Solved Trojan found on new PC

Hi,

Yesterday I opened a folder in my downloads that I didn't recognise and immediately got a pop-up alert saying it was suspicious. Windows security was saying it was a trojan. I did manage to take a pic of it and it said it was called Trojan:MSIL/AgentTesla.HB!MTB. The Status was 'Active' and it said it it was 'Severe.'

After running the Full scan in Windows Security, it was still there. But I noticed more in the list. Some of them, it let me perform the remove action. But that main one I mentioned I think that is the one that was hanging around.

So after doing a bit of looking online I came across this article:

Basically it said it keeps the scan records in Protection History in C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service and by deleting that folder it will stop Windows Security from showing the threat over and over again.

I did that and it seemed to have worked. Virus and threat protection now shows no red exclamation marks and is all green checkmarks. But what I wanted to ask people here - is it really gone from my system and am I safe now? I was actually planning a full system wipe until I found this article. So keen to hear what people have to say about it.

Am I being too paranoid to think any of my details have been stolen and are not in the hands of these snakey little hackers? Any help will be greatly appreciated.

Thanks

I don't like sending people away to other sites, but after googling that trojan name, I think you should get expert help with this one; Bleeping computer has trained folks that specialize in removing malware like this, I think you would be safer asking for help there.

Hi there

can I also make a suggestion here too .

It's a bit more complex but I've found that this method has worked for all sorts of virus removals - especially the persistent kind.

I had to remove a particularly nasty one from someone's computer after he'd obviously tried a Pirate copy of Office2021 and was using one of those "KMS" things to activate it. Deleting the appropriate folder didn't work since a few minutes later the threat would re-appear even after uninstalling the rogue version of Office 2021.

Ensure you have a bootable Virus free copy of Windows available. Then run Windows defender FROM THAT (AND NOT THE INFECTED) machine multiple times against specific individual folders on the infected machine. The virus might be in one of the "hidden" system folders under your user id which WD might not be able to get a "lock" on to remove the problem if you run WD on the infected machine.

Again just time consuming but you can make a bootable stand alone Windows system by creating a vhdx file on an external drive, using DISM /APPLY-IMAGE to install from an ISO and run bcdboot to create the boot loader on the external device.

Don't bother activating that system if it shows not activated. All you want to do is to have an independent system to run WD from. Having a bootable windows system on an external device is a useful tool in any case so it's worth it IMO to spend a bit of time doing it even if it takes several goes,

Note also you can still bypass the "Sign on with an Ms account" when installing windows this way -- just enter nobody@nobody.com as the Ms account name and any password you like e.g Boll-cks" and you'll get the next screen to continue the set up process.

If you don't have an ISO get one from UUPDUMP. Any recent version will do.

You don't need to mess around with 3rd party stand alone Virus removal tools whether paid for or otherwise for this purpose.

And a warning to others -- beware of some copies of Office 2021 doing the rounds - those Pirate copies are usually riddled with really hard to remove "Nasties".

Cheers
jimbo

Thanks for the replies guys. @jimbo45 thanks for the process, that is something that could come in handy in the future. But for now though, I am probably fine now as is?

I do not want to wipe or jump through loads of hoops if I do not need to. The are no reports of dodgy going on, according to Windows Defender ald also Malwarebytes.

@z3r010 thanks - but it looks like the thing is removed now. You are just suggesting this if I couldn't remove it, right?

RedLad said:

Thanks for the replies guys. @jimbo45 thanks for the process, that is something that could come in handy in the future. But for now though, I am probably fine now as is?

I do not want to wipe or jump through loads of hoops if I do not need to. The are no reports of dodgy going on, according to Windows Defender ald also Malwarebytes.

@z3r010 thanks - but it looks like the thing is removed now. You are just suggesting this if I couldn't remove it, right?

Click to expand...

Thanks for your feedback --really appreciate it when trying to help people they answer instead of just disappearing into thin air.

Glad it all works for you -- perhaps mark thread as solved !!

Cheers
jimbo

jimbo45 said:

Thanks for your feedback --really appreciate it when trying to help people they answer instead of just disappearing into thin air.

Glad it all works for you -- perhaps mark thread as solved !!

Cheers
jimbo

Click to expand...

Ah yeah, always good to try and reply to people if possible. I have found the people on here are very helpful.

Knowing my luck I will hit mark as solved and then the virus will raise its head again and ruin my PC

In general if there are all green checkmarks in Windows Security, all can be thought of as being OK now? I just want peace of mind!

RedLad said:

In general if there are all green checkmarks in Windows Security, all can be thought of as being OK now? I just want peace of mind!

Click to expand...

I make backups of clients' data when working on their machine and sometimes in the process of deleting or cleaning up drives used I will have Windows Security hit upon an infection that supposedly didn't exist in the past. It would appear that over time as the Definitions are updated to add new information about older unwanted programs so it really keeps us alert.

RedLad said:

In general if there are all green checkmarks in Windows Security, all can be thought of as being OK now? I just want peace of mind!

Click to expand...

Berton said:

... I will have Windows Security hit upon an infection that supposedly didn't exist in the past.

Click to expand...

@OP I suggest you keep scanning regularly beyond what Windows Security does but you still can't be positive that you are malware-free, even if there had been no apparent infection to begin with ... at some point you will have to be content with that kind of 'no threats detected' status rather than achieving a 'your device is squeaky clean' status, nobody and nothing can give you the latter kind of assurance.

True, that's a bit paranoid, but the facts that @Berton (and others) regularly toss up are difficult to escape from ...

Edit: I am not discouraging you from seeking reassurance from Bleeping Computer if you are so inclined, they are excellent.

I have been trained in Malware removal including Trojans, this i have been doing for over 20 yrs. So if you need help please run this program & tell me the results !

