I can't remove nor locate the WIN32/Pitou.J file

[Tonylau321 0]

Hello All,

 

My computer has been showing this Win32/Pitou.J (As far as I know it is a Trojan) is detected every time after I restarted my computer.

The antivirus itself couldn't identify the file location, nor remove/delete the file.

I tried to manually look for the infected file according to the following website and I couldn't find it.

 

What are my alternative solution?

 

Edited February 19, 2020 by Marcos
Link removed

[Marcos 5,074]

Please collect logs with ESET Log Collector and upload the generated archive here (attachments can be access only by ESET staff).

We've removed the link you posted since it contained a banner pointing to a potentially unwanted application that we detect and don't recommend to use.

[Nightowl 202]

It's something in the MBR I believe , you would need to scan from safemode.

It's like this : https://forum.eset.com/topic/18160-having-problem-remove-trojan-win32pitouj/

Edited February 19, 2020 by Rami

[itman 1,659]

I am not 100% convinced this is MBR based. Provide the logs @Marcos requested.

Also next time the Eset alert appears, click on "file" link in the alert and post a screen shot. Or at least, post in what directory the file shown is located.

Edited February 19, 2020 by itman

[Nightowl 202]

33 minutes ago, itman said:

I am not 100% convinced this is MBR based. Provide the logs @Marcos requested.

Also next time the Eset alert appears, click on "file" link in the alert and post a screen shot. Or at least, post in what directory the file shown is located.

It's sure somewhere ESET cannot remove like a system file or lacks privileges like a network share.

[itman 1,659]

Eset scans for MBR malware at boot time via it's startup scan. If it finds any, it will show an alert as such: https://forum.eset.com/topic/15329-urgent_eset-can-not-clean-win32agenttxv-trojan/ .

This can also be confirmed by just running an Eset on-demand virus scan since the MBR is also scanned there.

I would boot into Win Safe mode and run an Eset on-demand scan from there. Hopefully, Eset can clean it from Safe mode.

Edited February 19, 2020 by itman

[Tonylau321 0]

19 hours ago, Marcos said:

Please collect logs with ESET Log Collector and upload the generated archive here (attachments can be access only by ESET staff).

We've removed the link you posted since it contained a banner pointing to a potentially unwanted application that we detect and don't recommend to use.

I have extracted the log and attached for your review.

I did also an Eset on-demand scan in safe mode as recommented by itman, the result is displayed as following:

Seems it is confirmed the location of the virus is with the MBR as others suspected.

So what is my action to do next?

eav_logs.zip

[Tonylau321 0]

11 hours ago, itman said:

Eset scans for MBR malware at boot time via it's startup scan. If it finds any, it will show an alert as such: https://forum.eset.com/topic/15329-urgent_eset-can-not-clean-win32agenttxv-trojan/ .

This can also be confirmed by just running an Eset on-demand virus scan since the MBR is also scanned there.

I would boot into Win Safe mode and run an Eset on-demand scan from there. Hopefully, Eset can clean it from Safe mode.

Thanks for your advice, the Eset on demand scan in safe mode has found the problem is with MBR, yet it couldn't be remove/resolve the file/virus

 

Do you know what is my action next?

 

[Marcos 5,074]

20. 2. 2020 1:33:23    Startup scanner    boot sector    MBR sector of the 0. physical disk    Win32/Pitou.J trojan    unable to clean                 

Since the MBR is infected, you will need to boot to Windows Recovery Console and run fixmbr (e.g. refer to https://neosmart.net/wiki/fix-mbr/).

Also you have the LiveGrid Feedback system disabled. I would recommend enabling it so that in case you encounter a new undetected malware or if there's a problem cleaning malware that is only partially detected (e.g. only on execution by Advanced memory scanner), the malware is submitted and a smart detection by all scanners is added.

