not to mention now you have me worried, as I have been using a usb stick to nike network files from that machine to my work PC to make these posts.

[cpctech 0]

I ran FSRT64.exe from a fresh download on to a USB I am failrly certain is clean.  I booted into repair on a media creation tool created windows 10 installer usb I created earlier.

Here is what I got.

 

FRST.txt

[Kevin Zoll 309]

I am not seeing any malware in the FRST log.

Try running FRST from normal mode again.

[cpctech 0]

At this point, the client wants their machine back.  I am going to wipe and reload it.

 

Thanks for trying.

 

[Kevin Zoll 309]

Topic Closed