Malwarebytes AdwCleaner >>> Download AdwCleaner

Please download AdwCleaner and save it to your Desktop
* Close all open programs and browsers
* Right click on the icon and select Run as administrator
* Click Scan now
* Allow the program to Quarantine what it finds except for Pre-installed applications if you would like to keep those or other entries you would like to keep
* When completed click View Scan Log File
* Copy and paste the contents in your reply
* Click Skip Basic Repair if it appears then close the program

====================================

RougeKiller >>> Download RogueKiller

Thanks !

flashh4 said:

I have been trained in Malware removal including Trojans, this i have been doing for over 20 yrs. So if you need help please run this program & tell me the results !

Malwarebytes AdwCleaner >>> Download AdwCleaner

Please download AdwCleaner and save it to your Desktop
* Close all open programs and browsers
* Right click on the icon and select Run as administrator
* Click Scan now
* Allow the program to Quarantine what it finds except for Pre-installed applications if you would like to keep those or other entries you would like to keep
* When completed click View Scan Log File
* Copy and paste the contents in your reply
* Click Skip Basic Repair if it appears then close the program

====================================

RougeKiller >>> Download RogueKiller

Thanks !

Click to expand...

Hi there

Not wishing to start any flaming wars -- but for HOME (not Corporate) computers especially those running insider builds from any branch I don't recommend using ANY 3rd party anti Virus software --paid or otherwise.

WD is updated pretty regularly and no 3rd party system can possibly keep up at the same pace as Ms updates of this stuff -- added to which WD is now based on the security built in to its commercial AZURE cloud server system -- which has almost military strength protection and is regarded as currently one of the (if not the) best in the industry.

Using a separate computer to run WD to clean an infected computer as I suggested previously works fine.

Using an Infected computer to cleanse itself is the same as telling a pilot to fix a plane knowing that it's defective while in the air !!! You do it on the ground and I've been flying small private planes for more than 25 years now and have had numerous (fortunately solvable) problems -- and always have managed to land the plane and then get it fixed. !!!!.

Cheers
jimbo

RedLad said:

Hi,

Yesterday I opened a folder in my downloads that I didn't recognise and immediately got a pop-up alert saying it was suspicious. Windows security was saying it was a trojan. I did manage to take a pic of it and it said it was called Trojan:MSIL/AgentTesla.HB!MTB. The Status was 'Active' and it said it it was 'Severe.'

After running the Full scan in Windows Security, it was still there. But I noticed more in the list. Some of them, it let me perform the remove action. But that main one I mentioned I think that is the one that was hanging around.

So after doing a bit of looking online I came across this article:

Redirecting

Basically it said it keeps the scan records in Protection History in C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service and by deleting that folder it will stop Windows Security from showing the threat over and over again.

I did that and it seemed to have worked. Virus and threat protection now shows no red exclamation marks and is all green checkmarks. But what I wanted to ask people here - is it really gone from my system and am I safe now? I was actually planning a full system wipe until I found this article. So keen to hear what people have to say about it.

Am I being too paranoid to think any of my details have been stolen and are not in the hands of these snakey little hackers? Any help will be greatly appreciated.

Thanks

Click to expand...

I dont mess with stuff like that. If I get just one little virus/trojan, it's an automatic clean install for me. I would suggest that for anyone.

I was going to say the same. If it was me I would disconnect from the internet, turn off your router, back up all personal files on an external drive, wipe the drive, clean install windows with no internet turned on Install Malwarebytes from a usb stick - plug in the external drive with files on and scan those in case anything is sitting in any of your files and also use something like Kaspersky offline scanner on the external drive. With the greatest respect you can't just rely on Windows defender - using two or three different scanners is more belt and braces. Trend Micro do an offline one as well.

There are some rare nasty ones that can infect bios and jump back on even a clean drive - if that happens you really will need Bleeping Computer.

I only had one nasty trojan which was on an old computer I was trying to fix - I couldn't get anything to install the drive and assumed it was dead. I then stupidly used the same usb stick in another laptop. A very old trojan got onto the usb stick from the dead laptop - jumped onto the other laptop, and luckily was blocked by antivirus. But it was one that could spread through the entire network in seconds and infect the router as well.

After that I have always used Panda vaccine on all usb sticks and laptops.

Jimbo45, you might need to visit one of the Malware forums and do some studying up on how to remove Malware ! You just might learn something new on removing Virus, Trojans & other bad things !!

The thing I hate kinda is windows Defender doesn't scan a folder unless you go to open it when it's too late. Why can't they have a option to where you click a folder it'll scan

WAI said:

The thing I hate kinda is windows Defender doesn't scan a folder unless you go to open it when it's too late. Why can't they have a option to where you click a folder it'll scan

Click to expand...

I find it on the right-click of a folder and Show more options.

Berton said:

I find it on the right-click of a folder and Show more options.

View attachment 51542

Click to expand...

I know that part but be nice to have that function in settings

JMedlock83 said:

I dont mess with stuff like that. If I get just one little virus/trojan, it's an automatic clean install for me. I would suggest that for anyone.

Click to expand...

Agree! I can do a clean install more quickly than spending a lot of time trying to get rid of malware.

Totally agree. These days viruses don't go away

I disagree with a lot of you who have never done any cleaning other than to spend the time to wipe your hard drive & some Trojans will stay ! Go ask any Malware Removal Specialist if you do not believe me ! Sometimes we have had to run 3 or 4 different programs to find & remove them ! As you said WAI "they just don't go away" !
Most will be removed with a wipe but not all !

flashh4 said:

Most will be removed with a wipe but not all !

Click to expand...

Can you give examples and some reasoning as to why the sample instances are so resilient?