Script SNH: gen [Trj] infection

[poweron2]

Hi,
I have been infected with the Script SNH: gen Trojan, I have followed the log requirement details and run the suggested scans and collected the logs required for analysis and would appreciate help with knowing if the issue is fixed or with help purging my system.

[Pondus]

I assume you let Malwarebytes remove what it found?

I have been infected with the Script SNH: gen Trojan

Any details, screenshot


@Sass Drake is notified

[poweron2]

Yes ut not sure if it found that trojan as I did not see it on the log.
i also ran malware bytes in safe mode which identified and removed trojans that were disabling avast security certs. I uninstalled then reinstalled avast and tried to run in safe mode which returns message UI failed to load. I have reviewed this and note avast can run in safe mode but fr whatever reason requires specialist technical help.   

[Pondus]

Malwarebytes is not designed to run in safe mode. Yes it will run but all drivers are not loaded so it will run crippled. and Avast has boot scan

Boot scan/safe mode does not have any detection advantages, what it has is removal advantage, files that cant be removed/cleaned because they are in use dont run when in safemode, but not needed to do unless you have problems running it in normal mode or instructed to do so.
Most of todays security programs will give a message after scan "this and that file will be removed when you restart"

[poweron2]

The issue was more to do with checking to see if the trojan had been cleared as it was affecting avast.
That I could not open avast in safe mode with the UI failed to load message was my cue to try MBAM in safe mode which identified that avast was being blocked from loading in safe but not in normal mode.
This demonstrated that the trojan has infected avast if it can control avast operation and what it can detect.
I have also uninstalled and reinstalled a few times in safe mode but the issue with opening avast remains, I suspect when I can open avast in safe mode my issues will be sorted.
I am currently running the frst again this time set to repair the WMI function all in safe mode.

[Pondus]

I am currently running the frst again this time set to repair the WMI function all in safe mode.

You should not do anything with FRST except get those logs and then wait for @Sass Drake to give new instructions


you can try avast repair  https://support.avast.com/en-ww/article/Repair-Antivirus

[poweron2]

Tried the repair a few times, in and out of safe mode, no change, which is why I repeated the uninstall.

frst has been running for a few hours now, and I expect it will be a few more.

[Sass Drake]

Please make new FRST.txt and Addition.txt logs. Current FRS:txt is not complete.

[poweron2]

Hi Sass,
Thanks for the help and quick response, I have posted the text files with the results of an attempted repair.
Cheers
John

[Pondus]

Yes ut not sure if it found that trojan as I did not see it on the log.

Malwarebytes does not use the same name as avast on malware found, it also does not target script, doc, media files or real virus (self replicating file infectors)
And anything detected and removed by avast is already gone and can not be detected by Malwarebytes

Script SNH:gen [Trj] = a script

[Sass Drake]

• Open Notepad (click Start button -> type notepad.exe -> press Enter)
• Copy text from code block below and paste it into Notepad

Code: [Select]

HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% <==== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% <==== ATTENTION
HKU\S-1-5-21-3086109528-2076554822-4277422645-500\...\Run: [MBST] => C:\Users\Administrator\AppData\Local\Temp\mwb2F88.tmp\mbst.bat [126 2020-05-06] () [File not signed] <==== ATTENTION
GroupPolicy: Restriction ? <==== ATTENTION
GroupPolicy\User: Restriction ? <==== ATTENTION
FF HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION


• Go to File -> Save As
• Make sure that  UTF-8 is selected as Encoding (left side of Save button)
• Save it as fixlist.txt on Desktop
• Open again FRST and click on button Fix
• Wait until FRST finishes
• fixlog.txt should be genereted and opened. Attach it your post and wait further instructions.

[poweron2]

Hi Sass,
Done that, any logs required ?

[Sass Drake]

fixlog.txt

[poweron2]

Not generated, have now configuration settings ct.ini installed in FRST log file but no fixlog.text

[Sass Drake]

It should be in same folder as FRST.