Question Trojan Keeps Coming Back After Windows Restart, Won't Remove

Teekiii

Honorable
Jan 19, 2017
56
4
10,535
Hello everyone,

My PC got infected with this damn annoying trojan from EpicNet Inc (Cloudnet.exe). It's very famous, and I got infected with it a month ago; I realized it was a virus in the same minute I executed the program, and then I replaced the whole Windows with a fresh version.

But in my current case, this time there's no program that I've executed by mistake and there's no active suspicious process,
but each time I do a scan when I start my Windows (it's a habit) I can see the same 8 files every time. I remove them with Malwarebytes or manually to make sure they're gone,
but on restart they are back again.


I use Windows 10, and for checking the processes I use both Process Explorer and SecurityTaskManager (I use them of course before removing the trojans, but I can't find any shady processes or any process whose location matches where the trojan is).


It's important to note that it only recreates itself upon Windows restart, not after a certain time.
I need to know: how does it recreate itself? How do I completely delete it? And how do I protect myself in the future from such trojans that come from webpage scripts and such things? Will using Sandboxie help? (I'm not considering buying any antivirus, and I'm sure they won't stop hidden webpage attacks; they only slow my machine.)

And here's the Malwarebytes log:


Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 3/6/20
Scan Time: 3:19 PM
Log File: 15a3503a-5fad-11ea-a7ef-00241d1fea74.json

-Software Information-
Version: 4.0.4.49
Components Version: 1.0.823
Update Package Version: 1.0.20172
License: Expired

-System Information-
OS: Windows 10 (Build 18362.657)
CPU: x64
File System: NTFS
User: DESKTOP-UUS8QFF\Teeky

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 296553
Threats Detected: 8
Threats Quarantined: 0
Time Elapsed: 4 min, 13 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 8
Trojan.Glupteba.BITSRST, C:\Users\Teeky\AppData\Roaming\EpicNet Inc\CloudNet\cloudnet.exe\Protection Dir, No Action By User, 1130, 781247, , , ,
Trojan.Glupteba.BITSRST, C:\Users\Teeky\AppData\Roaming\EpicNet Inc\CloudNet\cloudnet.exe, No Action By User, 1130, 781247, , , ,
Trojan.Glupteba.BITSRST, C:\Users\Teeky\AppData\Roaming\EpicNet Inc\CloudNet, No Action By User, 1130, 781247, , , ,
Trojan.Glupteba.BITSRST, C:\USERS\TEEKY\APPDATA\ROAMING\EPICNET INC, No Action By User, 1130, 781247, 1.0.20172, , ame,
Trojan.Glupteba.BITSRST, C:\Users\Teeky\AppData\Local\EpicNet Inc\CloudNet\cloudnet.exe\Protection Dir, No Action By User, 1130, 781248, , , ,
Trojan.Glupteba.BITSRST, C:\Users\Teeky\AppData\Local\EpicNet Inc\CloudNet\cloudnet.exe, No Action By User, 1130, 781248, , , ,
Trojan.Glupteba.BITSRST, C:\Users\Teeky\AppData\Local\EpicNet Inc\CloudNet, No Action By User, 1130, 781248, , , ,
Trojan.Glupteba.BITSRST, C:\USERS\TEEKY\APPDATA\LOCAL\EPICNET INC, No Action By User, 1130, 781248, 1.0.20172, , ame,

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

The msconfig & startup process screenshot:

View: https://imgur.com/Do4omUe
 

Teekiii

Full wipe and reinstall.

Okay, I won't disagree with that solution at all, but at least I need to know the reason or what causes this recreation.

And most importantly, how to avoid these trojans that come from the pop-up webpages? Is Sandboxie effective? I won't do a reinstall every couple of weeks; it's very annoying.
 

USAFRet

Titan
Moderator
Okay, I won't disagree with that solution at all, but at least I need to know the reason or what causes this recreation.

And most importantly, how to avoid these trojans that come from the pop-up webpages? Is Sandboxie effective? I won't do a reinstall every couple of weeks; it's very annoying.
If you're getting an infestation like this every couple of weeks, the keyboard operator is the issue.
 

Teekiii

Oh, I get it now.

Sir, I completely avoid downloading or executing any suspicious programs, and even browsing any shady websites,
and this infection didn't happen this time from executing any program or downloading any files at all. No one can be safe from these trojans these days; I have to visit dozens of websites every day when I need Photoshop resources for my work.

And what I did understand from searching online is that VISITING A WEBPAGE is more than enough to get infected with trojans, so Sir, regardless of your unprofessional comparison, if you suggest that the user doesn't browse any website at all, then it could really work in that case.

____

Can anyone tell me if Sandboxie is an effective solution for keeping my PC safe and browsing freely?

I already decided not to use Google Chrome again because I think it's really useless when it comes to serious protection and security; I'm switching to Firefox. Any suggestions other than NOT BROWSING at all would be appreciated.
 

Colif

Win 11 Master
Moderator
All the software you use is legit or not, so get Avast Free; it has a module to scan the system at startup. See what happens.
Nothing Avast gives you is free. They are more in the email-address-harvesting industry than the AV industry now. They sell their mailing list to advertisers to make money. So I already suggested Bitdefender Free, which won't send you emails every few weeks offering upgrades you don't need. I had the paid version; they still wanted more money. Pass.
 

Teekiii


"...I got infected with it a month ago and i realized it was a virus in the same minute i excuted the program and then i replaced the whole windows with a fresh version"

"But in my current case, this time there's no program that i've by mistake excuted and there's no active suspicious process, "

😊
 

Teekiii

All the software you use is legit or not, so get Avast Free; it has a module to scan the system at startup. See what happens.
Thank you for your reply. I'm currently trying Colif's solution, which is Bitdefender, so I can't install Avast, as the two of them will conflict with each other, but if Bitdefender fails I've got Avast in the queue.
 
Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 3/6/20
Scan Time: 3:19 PM
The time the scan ran just caught my eye, but your post was at 6:10 am. IDK, maybe your AM/PM is set backwards on the computer.

When you redid your Windows 10, did you "0" out your infected drive, or just refresh your install of Windows 10?

I'm wondering if, as you say, you can remove all the files that are part of your virus but after restarting it's back. Turn off your page file, run your antivirus programs, then restart and re-check for the virus.

The page file is a protected part of your hard drive that is off limits to your antivirus program unless you temporarily turn it off.
 

Teekiii

The time the scan ran just caught my eye, but your post was at 6:10 am. IDK, maybe your AM/PM is set backwards on the computer.

When you redid your Windows 10, did you "0" out your infected drive, or just refresh your install of Windows 10?

I'm wondering if, as you say, you can remove all the files that are part of your virus but after restarting it's back. Turn off your page file, run your antivirus programs, then restart and re-check for the virus.

The page file is a protected part of your hard drive that is off limits to your antivirus program unless you temporarily turn it off.

First of all, thanks for your reply; you really have sharp eyesight.
The time difference is because I live in the Middle East; the time zone here is GMT+2, so it's totally normal.

I turned off the page file, removed the virus files, did a restart and then went into the damn directory
to see if it still exists or not, and I didn't find it! I was about to celebrate when it just created itself right in front of my eyes. I think it's kind of a late-start service, but I can't find it. I was disappointed again.

I wish someone would explain to me the reason for this re-creation process. How do I trace it? Is it a hidden service?
Is it a registry entry? I don't really understand.

And for the third time: if I use Sandboxie with my browser in the future, will it help me stay on the safe side while browsing?
 

Teekiii

Nothing Avast gives you is free. They are more in the email-address-harvesting industry than the AV industry now. They sell their mailing list to advertisers to make money. So I already suggested Bitdefender Free, which won't send you emails every few weeks offering upgrades you don't need. I had the paid version; they still wanted more money. Pass.

Unfortunately Bitdefender didn't find anything! I scanned the system partition and there were no threats. I'm doing a full system scan now, but I don't know if that's necessary or not. Do you have any idea about a program that can help me take a closer look at the startup services, whether there are hidden services or anything like that, or maybe tell me the time each service started after Windows starts? I noticed that the trojan files create themselves about 40-60 seconds after Windows restarts.
 

USAFRet

During a full wipe and reinstall, a typical virus cannot recreate itself. There is nothing left of the original data on the drive.

Full wipe = delete ALL partitions, and then proceed. Not just a 'reset' or 'refresh'.
Just turning off the pagefile and 'removing' the virus does not do it.

Full wipe and then an OS install.

Now...there is a tiny subset of malware that can infect the BIOS and recreate itself. This is exceedingly rare.
 

Teekiii

During a full wipe and reinstall, a typical virus cannot recreate itself. There is nothing left of the original data on the drive.

Full wipe = delete ALL partitions, and then proceed. Not just a 'reset' or 'refresh'.
Just turning off the pagefile and 'removing' the virus does not do it.

Full wipe and then an OS install.

Now...there is a tiny subset of malware that can infect the BIOS and recreate itself. This is exceedingly rare.

Is it a must to delete all the partitions? I mean, that's my whole work and resources.

The system partition is not that important to me anyway; I can format it anytime during a Windows reinstall. But the other partitions, that's hard to wipe; there must be a solution, and I'm not sure if they have anything to do with this trojan.
 

USAFRet

Is it a must to delete all the partitions? I mean, that's my whole work and resources.

The system partition is not that important to me anyway; I can format it anytime during a Windows reinstall. But the other partitions, that's hard to wipe; there must be a solution, and I'm not sure if they have anything to do with this trojan.
For a persistent virus, YES!

If you simply do a 'refresh'...that virus is still in there.
You must start with a completely blank slate. Full wipe and reinstall.

Whatever "important" data is on that drive is irrelevant in the realm of a persistent virus. It WILL keep coming back.

This is a good time to consider your overall backup routine.
A persistent virus like this is not much different than an actual dead drive. What would you do if one of your drives (work and resources) died right now?
 

Teekiii

For a persistent virus, YES!

If you simply do a 'refresh'...that virus is still in there.
You must start with a completely blank slate. Full wipe and reinstall.

Whatever "important" data is on that drive is irrelevant in the realm of a persistent virus. It WILL keep coming back.

This is a good time to consider your overall backup routine.
A persistent virus like this is not much different than an actual dead drive. What would you do if one of your drives (work and resources) died right now?

Thank you for your reply. The virus is not that persistent; it will only come back after a restart (and it has kind of a late start, like it takes up to 1 minute to show up in its directory).


I did consider a backup routine since the first time I got infected a month ago, and I did back up a huge part of my work,

but I'm still convinced that formatting my whole HDD is not the right thing, or at least not convinced it's necessary in my case. I will keep searching deeper into the cause of this problem, which no one has explained to me so far, or even given me a future solution for. No one replied to me about using Sandboxie for the browser.

I'm very convinced that the kind of help I need isn't here, so I'll go on and continue searching elsewhere before I reinstall my Windows version, which is btw, popatim, completely fine; it's a clean version, as I do a scan every time I start up my Windows and find nothing until I hit a webpage with the damn trojan after a while.

So thank you all for your replies, and if I find a solution elsewhere I'll post it here.
 

Colif

Delayed start... have you looked in scheduled tasks?

Try a clean boot and see if it changes anything. Make sure to read the instructions and make sure NOT to disable any Microsoft services, or Windows won't load right: https://support.microsoft.com/en-au/help/929135/how-to-perform-a-clean-boot-in-windows

If a clean boot fixes it, it shows it's likely a startup program. You should, over a number of startups, re-enable the programs you stopped to isolate the one that is to blame.
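Two things asked in this thread can be narrowed down with a script before a clean boot: which autostart entry points at the quarantined folder, and how long after boot the folder reappears (the 40-60 second delay mentioned above). The following PowerShell is an added example, written for this thread and not posted by anyone in it: it enumerates Run/RunOnce keys, scheduled tasks, services and Startup folders for any entry referencing a search string, lists services registered since the last boot from the System event log (Service Control Manager event ID 7045), and reports the creation time of the flagged folders relative to boot. The only value taken from the page is the "EpicNet Inc" folder name from the Malwarebytes log; the `-Pattern` parameter and the output layout are assumptions made here.

```powershell
# Added example for this thread (not from any poster): hunt for the autostart
# entry that recreates a folder after reboot. Run from an elevated PowerShell
# prompt (administrator) so HKLM, all services and the System log are readable.
# "EpicNet" is the folder name reported in the Malwarebytes log above; the
# -Pattern parameter and the report layout are assumptions of this example.
param(
    [string]$Pattern = 'EpicNet'   # substring to look for in autostart targets
)

$hits = [System.Collections.Generic.List[object]]::new()

# 1. Run / RunOnce keys for the machine (64- and 32-bit views) and the current user
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell provider metadata
        if ("$($p.Value)" -match $Pattern) {
            $hits.Add([pscustomobject]@{ Source = "Registry $key"; Name = $p.Name; Target = $p.Value })
        }
    }
}

# 2. Scheduled tasks: any action whose program or arguments reference the pattern.
#    Task Scheduler is the usual place for a "runs ~1 minute after logon" trigger.
foreach ($task in Get-ScheduledTask) {
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match $Pattern) {
            $hits.Add([pscustomobject]@{ Source = "Task $($task.TaskPath)"; Name = $task.TaskName; Target = $cmd })
        }
    }
}

# 3. Services: match on the binary path, report the start mode (Auto/Manual/Disabled)
foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    if ("$($svc.PathName)" -match $Pattern) {
        $hits.Add([pscustomobject]@{ Source = "Service ($($svc.StartMode))"; Name = $svc.Name; Target = $svc.PathName })
    }
}

# 4. Startup folders (per-user and all-users), resolving .lnk shortcuts to their targets
$shell = New-Object -ComObject WScript.Shell
foreach ($dir in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
        $target = $_.FullName
        if ($_.Extension -ieq '.lnk') { $target = $shell.CreateShortcut($_.FullName).TargetPath }
        if ("$target" -match $Pattern) {
            $hits.Add([pscustomobject]@{ Source = "StartupFolder $dir"; Name = $_.Name; Target = $target })
        }
    }
}

"== Autostart entries matching '$Pattern' =="
if ($hits.Count -eq 0) { "(none found in the checked locations)" } else { $hits | Format-Table -AutoSize -Wrap }

# 5. Services registered since the last boot. A mechanism that re-installs a
#    service on every start shows up as Service Control Manager event 7045.
$lastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
"== Services registered since last boot ($lastBoot) =="
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045; StartTime = $lastBoot } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List

# 6. How long after boot did the flagged folders reappear? Paths from the Malwarebytes log.
"== Creation time of flagged folders relative to boot =="
foreach ($dir in @((Join-Path $env:APPDATA 'EpicNet Inc'), (Join-Path $env:LOCALAPPDATA 'EpicNet Inc'))) {
    if (Test-Path $dir) {
        $created = (Get-Item $dir).CreationTime
        '{0} created {1:N0} s after boot ({2})' -f $dir, ($created - $lastBoot).TotalSeconds, $created
    } else {
        "$dir not present"
    }
}
```

Save it as a `.ps1`, run it once right after a reboot, and compare the "seconds after boot" figure in step 6 with the triggers of any task or service it lists; a task with a logon trigger plus a delay, or a service re-registered at every boot, is what a one-minute-after-restart reappearance usually looks like. If nothing matches, the remaining locations a clean boot covers (msconfig services and startup items) are still the next thing to check, exactly as suggested above.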
 

USAFRet

Thank you for your reply. The virus is not that persistent; it will only come back after a restart (and it has kind of a late start, like it takes up to 1 minute to show up in its directory).


I did consider a backup routine since the first time I got infected a month ago, and I did back up a huge part of my work,

but I'm still convinced that formatting my whole HDD is not the right thing, or at least not convinced it's necessary in my case. I will keep searching deeper into the cause of this problem, which no one has explained to me so far, or even given me a future solution for. No one replied to me about using Sandboxie for the browser.

I'm very convinced that the kind of help I need isn't here, so I'll go on and continue searching elsewhere before I reinstall my Windows version, which is btw, popatim, completely fine; it's a clean version, as I do a scan every time I start up my Windows and find nothing until I hit a webpage with the damn trojan after a while.

So thank you all for your replies, and if I find a solution elsewhere I'll post it here.
Try here: