Malwarebytes 3.2.2 Detects Trojan.agent.gen When Scanning Memory

Hello and THANK YOU for taking your time to help me, someone you've never met. I'm a bit new to this but wanted to get help from a specialist, hopefully I've done everything correctly...

Malwarebytes 3.2.2 detects Trojan.Agent.Gen in location C:\PROGRAMDATA\Update.exe

When I quarantine or clean this file it almost never gets rid of it, or if the scan no longer finds malware, It does the next time I scan, after I've restarted my computer. I'm going to wait until after this has all been resolved before deleting my restore points (as I've been instructed in the guide).

Best of luck, thanks.

 

New MBAM and OTM logs below.

 

Oh wow really? That's.. really great. But I figure I'll give you a few more details just to confirm?

First, I *can* see the file itself, which I provided with a paint screen shot. (file at the bottom of the list of files there.) (Sorry for terrible paint skills)

Additionally, when I right click ANY of the files or folders in PROGRAMDATA, within 1/4-1/2 of a second the menu pops up, displaying options like "Open, play, share, cut, copy, delete, rename" etc.., but when I right click "Update.exe" specifically, the progress circle spins for a good 4-5 seconds before showing options. Is this indicative of anything suspicious like the trojan "hiding something", or maybe it's just a broken file? Now I'm just curious why this file loads when I right click it..

Thank you!

 

I didn't realize how small the image showed up, sorry. Resized.

Open, Run as admin, troubleshoot capability, (avast)scan update.exe, (winrar)..add to archive, add to 'update.rar', add to email, pin to startmenu, scan with malwarebytes, restore preivous versions, sent to.., cut, copy, name shortcut, rename, delete, properties

scanning with malwarebytes.. scan time: 6s, items scanned: 31, threats detected/quarantined: 0

Export txt summary added

Hopefully slightly more usable image added (although still blurry, the bottom file is the file in question)

 

So I click "Upload and scan a file" and navigate the Update.exe

When I click the file it gives me the message

"Update.exe
File Not Found
Check the file name and try again"

 

Unfortunately I will be a few hours before being able to reply to your next response.

When trying to delete the file, I cannot.

"could not find this item. This is no longer located in C\Programdata. Veryify the item's location and try again."

Rebooted and mbam picks it up

 

Thanks. First, should I still have User account control settings set to never notify? I turned it back to default later last night, but let me know if that should go back to being off.

I have "Attempt FileASSASSIN's method of file processing" checked. Under that I have all four boxes check. (Unlock locked file handles. Unload modules. Terminate the file's process. Delete file.)

I try both methods of selecting the Update.exe file. When I drag the file, it becomes a black circle with a black line through it when I put it over the text area, so I can't select the file with this method. So, I search the file by using the "..." button. I find 'update.exe' and when i press open it gives me the following error message...

"Choose file to delete"
Update.exe
File not found.
Check the file name and try again.

 

Hey just to confirm that this is right.. I'm only getting an option to 'quarantine' the threats which mbam has identified, it doesn't specifically say "delete".

Ran Rkill, and then MBAM, quarantined the threats, rebooted, scanned again. Got the threats both times in MBAM. here is the MBAM before and after txt files, if relevant.

 

Just to be clear it is called KVRT, as in kaspersky virus removal tool, so it's no longer randomly named?

"

• On the first tab select all elements down to Computer and then select start scan.

"


The tab I see shows "system memory, startup objects, boot sectors, and system drive" I will also provide a screenshot. (One I hope will be somewhat usable to see what i'm seeing.)

I'm going to assume that I should select all four options and run that.

Once I select report I see an icon with date, oct 23 2017 showing the start and end times of the scan.

"16:42:03.034" Scan Started
"15:55:26.061" Scan Finished

I do not see any option here to save or export a save file which I could pass on to you.

I do not see any "manual disinfection tab" so I can't follow any further steps. Did I download the wrong tool?

 

When I click "scan" under the action column, nothing happens. The second screenshot I provided shows the furthest I can go down the chain, I've clicked the 16:42:03.034, the scan word, the word 'started' etc.

I'm scanning again to see if I have better luck the second time around..

 

Nope, second report yields the same issue

 

Yea, that's the one I've got.

This is how I get there.

main page --> report --> arrow 23 oct 2017 --> arrow next to scan.

As far as I see, nothing which remains is expandable...

 

When the scan finishes , it does not find any threats, or the file in question

 

I was, sorry. Hopefully this is a good improvement.

I've had 2 monitors going, and I've had to crop out half the image (the other monitor) every time, so now I've disabled the other monitor and I hope this is much better

Also, I've included 2 images which are my task scheduler, in case that helps in any way (the first image I have a task highlighted, due to it's name similarity of what mbam thinks is a trojan), could be a coincidence, but still.. it caught my attention.

 

Here are direct links to the imgur (because those images still seem low quality in my previous post)

task manager: https://imgur.com/DOK0xkS

scheduler 1: https://imgur.com/rXNtfTo

scheduler 2: https://imgur.com/HjUmrHV

 

Is there a hypothetical explanation as to why update.exe loads for 4 seconds before displaying the menu when I right click it?

 

Your attention to detail and persistence is awesome. Thank you so much, mostly for your patience.