Moreover, I would recommend considering upgrading your license to ESET Internet Security or ESET Smart Security Premium (also contains Disk Encryption and Password manager). Only these two can protect you also from bruteforce attacks (RDP, SMB, SQL,...) which is a common infection vector nowadays. A common scenario of attacks is as follows: Attackers bruteforce the password, connect remotely, disable antivirus, run ransomware and then extort money from the victim. Network attack protection also protects the machine from exploiting vulnerabilities in network protocols if the system is not patched.

[itman 1,659]

10 hours ago, Tonylau321 said:

Thanks for your advice, the Eset on demand scan in safe mode has found the problem is with MBR, yet it couldn't be remove/resolve the file/virus

Also what Windows OS version are you running? MBR based malware is quite rare on Win 10 for example.

[itman 1,659]

Also there is a discrepancy here.

Eset online scanner found Win32/OpenCandy.J in the MBR. However, installed Eset was alerting on Win32/Pitou.J.

Add to this OpenCandy is adware: https://malwaretips.com/blogs/remove-win32-opencandy/ . Per this Sophos detailed analysis of it; https://www.sophos.com/en-us/threat-center/threat-analyses/adware-and-puas/OpenCandy/detailed-analysis.aspx, I would say it might be creating a virtual CDrom drive and running from that at boot time. If this is the case, what Eset online scanner is detecting is OpenCandy on the virtual CDrom; not in the MBR for the boot drive.

To verify this assumption, open Win Explorer and determine if a CD/DVD drive is shown that is not physically installed on your PC. Note that this virtual drive may be hidden. Therefore once Win Explorer is opened, change its Options settings to show hidden files, folders, and drives per the below screen shot:

Edited February 20, 2020 by itman

[itman 1,659]

FYI - Here's how to create a virtual CD/DVD drive and have it persist on every system restart.

In Win 10, burn a .iso file to a CD/DVD disk. Win 10 will create a virtual drive to do this. At the end of the burn cycle, Win 10 will eject the disk. You believe the virtual drive is dismounted. Wrong! The virtual drive is loaded at each system boot. Worse, all the files it previously created are present on that virtual drive. The only way to get rid of the virtual drive is using device manager to uninstall the device.

OpenCandy as I understand it does the above but instead of creating the files on CD/DVD media, only creates the files on the virtual drive. One reason why OpenCandy is considered by most AV solutions as malware.

[itman 1,659]

@Tonylau321 to get rid of OpenCandy, try this first.

In Windows;

1. Open Control Panel. Click on the "Uninstall a program" link under the Programs section.

2. Determine if OpenCandy is installed. If so, uninstall it. OpenCandy is known to exist in installers from a number of software downloads. Some are listed here: https://en.wikipedia.org/wiki/OpenCandy ; notably, uTorrent. If you downloaded and installed something recently from one of the third party download sites, that most likely was the source.

Reboot into Win 10 Safe mode: https://support.microsoft.com/en-us/help/12376/windows-10-start-your-pc-in-safe-mode .

3. Now run an Eset on-demand scan Note: It appears the ver. of OpenCandy installed on your device is the rootkit one. Eset can only remove rootkits in Win Safe mode. If the Eset desktop toolbar icon is missing in Safe mode, you can access the Eset GUI via the Win 10 Start menu.

This will be an Advanced scan running at admin level.

• Select "Custom" as shown in this screen shot:

• Checkmark "This PC" which cause all drives in the system to be scanned.
• Click on "Scan as Administrator" as shown in the below screen shot

Note: Do not use the Eset online scanner. I really don't know if that product is accurate if Eset is already installed on a device.

Edited February 21, 2020 by itman

[Tonylau321 0]

On 2/20/2020 at 2:28 PM, Marcos said:

20. 2. 2020 1:33:23    Startup scanner    boot sector    MBR sector of the 0. physical disk    Win32/Pitou.J trojan    unable to clean                 

Since the MBR is infected, you will need to boot to Windows Recovery Console and run fixmbr (e.g. refer to https://neosmart.net/wiki/fix-mbr/).

