Malware Trying to Encrypt my Hard Drives


  1. Posts : 41,452
    windows 10 professional version 1607 build 14393.969 64 bit
       #21

    Every test or every AV software program will have:
    False positives
    False negatives
    True positives
    True negatives
    Accuracy

    This is Cybereason marketing:
    How Cybereason keeps false positive rates low

    AV-Comparatives False Alarm Test - AV-Comparatives

    https://www.av-comparatives.org/wp-c..._201709_en.pdf


  2. Posts : 28
    Win 10 Pro 64bit Enterprise
    Thread Starter
       #22

    zbook said:
    Had you made a backup image with either or both Macrium and Acronis?

    Which of these scan reports are available:
    Superantispyware
    ZoneAlarm
    Malwarebytes
    Windows Defender
    Bitdefender BDAntiransomware
    Kaspersky
    Zemana
    Avast
    Norton Power Eraser

    Which others did you use?
    I do a backup every night with Macrium. But I'm sure all it has done is back up the virus also, so these backups are unlikely to be of any use.

    The only one I did not try that is on your list is Zemana. Their reports all either came up blank or found some PUPs, potentially undesirable programs.

    When I burn a CD and run the AV scan outside of Windows, Bitdefender and others found a few files they wanted to delete but could not do it because they gave me a message saying Win 10 has locked them out of deleting any files. I think this is only happening with the new Win 10 Creators Update. I don't know how to get them to have the permission to delete these files. If anyone knows how to do this, I will run the Bitdefender CD again and hope it will be able to nuke this highly irritating virus!


  3. Posts : 16,325
    W10Prox64
       #23

    Todd, as zbook says, if you have any of the logs from the AVs you ran, they may be helpful for us.

    Based on your description of what happened as a trigger, and what keeps happening, I tend to think that perhaps a fileless infection with a rootkit has gotten in. But I also wonder if maybe you aren't overdoing it with protection, and causing conflicts as well. Here are some of my recommendations:

    Based on your FRST logs,

    Uninstall IObit (not a trustworthy company)
    Update CCleaner
    Update Firefox
    Uninstall Malwarebytes Anti-Exploit if you have a standalone version installed.

    Unless you absolutely need these for something in particular, get rid of them:
    Adobe Air
    Adobe Flash
    Adobe shockwave player
    Java
    Silverlight
    Microsoft Office Professional Edition 2003 (use Libre Office Free instead)


    You have Bitdefender AntiRansomware and Cybereason RansomFree installed. Could this be a conflict?
    And those files you see being created are probably the honeypots from Cybereason.


    Malicious Software Removal Tool from MS is disabled:
    HKLM Group Policy restriction on software: %systemroot%\system32\mrt.exe <==== ATTENTION

    System Restore is disabled:
    HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig] <==== ATTENTION

    CoreTemp Program - OK:
    R3 ALSysIO; C:\Users\Todd\AppData\Local\Temp\ALSysIO64.sys [35320 2017-10-16] (Arthur Liberman) <==== ATTENTION

    Now, Poweliks was one of the first fileless infections, and has been developing over the years. Have a read of these instructions from Symantec. They have steps to perform, in that order. One thing for you though, is this CoreTemp program, which runs ALSysIO64.sys from your user profile temp folder. You don't want to remove that file, or the program won't work:
    Remove Trojan.Poweliks from your computer

    Another fileless infection making the rounds right now is Kovter:
    How to remove the Kovter Trojan (Removal Guide)

    Another thing you might try is booting to Kyhi's custom rescue media, and running Malwarebytes Antimalware from there. Malwarebytes (MBAM) is able to detect malicious registry entries related to fileless infections. Be sure to update the definitions before running it, and check the box to detect Rootkits as well. Then do a Full Scan of the OS drive.
    Windows 10 Recovery Tools - Bootable Rescue Disk - Windows 10 Forums

    I am not seeing anything obvious in the FRST logs, which makes me think there is a conflict with your installed anti-ransomware programs. If the link in the suspect email took you to a web page that delivered, say, an Angler exploit kit, it's quite possible you got a fileless infection. It's also possible that this put your anti-ransomware programs into action, and the conflict began, and has continued.

    Again, if we could see the logs from the other av scans you ran, it may help us pinpoint something. On the other hand, sometimes a clean install is the best resolution. At this point I cannot suggest a solution - there's just not enough information to identify the best course of action.

    Just a thought: Since you have daily Macrium backups, why not disconnect your backups and data drives (to keep them safe), and let the supposed malicious injected-explorer.exe file run, and see what happens? The image(s) can always be restored and you'll be back to where you started. At least, if it does really encrypt, we can get the ransom note and file extensions, and identify the particular infection you have, so we can determine how best to clean it.
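An added example (written for this page, not code from the thread, Cybereason or Malwarebytes) of how a bait-folder check like the one described in the post above works: canary files are hashed into a manifest and a later pass reports any canary that was rewritten or removed, which is why deleting the bait folders by hand sets the product off. The folder name, file names and manifest name are constructed for the example.

```python
# Minimal canary (bait) file monitor, the mechanism RansomFree-style
# anti-ransomware relies on. Not the vendor's code; names are constructed.
import hashlib
import json
import os
from pathlib import Path

CANARY_DIR = "_canary"             # hypothetical bait folder name
MANIFEST = "canary_manifest.json"  # hypothetical manifest file name


def _sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def plant_canaries(root: Path, count: int = 3) -> dict:
    """Create `count` decoy files under root/_canary and record their hashes."""
    canary_dir = root / CANARY_DIR
    canary_dir.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for i in range(count):
        p = canary_dir / f"document_{i}.docx"   # decoy name, constructed
        p.write_bytes(os.urandom(1024))          # random bytes: no real data at risk
        manifest[str(p.relative_to(root))] = _sha256(p)
    (root / MANIFEST).write_text(json.dumps(manifest))
    return manifest


def check_canaries(root: Path) -> dict:
    """Compare the current state of each canary against the manifest."""
    manifest = json.loads((root / MANIFEST).read_text())
    result = {"ok": [], "modified": [], "missing": []}
    for rel, digest in manifest.items():
        p = root / rel
        if not p.exists():
            result["missing"].append(rel)    # removed: what a manual delete does
        elif _sha256(p) != digest:
            result["modified"].append(rel)   # rewritten: what encryption does
        else:
            result["ok"].append(rel)
    return result


def is_alert(result: dict) -> bool:
    """Either a changed or a vanished canary is treated as a hit."""
    return bool(result["modified"] or result["missing"])
```

A real product would watch the files continuously and react to the process touching them; this batch version only shows why a deleted bait folder and an encrypted one look the same to the check.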


  4. Posts : 28
    Win 10 Pro 64bit Enterprise
    Thread Starter
       #24

    I've got an expert friend who is going to take a look at my system, hopefully tomorrow. I'm hoping he can fix it. He's in his 50s and has been doing this sort of thing for years now.

    I will definitely let you folks know what he finds. :)


  5. Posts : 16,325
    W10Prox64
       #25

    Todd said:
    I've got an expert friend who is going to take a look at my system, hopefully tomorrow. I'm hoping he can fix it. He's in his 50s and has been doing this sort of thing for years now.

    I will definitely let you folks know what he finds. :)
    Sounds good. Will be interesting to know his findings.


  6. Posts : 31,604
    10 Home x64 (22H2) (10 Pro on 2nd pc)
       #26

    Todd said:
    I've got an expert friend who is going to take a look at my system, hopefully tomorrow. I'm hoping he can fix it. He's in his 50s and has been doing this sort of thing for years now...
    Make sure he reads this thread first, particularly the latest posts. It should help him home in on the culprit(s)...


  7. Posts : 28
    Win 10 Pro 64bit Enterprise
    Thread Starter
       #27

    My friend has come to the same conclusion you folks did. This is just Cybereason putting "bait" folders on each hard drive, and when I delete them, it springs into action and stops it happening.

    So this thread is almost certainly solved.

    Thanks a million all you folks who lent a hand! I hope I can help you out in the future! :)


  8. Posts : 16,325
    W10Prox64
       #28

    Todd said:
    My friend has come to the same conclusion you folks did. This is just Cybereason putting "bait" folders on each hard drive, and when I delete them, it springs into action and stops it happening.

    So this thread is almost certainly solved.

    Thanks a million all you folks who lent a hand! I hope I can help you out in the future! :)
    Cheers Todd.

