• Problem with Trojan – JS/Obfuse.RVCC!MTB

    #2697237

    Found this on my Windows 10 desktop, currently offline, running Defender full scan. It doesn’t show up on quick scan. I hit the take action button and it says “Defender couldn’t completely resolve potential threats”. Ran the Defender offline scan. It gets to 93% and just reboots without taking any action. Malwarebytes doesn’t find the problem. An article from Microsoft earlier this year says Defender should remove this. Perhaps it has evolved to block removal. Any suggestions?

    • #2697239

      Scan couldn’t complete.   Could be this.

      If scans are taking too long or appear to be progressing very slowly, consider the following solutions:

      Make sure you have enough available disk space

      Microsoft Defender Antivirus requires disk space to remove and quarantine malware files. It might be prevented from completely removing a threat if there isn’t enough available space on your PC, particularly on your system drive (usually drive C). See the following to help free up space:

      After you’ve freed up some space, update and then run a scan again.

      Full scans can take a long time if you have a large disk with lots of files. Large files, especially archives such as ZIP files, take longer to scan.

      Run scans while your PC is idle by closing all other programs

      Scanning takes system resources like processor and memory. If you have other programs running they may be creating a bit of a traffic jam that can slow down the malware scan, even if you’re not actively using them. Try closing any unnecessary apps while you run the scan.

    • #2697240

      The fastest way is to restore from full image backup version before the trojan infection.

      Update your Defender app and definitions and run full re-scan.

      Check new add-on/extensions in your browsers.

    • #2697241

      You mentioned you have two antivirus programs. Maybe you’ve got to disable one of them. Though it might not have anything to do with it.

    • #2697247

      I’ve got about 30% free space on the C: drive.  I killed the Malwarebytes background process and got today’s latest definitions for Defender.  I wouldn’t expect much change in the definitions in one day unless other people have also reported it.  I’m running it again now.

    • #2697246

      You have doubtless done a Google search which brings up all manner of convoluted ‘solutions’ – particularly on the Malwarebytes and Malwaretips websites. The Malwaretips ‘solution’ in particular strikes me as being just a string of sponsored links.

      I would start by checking the list of installed Apps (Start > Settings > Apps) and uninstalling any recently-installed and suspiciously-named App that you don’t recognise.

      Second, download and run the easy-to-use Microsoft Safety Scanner:

      https://learn.microsoft.com/en-gb/defender-endpoint/safety-scanner-download?view=o365-worldwide

      2 users thanked author for this post.
    • #2697295

      I don’t use Malwarebytes anti-virus, but I do use their AdwCleaner.

    • #2697557

      Well, I ran the Safety Scanner.  After about 4 hours and 6.5 million files scanned, it said I had 55 infected files.  But when it completed and was supposed to show me a list of the problem files, it said “no viruses, spyware, and other potentially unwanted software were detected”.  I don’t think I’ve ever run into a problem like this.

      • #2697558

        If you haven’t seen it already, the log for the Safety Scanner should be located at C:\Windows\debug\ and the file should be called “msert.log” and is viewable with Notepad or your choice of text file viewer.

        I recall the same sort of thing happening to me quite some time ago…it said I had infections during the scan, but at the end it said my machine was clean. That was back in 2021, though.

        By the way, the log for the Defender Offline scanner is located at

        C:\Windows\Microsoft Antimalware\Support\msssWrapper.log

        That might shed some light on why the offline scanner couldn’t complete its scan, as you mentioned in your original post. The log file can be opened with any text file viewer.

        One more question: Exactly which file was infected with this alleged piece of crapware, or, Where did it say the infected file was located?

        2 users thanked author for this post.
      • #2697632

        When the Safety Scanner runs, it marks files it thinks may be infected, then those files are compared to the malware database. If they are found not to contain malware, then the scanner will indicate no problems were found. Only if it finds malware in those files will it report it, and any removal, at the end of the process.

        1 user thanked author for this post.
    • #2697592

      Defender told me what the name of the trojan was but not the name of the infected file.

      I’ll check those logs.  Thanks.

    • #2697611

      Do you remember how and when this infection started? Opening a particular email? Visiting a particular website?

      If so, ensure the email has been permanently deleted, putting it in your Junk box first, so that the sender’s address is blocked. Fully empty your web browser’s cache. Check if any suspicious websites have been added to your browser’s Bookmarks/Favourites and, if so, delete them.

      Restart your device and perform another scan with a fresh copy of MS Safety Scanner.

      If this scenario doesn’t apply, then I would agree with Alex that restoring from an image backup is the next step – or even reinstalling Windows. Trojans are fiendishly hard to fully remove but cannot be ignored.

    • #2697831

      Well, I looked at the logs for the MS Safety Scanner and the Defender offline scan.  Both negative.  Then I downloaded the latest version of the Windows Malicious Software Removal Tool so that I could run a full scan.  Also negative.  Defender full scan still shows that Trojan.  I’m thinking that it was found and addressed but some traces are still found on the system that trigger the positive from Defender.  I’ll probably restore my last backup to a different disk and see what it shows.  It’s a couple of weeks old.

      1 user thanked author for this post.
      • #2697839

        Open up Defender to the “Virus & threat protection” area and look below the “Quick Scan” button. There should be a clickable link in blue color that says “Protection history”. Click that and see if a file name or location is mentioned along with the infection’s name. If it just shows the name of the infection, oh well, at least you tried to find the location of the infection.

        The very few times I’ve had “positives” have been for actions that a program was taking on my machine that Defender didn’t like (including a “positive” for chkdsk doing what I’d called on it to do). Each time, it mentioned the name of the “infection” or action, and the location it was in. This is why I was hoping it might do the same for you.

        By the way, the MSRT, or Malicious Software Removal Tool, only scans for a certain set of malware, not the whole gamut that Defender and the Safety Scanner look for.

        1 user thanked author for this post.
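
Added example, not part of any post in this thread: a PowerShell way to ask Defender which file or resource a named detection refers to, covering the same ground as the Protection history page and the two log files mentioned above. It assumes an elevated PowerShell prompt on Windows 10 with the built-in Defender cmdlets; the `$pattern` variable is a name chosen for this example.

```powershell
# Added example: find where Defender recorded a named detection.
# Run from an elevated PowerShell prompt.
$pattern = 'Obfuse'   # fragment of the detection name from this thread

# 1. Build a ThreatID -> ThreatName lookup, then list each matching
#    detection with its resources (file paths, registry keys, etc.).
$names = @{}
Get-MpThreat | ForEach-Object { $names["$($_.ThreatID)"] = $_.ThreatName }

Get-MpThreatDetection |
    Where-Object { $names["$($_.ThreatID)"] -like "*$pattern*" } |
    Sort-Object InitialDetectionTime |
    ForEach-Object {
        [pscustomobject]@{
            Threat    = $names["$($_.ThreatID)"]
            FirstSeen = $_.InitialDetectionTime
            Process   = $_.ProcessName
            ActionOK  = $_.ActionSuccess
            Resources = $_.Resources -join "`n"
        }
    } | Format-List

# 2. Defender operational event log: 1116 = threat detected,
#    1117 = action taken. The message text includes the path.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1116, 1117
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$pattern*" } |
    Select-Object TimeCreated, Id, Message |
    Format-List

# 3. Scanner logs at the paths given in the thread: print any line
#    mentioning the detection name, with a little surrounding context.
$logs = 'C:\Windows\debug\msert.log',
        'C:\Windows\Microsoft Antimalware\Support\msssWrapper.log'
foreach ($log in $logs) {
    if (Test-Path -LiteralPath $log) {
        Select-String -LiteralPath $log -Pattern $pattern -Context 2,4
    } else {
        Write-Host "Not found: $log"
    }
}
```

If the resource turns out to be a browser cache file or an archive, that explains why a quick scan and other scanners pass over it while a full scan keeps flagging it.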
    • #2697860

      The protection history shows no recent actions.  Thanks for the help.