Also you have the LiveGrid Feedback system disabled. I would recommend enabling it so that in case you encounter a new undetected malware or if there's a problem cleaning malware that is only partially detected (e.g. only on execution by Advanced memory scanner), the malware is submitted and a smart detection by all scanners is added.

Moreover, I would recommend considering upgrading your license to ESET Internet Security or ESET Smart Security Premium (also contains Disk Encryption and Password manager). Only these two can protect you also from bruteforce attacks (RDP, SMB, SQL,...) which is a common infection vector nowadays. A common scenario of attacks is as follows: Attackers bruteforce the password, connect remotely, disable antivirus, run ransomware and then extort money from the victim. Network attack protection also protects the machine from exploiting vulnerabilities in network protocols if the system is not patched.

Thanks for your reply, I have created a Window Recovery USB according to your recommendation.

But I would like to know if I boot from the Window Recovery Console, and run fixmbr, would that erase all my files?

Or it will simply only repair the MBR without deleting any of my files?

 

[Tonylau321 0]

On 2/21/2020 at 4:24 AM, itman said:

@Tonylau321 to get rid of OpenCandy, try this first.

In Windows;

1. Open Control Panel. Click on the "Uninstall a program" link under the Programs section.

2. Determine if OpenCandy is installed. If so, uninstall it. OpenCandy is known to exist in installers from a number of software downloads. Some are listed here: https://en.wikipedia.org/wiki/OpenCandy ; notably, uTorrent. If you downloaded and installed something recently from one of the third party download sites, that most likely was the source.

Reboot into Win 10 Safe mode: https://support.microsoft.com/en-us/help/12376/windows-10-start-your-pc-in-safe-mode .

3. Now run an Eset on-demand scan Note: It appears the ver. of OpenCandy installed on your device is the rootkit one. Eset can only remove rootkits in Win Safe mode. If the Eset desktop toolbar icon is missing in Safe mode, you can access the Eset GUI via the Win 10 Start menu.

This will be an Advanced scan running at admin level.

• Select "Custom" as shown in this screen shot:

• Checkmark "This PC" which cause all drives in the system to be scanned.
• Click on "Scan as Administrator" as shown in the below screen shot

Note: Do not use the Eset online scanner. I really don't know if that product is accurate if Eset is already installed on a device.

Thanks for your help, I did all the steps according to your recommendation, and the OpenCandy is disappear now.

The only threat left is the Trajon Pitou J at MBR as shown on the ESET Online Scanner this time. (See the attached screen shot)

So what is the step next? Boot to recovery console and run fixmbr?

[itman 1,659]

You're still using the Eset Online Scanner. As posted previously, I don't know if that product is accurate when Eset is installed on a device.

When you ran the Eset in program scan in Safe mode at Admin level that removed OpenCandy, did it also detect Win32/Pitou.J ?

[Tonylau321 0]

14 hours ago, itman said:

You're still using the Eset Online Scanner. As posted previously, I don't know if that product is accurate when Eset is installed on a device.

When you ran the Eset in program scan in Safe mode at Admin level that removed OpenCandy, did it also detect Win32/Pitou.J ?

I tried to use your recommended "On demand scan" under safe mode, but nothing happen when I click on the ESET Security. Seem the safe mode suspended it's operation.

So the only scan I could do was the online scanner.

How can I get the program scan operate?  

[itman 1,659]

3 hours ago, Tonylau321 said:

I tried to use your recommended "On demand scan" under safe mode, but nothing happen when I click on the ESET Security. Seem the safe mode suspended it's operation.

So the only scan I could do was the online scanner.

How can I get the program scan operate?  

My apologies. I thought Eset would work in Safe mode. It doesn't from the GUI interface.

You have to run Eset from the command line interface in Safe mode. How to accomplish this is detailed here: https://support.eset.com/en/kb2272-run-a-scan-in-safe-mode-and-submit-a-scan-log-for-analysis . I recommend saving the .bat file on your desktop. 

