Tonylau321

Posts posted by Tonylau321

  1. On 2/26/2020 at 12:36 AM, itman said:

    My apologies. I thought Eset would work in Safe mode. It doesn't from the GUI interface.

    You have to run Eset from the command line interface in Safe mode. How to accomplish this is detailed here: https://support.eset.com/en/kb2272-run-a-scan-in-safe-mode-and-submit-a-scan-log-for-analysis . I recommend saving the .bat file on your desktop. 

    Prior to running the script, it will have to be edited to scan boot records. Left mouse click on the .bat file and select Edit. The script code is now displayed in Notepad. You will have to scan for the lines below that contain NOD32 and add the /boots parameter as shown below:

    ) ELSE IF EXIST "%ProgramFiles%\ESET\ESET NOD32 Antivirus\ecls.exe" (
    "%ProgramFiles%\ESET\ESET NOD32 Antivirus\ecls.exe" /auto /log-file=c:\ecls.txt /aind /boots

    Save the file via Notepad option. Boot into Win 10 Recovery Environment and access Safe mode from there.

    Now double click on the .bat file to run it. When the Eset scan is complete, reboot in normal Windows mode. You can view the Eset scan log file, ecls.txt, which will be located in the C:\ directory.

    Also note that you can boot into Win 10 Safe mode directly from regular Win 10 mode. Type Recovery into the desktop search window. Select "Recovery options." Under "Advanced startup," select "Restart now." Do not select the "Reset this PC" option. The PC will now boot into Win 10 Recovery Environment.

    -EDIT- I will also add that based on this thread where Eset's SysRescue method could not remove this Trojan from the MBR: https://forum.eset.com/topic/18160-having-problem-remove-trojan-win32pitouj/ , I would say that running Eset in Safe mode probably won't either. Appears fixing the MBR is the only way to get rid of it.


    This time I have gone to Safe mode to scan according to your steps. And the result is as follows:

    It is so weird that the scan did not pick up any virus/malware this time under Win10 Safe mode, even running the scan at administrator level.

    I am sure Pitou.J is still in the computer since it still pops up when I restart my computer each time.

    So I might as well just begin to kick off the MBR fix/repair.

    How do I proceed with that?

    Would repairing/fixing the MBR erase all my files on the hard drive?

    Do I simply follow the recommendation as follows?

    On 2/20/2020 at 2:28 PM, Marcos said:

    20. 2. 2020 1:33:23    Startup scanner    boot sector    MBR sector of the 0. physical disk    Win32/Pitou.J trojan    unable to clean                 

    Since the MBR is infected, you will need to boot to Windows Recovery Console and run fixmbr (e.g. refer to https://neosmart.net/wiki/fix-mbr/).

    Also you have the LiveGrid Feedback system disabled. I would recommend enabling it so that in case you encounter a new undetected malware or if there's a problem cleaning malware that is only partially detected (e.g. only on execution by Advanced memory scanner), the malware is submitted and a smart detection by all scanners is added.

    Moreover, I would recommend considering upgrading your license to ESET Internet Security or ESET Smart Security Premium (also contains Disk Encryption and Password manager). Only these two can also protect you from brute-force attacks (RDP, SMB, SQL,...) which is a common infection vector nowadays. A common scenario of attacks is as follows: Attackers brute-force the password, connect remotely, disable antivirus, run ransomware and then extort money from the victim. Network attack protection also protects the machine from exploitation of vulnerabilities in network protocols if the system is not patched.

    I much appreciate all your responses, thank you very much.

  2. 14 hours ago, itman said:

    You're still using the Eset Online Scanner. As posted previously, I don't know if that product is accurate when Eset is installed on a device.

    When you ran the Eset in-program scan in Safe mode at Admin level that removed OpenCandy, did it also detect Win32/Pitou.J?

    I tried to use your recommended "On demand scan" under Safe mode, but nothing happens when I click on ESET Security. It seems Safe mode suspended its operation.

    So the only scan I could do was the online scanner.

    How can I get the program scan to operate?

  3. On 2/21/2020 at 4:24 AM, itman said:

    @Tonylau321 to get rid of OpenCandy, try this first.

    In Windows:

    1. Open Control Panel. Click on the "Uninstall a program" link under the Programs section.

    2. Determine if OpenCandy is installed. If so, uninstall it. OpenCandy is known to exist in installers from a number of software downloads. Some are listed here: https://en.wikipedia.org/wiki/OpenCandy ; notably, uTorrent. If you downloaded and installed something recently from one of the third party download sites, that most likely was the source.

    Reboot into Win 10 Safe mode: https://support.microsoft.com/en-us/help/12376/windows-10-start-your-pc-in-safe-mode .

    3. Now run an Eset on-demand scan. Note: It appears the ver. of OpenCandy installed on your device is the rootkit one. Eset can only remove rootkits in Win Safe mode. If the Eset desktop toolbar icon is missing in Safe mode, you can access the Eset GUI via the Win 10 Start menu.

    This will be an Advanced scan running at admin level.

    • Select "Custom" as shown in this screen shot:


    • Checkmark "This PC", which causes all drives in the system to be scanned.
    • Click on "Scan as Administrator" as shown in the below screen shot.

    Note: Do not use the Eset online scanner. I really don't know if that product is accurate if Eset is already installed on a device.

    Thanks for your help, I did all the steps according to your recommendation, and OpenCandy has disappeared now.

    The only threat left is the Trojan Pitou.J in the MBR, as shown on the ESET Online Scanner this time. (See the attached screen shot)

    So what is the step next? Boot to recovery console and run fixmbr?

    Capture.PNG

  4. On 2/20/2020 at 2:28 PM, Marcos said:

    20. 2. 2020 1:33:23    Startup scanner    boot sector    MBR sector of the 0. physical disk    Win32/Pitou.J trojan    unable to clean                 

    Since the MBR is infected, you will need to boot to Windows Recovery Console and run fixmbr (e.g. refer to https://neosmart.net/wiki/fix-mbr/).

    Also you have the LiveGrid Feedback system disabled. I would recommend enabling it so that in case you encounter a new undetected malware or if there's a problem cleaning malware that is only partially detected (e.g. only on execution by Advanced memory scanner), the malware is submitted and a smart detection by all scanners is added.

    Moreover, I would recommend considering upgrading your license to ESET Internet Security or ESET Smart Security Premium (also contains Disk Encryption and Password manager). Only these two can also protect you from brute-force attacks (RDP, SMB, SQL,...) which is a common infection vector nowadays. A common scenario of attacks is as follows: Attackers brute-force the password, connect remotely, disable antivirus, run ransomware and then extort money from the victim. Network attack protection also protects the machine from exploitation of vulnerabilities in network protocols if the system is not patched.

    Thanks for your reply, I have created a Windows Recovery USB according to your recommendation.

    But I would like to know: if I boot from the Windows Recovery Console and run fixmbr, would that erase all my files?

    Or will it simply repair the MBR without deleting any of my files?
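    Added example (not from this thread, from ESET or from neosmart.net): a small Python script that parses a raw 512-byte MBR into its boot code, partition table and signature, and models what a fixmbr-style repair touches, to make concrete why rewriting the boot code leaves the partition table, and therefore the files, in place. The sample MBR bytes are constructed; the hash of the boot code is the kind of value you would compare before and after a repair.

    ```python
    import hashlib
    import struct

    MBR_SIZE = 512
    BOOT_CODE_LEN = 446       # bootstrap code area: the part a fixmbr-style repair rewrites
    PART_TABLE_OFF = 446      # four 16-byte partition entries follow the boot code
    SIGNATURE_OFF = 510       # 0x55AA boot signature closes the sector


    def parse_mbr(mbr: bytes) -> dict:
        """Split a raw MBR into a boot-code hash, the non-empty partition entries and the signature check."""
        if len(mbr) != MBR_SIZE:
            raise ValueError("MBR must be exactly 512 bytes")
        parts = []
        for i in range(4):
            off = PART_TABLE_OFF + 16 * i
            # entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
            status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
            if ptype != 0:  # type 0 means an unused slot
                parts.append({"bootable": status == 0x80, "type": ptype,
                              "lba_start": lba_start, "sectors": sectors})
        return {
            "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": parts,
            "signature_ok": mbr[SIGNATURE_OFF:] == b"\x55\xaa",
        }


    def rewrite_boot_code(mbr: bytes, clean_code: bytes) -> bytes:
        """Model of a fixmbr-style repair: replace only the 446-byte boot code, keep bytes 446..511."""
        if len(clean_code) > BOOT_CODE_LEN:
            raise ValueError("boot code must fit in 446 bytes")
        return clean_code.ljust(BOOT_CODE_LEN, b"\x00") + mbr[PART_TABLE_OFF:]


    def build_sample_mbr() -> bytes:
        """Constructed sample: placeholder 'infected' boot code plus one bootable NTFS (0x07) partition."""
        boot_code = b"CONSTRUCTED-INFECTED-BOOT-CODE".ljust(BOOT_CODE_LEN, b"\x90")
        entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
        return boot_code + entry + b"\x00" * 48 + b"\x55\xaa"


    if __name__ == "__main__":
        sample = build_sample_mbr()
        before = parse_mbr(sample)
        after = parse_mbr(rewrite_boot_code(sample, b"CONSTRUCTED-CLEAN-BOOT-CODE"))
        print("boot code changed:", before["boot_code_sha256"] != after["boot_code_sha256"])
        print("partition table unchanged:", before["partitions"] == after["partitions"])
    ```

    On a live system the 512 bytes would be read (with administrator rights) from the first sector of physical disk 0, or from a saved image of it; the script itself only touches the bytes you hand it.
    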

  5. 11 hours ago, itman said:

    Eset scans for MBR malware at boot time via its startup scan. If it finds any, it will show an alert as such: https://forum.eset.com/topic/15329-urgent_eset-can-not-clean-win32agenttxv-trojan/ .

    This can also be confirmed by just running an Eset on-demand virus scan since the MBR is also scanned there.

    I would boot into Win Safe mode and run an Eset on-demand scan from there. Hopefully, Eset can clean it from Safe mode.

    Thanks for your advice, the Eset on-demand scan in Safe mode has found that the problem is with the MBR, yet it couldn't remove/resolve the file/virus.

    Do you know what my next action is?

  6. 19 hours ago, Marcos said:

    Please collect logs with ESET Log Collector and upload the generated archive here (attachments can be accessed only by ESET staff).

    We've removed the link you posted since it contained a banner pointing to a potentially unwanted application that we detect and don't recommend using.

    I have extracted the log and attached for your review.

    I also did an Eset on-demand scan in Safe mode as recommended by itman; the result is displayed as follows:

    It seems confirmed that the virus is located in the MBR, as others suspected.

    So what should I do next?

    eav_logs.zip

  7. Hello All,


    My computer has been showing that this Win32/Pitou.J (as far as I know it is a Trojan) is detected every time after I restart my computer.

    The antivirus itself couldn't identify the file location, nor remove/delete the file.

    I tried to manually look for the infected file according to the following website and I couldn't find it.

    What are my alternative solutions?
