Solved Trojan.agent in windows hosts keeps coming back

[ac17]

Hi TwinHeadedEagle -

I'm having EXACTLY the same issue as the OP.

Malwarebytes is detecting a trojan at C:\WINDOWS\HOSTS

Yet this location does not exist - nor is there a hosts file in the common location (C:\Windows\System32\drivers\etc\hosts)

-And when I go to quarantine the file detected by malwarebytes, it requests to reboot, and then the system locks up.

It's a brand new W10 install with a few extra programs.

I have tried scanning with Spybot Search and Destroy, ESET NOD, and Kaspersky. All returned nothing.

Can you please walk me through the solution you gave the OP in the above?

Thanks in advance !

 

[TwinHeadedEagle]

Hello,


[MANDATORY] Preparation Guide Before Requesting Malware Removal Help

 

[ac17]

Hi.
Thanks for your reply.

I've done what you requested.

I've also scanned system with "exterminate it!" and it picked up the same thing.

Rhe file does not exist (nor does the directory), even not in safe mode with 'hidden files' and 'system files' showing.

-is it a false positive?

Thanks again for your help!

 

[TwinHeadedEagle]

Please uninstall Iobit Unlocker and Spybot from your system.

Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.

Running it on another one may cause damage and render the system unstable.

​

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

• Right-click on
  
  icon and select
  
  Run as Administrator to start the tool.
  (XP users click run after receipt of Windows Security Warning - Open File).
• Press the Fix button just once and wait.
• If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
• When finishes FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.



Check Disk

• Press the
  
  on your keyboard. Type cmd and right click >> Run as Administrator.
• Copy/Enter the command below and press Enter:

• chkdsk C: /r

• You should get a message to schedule Check Disk at next system restart. Please type Y and press Enter.
• All you should do now is to restart your PC and let the Check Disk process finish uninterrupted.

Check Disk report:

• Press the
  
  + R on your keyboard at the same time. Type eventvwr and click OK.
• In the left panel, expand Windows Logs and then click on Application.
• Now, on the right side, click on Filter Current Log.
• Under Event Sources, check only Wininit and click OK.
• Now you'll be presented with one or multiple Wininit logs.
• Click on an entry corresponding to the date and time of the disk check.
• On the top main menu, click Action > Copy > Copy Details as Text.
• Paste the contents into your next reply.

 

[ac17]

Log Name: Application
Source: Microsoft-Windows-Wininit
Date: 17/03/2017 18:11:34
Event ID: 1001
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: DESKTOP-1K82NJU
Description:


Checking file system on C:
The type of the file system is NTFS.

A disk check has been scheduled.
Windows will now check the disk.

Stage 1: Examining basic file system structure ...
289280 file records processed.

File verification completed.
5938 large file records processed.

0 bad file records processed.


Stage 2: Examining file name linkage ...
361210 index entries processed.

Index verification completed.
0 unindexed files scanned.

0 unindexed files recovered to lost and found.


Stage 3: Examining security descriptors ...
Cleaning up 21 unused index entries from index $SII of file 0x9.
Cleaning up 21 unused index entries from index $SDH of file 0x9.
Cleaning up 21 unused security descriptors.
Security descriptor verification completed.
35966 data files processed.

CHKDSK is verifying Usn Journal...
33637168 USN bytes processed.

Usn Journal verification completed.

Stage 4: Looking for bad clusters in user file data ...
289264 files processed.

File data verification completed.

Stage 5: Looking for bad, free clusters ...
13053238 free clusters processed.

Free space verification is complete.

Windows has scanned the file system and found no problems.
No further action is required.

94183463 KB total disk space.
41463672 KB in 202699 files.
113952 KB in 35967 indexes.
0 KB in bad sectors.
392887 KB in use by the system.
65536 KB occupied by the log file.
52212952 KB available on disk.

4096 bytes in each allocation unit.
23545865 total allocation units on disk.
13053238 allocation units available on disk.

Internal Info:
00 6a 04 00 aa a3 03 00 d0 c5 05 00 00 00 00 00 .j..............
cb 00 00 00 35 00 00 00 00 00 00 00 00 00 00 00 ....5...........

Windows has finished checking your disk.
Please wait while your computer restarts.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Wininit" Guid="{206f6dea-d3c5-4d10-bc72-989f03c8b84b}" EventSourceName="Wininit" />
<EventID Qualifiers="16384">1001</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2017-03-17T07:11:34.582364100Z" />
<EventRecordID>53917</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>DESKTOP-1K82NJU</Computer>
<Security />
</System>
<EventData>
<Data>

Checking file system on C:
The type of the file system is NTFS.

A disk check has been scheduled.
Windows will now check the disk.

Stage 1: Examining basic file system structure ...
289280 file records processed.

File verification completed.
5938 large file records processed.

0 bad file records processed.


Stage 2: Examining file name linkage ...
361210 index entries processed.

Index verification completed.
0 unindexed files scanned.

0 unindexed files recovered to lost and found.


Stage 3: Examining security descriptors ...
Cleaning up 21 unused index entries from index $SII of file 0x9.
Cleaning up 21 unused index entries from index $SDH of file 0x9.
Cleaning up 21 unused security descriptors.
Security descriptor verification completed.
35966 data files processed.

CHKDSK is verifying Usn Journal...
33637168 USN bytes processed.

Usn Journal verification completed.

Stage 4: Looking for bad clusters in user file data ...
289264 files processed.

File data verification completed.

Stage 5: Looking for bad, free clusters ...
13053238 free clusters processed.

Free space verification is complete.

Windows has scanned the file system and found no problems.
No further action is required.

94183463 KB total disk space.
41463672 KB in 202699 files.
113952 KB in 35967 indexes.
0 KB in bad sectors.
392887 KB in use by the system.
65536 KB occupied by the log file.
52212952 KB available on disk.

4096 bytes in each allocation unit.
23545865 total allocation units on disk.
13053238 allocation units available on disk.

Internal Info:
00 6a 04 00 aa a3 03 00 d0 c5 05 00 00 00 00 00 .j..............
cb 00 00 00 35 00 00 00 00 00 00 00 00 00 00 00 ....5...........

Windows has finished checking your disk.
Please wait while your computer restarts.
</Data>
</EventData>
</Event>

 

[TwinHeadedEagle]

How is the situation now?

 

[ac17]

Seems all working fine! You're a Scholar and a Saint!

So was it infact malware or was it a false positive?

 

[TwinHeadedEagle]

It seems so.