Prior to running the script, it will have to be edited to scan boot records. Left mouse click on the .bat file and select Edit. The script code is now displayed in Notepad. You will have to scan for the below lines contain NOD32 and add the /boots parameter as shown below:

) ELSE IF EXIST "%ProgramFiles%\ESET\ESET NOD32 Antivirus\ecls.exe" (
"%ProgramFiles%\ESET\ESET NOD32 Antivirus\ecls.exe" /auto /log-file=c:\ecls.txt /aind /boots

Save the file via Notepad option. Boot into Win 10 Recovery Environment and access Safe mode from there.

Now double click on the .bat file to run it. When the Eset scan is complete, reboot in normal Windows mode. You can view the Eset scan log file, ecls.txt, which will be located in the C:\ directory.

Also note that you can boot into Win 10 Safe mode directly from regular Win 10 mode. Type Recovery into the desktop search window. Select "Recovery options." Under "Advanced startup," select "Restart now." Do not select the "Reset this PC" option. The PC will now boot into Win 10 Recovery Environment.

-EDIT- I will also add that based on this thread where Eset's SysRescue method could not remove this Trojan from the MBR: https://forum.eset.com/topic/18160-having-problem-remove-trojan-win32pitouj/ , I would say that running Eset in Safe mode probably won't do so also. Appears fixing the MBR is the only way to get rid of it.

 

Edited February 25, 2020 by itman

[itman 1,659]

It also appears this Trojan is being deployed by exploiting existing system vulnerabilities: https://isc.sans.edu/diary/Rig+Exploit+Kit+sends+Pitou.B+Trojan/25068 . So you need to ensure that your system is fully patched by applying all available Windows Updates for it. If you are running Win 7, unfortunately this option is no longer available since it is no longer a supported product. Ditto for all application software; especially browsers and e-mail clients. Those also need all available updates applied to them.

Edited February 25, 2020 by itman

[Tonylau321 0]

On 2/26/2020 at 12:36 AM, itman said:

My apologies. I thought Eset would work in Safe mode. It doesn't from the GUI interface.

You have to run Eset from the command line interface in Safe mode. How to accomplish this is detailed here: https://support.eset.com/en/kb2272-run-a-scan-in-safe-mode-and-submit-a-scan-log-for-analysis . I recommend saving the .bat file on your desktop. 

Prior to running the script, it will have to be edited to scan boot records. Left mouse click on the .bat file and select Edit. The script code is now displayed in Notepad. You will have to scan for the below lines contain NOD32 and add the /boots parameter as shown below:

) ELSE IF EXIST "%ProgramFiles%\ESET\ESET NOD32 Antivirus\ecls.exe" (
"%ProgramFiles%\ESET\ESET NOD32 Antivirus\ecls.exe" /auto /log-file=c:\ecls.txt /aind /boots

Save the file via Notepad option. Boot into Win 10 Recovery Environment and access Safe mode from there.

Now double click on the .bat file to run it. When the Eset scan is complete, reboot in normal Windows mode. You can view the Eset scan log file, ecls.txt, which will be located in the C:\ directory.

Also note that you can boot into Win 10 Safe mode directly from regular Win 10 mode. Type Recovery into the desktop search window. Select "Recovery options." Under "Advanced startup," select "Restart now." Do not select the "Reset this PC" option. The PC will now boot into Win 10 Recovery Environment.

-EDIT- I will also add that based on this thread where Eset's SysRescue method could not remove this Trojan from the MBR: https://forum.eset.com/topic/18160-having-problem-remove-trojan-win32pitouj/ , I would say that running Eset in Safe mode probably won't do so also. Appears fixing the MBR is the only way to get rid of it.

 

This time I have gone to the safe mode to scan according to your steps. And the result is as following：

It is so weird that the scan did not pick up any virus/malware this time under the Win10 safe mode and running the scan under administrator level.

I am sure the Pitou.J is still in the computer since it still pop up when i restart my computer each time.

So I might as well just begin to kick off the MBR fix/repair.

How do I proceed that?

Would repair/refix the MBR erase all my files in hard drive?

Do I simply follow the recommendation as following?   

On 2/20/2020 at 2:28 PM, Marcos said:

20. 2. 2020 1:33:23    Startup scanner    boot sector    MBR sector of the 0. physical disk    Win32/Pitou.J trojan    unable to clean                 

Since the MBR is infected, you will need to boot to Windows Recovery Console and run fixmbr (e.g. refer to https://neosmart.net/wiki/fix-mbr/).

Also you have the LiveGrid Feedback system disabled. I would recommend enabling it so that in case you encounter a new undetected malware or if there's a problem cleaning malware that is only partially detected (e.g. only on execution by Advanced memory scanner), the malware is submitted and a smart detection by all scanners is added.

Moreover, I would recommend considering upgrading your license to ESET Internet Security or ESET Smart Security Premium (also contains Disk Encryption and Password manager). Only these two can protect you also from bruteforce attacks (RDP, SMB, SQL,...) which is a common infection vector nowadays. A common scenario of attacks is as follows: Attackers bruteforce the password, connect remotely, disable antivirus, run ransomware and then extort money from the victim. Network attack protection also protects the machine from exploiting vulnerabilities in network protocols if the system is not patched.

I am much appreciate all your responds, thank you very much.

[itman 1,659]

5 hours ago, Tonylau321 said:

So I might as well just begin to kick off the MBR fix/repair.

How do I proceed that?

Refer to the neosmart.net link @Marcos posted previously.

5 hours ago, Tonylau321 said:

Would repair/refix the MBR erase all my files in hard drive?

If performed properly the answer is no.

Note however that if the Trojan is recreating itself each time at Win startup time, it could very well reinfect the MBR again.

Since this discussion has been going on for a while w/o resolution, I suggest you contact your local in-country Eset support contact for malware removal assistance: http://www.eset.hk/

[Nightowl 202]

I believe the most efficient  and fast way is to just backup your important data from this computer , reboot and format all partitions and start new , if you are having troubles repairing the MBR , which can give some headache I believe.

[itman 1,659]

The following should get rid of this trojan if it is resident in the MBR:

Quote

4. Using a Windows Recovery CD/DVD to FixMBR

This is a fix rather than a scanner – you can use a Windows installation disk or Recovery CD to repair a corrupted or virus infected MBR by replacing it with standard Windows MBR code.

This is especially useful if you have previously attempted a fix using one of the above 3 methods and it left your computer unable to start up:

Windows 10, 8, 7 and Vista

• Boot using a Recovery CD or Windows Installation DVD
• At the Welcome screen, click ‘Repair your computer’ to enter the Recovery Environment
• Select ‘Troubleshoot’
• At the System Recovery Options menu choose ‘Command Prompt’
• At the command prompt type in the command: bootrec /fixmbr
• Press Enter to replace the MBR, then type Exit and press Enter
• Remove the DVD/CD and then restart your computer

https://techlogon.com/how-to-check-for-and-fix-mbr-virus-infection/

Edited February 27, 2020 by itman

[itman 1,659]

15 hours ago, Tonylau321 said:

It is so weird that the scan did not pick up any virus/malware this time under the Win10 safe mode and running the scan under administrator level.

The default Safe mode Eset scan parameters provided in the .bat script do not scan boot sectors by default. I suspect there's a reason for that in that Eset can't scan all boot sectors in Safe mode; namely sector 0 where the MBR is located. So in effect, adding the /boots parameter to the script didn't do anything in regards to a MBR scan.

[Tonylau321 0]

8 hours ago, itman said:

The following should get rid of this trojan if it is resident in the MBR:

https://techlogon.com/how-to-check-for-and-fix-mbr-virus-infection/

I finally got it all fixed! 

With the fixmbr with USB recovery device, it all went well.

Now the virus no longer appear when I did the scanning.

Thank you all