Francesco1992

Members, 7 posts

  1. Task manager, not task bar, sorry for the typo
  2. Thank you for your reply, but I suppose we are not understanding each other. There is activity that reads random files and uses the Win32 keyboard input API; the second part makes me think of a keylogger. All of this activity ceases immediately upon launching the task bar or antivirus software, and from a heuristic standpoint it's almost obvious that it's some kind of malware activity: why on earth would a "legit" problem cease immediately upon launching software that checks the processes in memory? Makes no sense. There is no way to explain this behaviour with a bunch of registry entries or free space on the hard drive, especially the Win32 keyboard API usage, but even more so the ceasing of those activities upon launching the aforementioned software. I have delayed the formatting for 2 days to give you guys the chance to examine a yet-undetected malware and add it to the DB, but not knowing what this piece of software is doing precisely, I'm not going to delay the formatting any longer, sorry, so yeah, you can close the thread. Hopefully when another user reports this anomalous behaviour that hints at the same malware you will examine the situation more deeply and possibly figure out what it is, where it comes from and what it is doing. So yeah, I'm formatting right now, so have a good day, and when/if this malware shows up again on some other user, take the chance to investigate it. Bye and stay safe!
  3. I surely do intend to format the HDD and all the partitions within; the reason I'm delaying the formatting is solely to give you guys a chance to examine what could be a new, still undetected malware, to add it to the DB, as other people's machines could already be infected and the owners may be unaware. If you're not interested, of course no problem, I'll proceed with the formatting and you can close the thread. The vector will probably stay unknown if it is some exploit in an application or Windows itself, yet the payload, if found, could be analyzed to understand what the hell it does and add it to Malwarebytes' DB. Something I could try is detecting the running processes through Python, as the Python interpreter doesn't seem to trigger the self-kill function of this malware, while the task manager and the aforementioned software do. Then it's a matter of checking which processes are running, saving a list of them, opening the task manager and checking again what's running, removing from the list those that are still running, then restarting and repeating this until I get 1 or 2 processes that I can check manually. If I manage to find the malware this way I can then proceed to attempt decompiling it and see what it does. If you have better ideas just let me know; I suspect copy-pasted replies with basic malware scans won't be very useful with a new, undetected malware. Of course, again, if you're not interested just let me know and I'll proceed with the formatting right now so you can close the thread.
  4. Fixlog: ESET: In regards to the issues and concerns, the malware was not detected nor removed, as it immediately kills itself as soon as that software is launched, with the exception of Farbar; it seems it didn't kill itself when Farbar was launched, but I may be wrong. Nevertheless it did so with all the other software. The only 2 files found by ESET are the same file downloaded twice, Cheat Engine, a program that I use mainly to check other software's memory. It is safe software, but due to the bundleware present in the installer (which can be unticked, and I indeed unticked it) it may have been detected as FusionCore.BB, but it's absolutely safe. So far it seems that all the software you mentioned, and all the procedures I have followed carefully, didn't remove nor detect this malware. It seems to be scanning the memory looking for specific processes that, once found, make the malware kill itself, so it is no longer in memory and is undetectable, as file scans do not seem to detect it either. Btw, it would have been nice to have a disclaimer warning that Farbar would wipe all my cookies, so I would have had the chance to back them up, but never mind. The point is that this malware seems not to be detected yet by any of the aforementioned software by looking through the files; it may be possible to detect it in memory, but it kills itself as soon as it detects some specific processes. What's even more interesting is the way it could have made its way in: there's no way on earth I downloaded and executed something shady, not on this machine, I can guarantee it.
So the way it made its way in is probably through some RCE in one of the "mainstream safe software" installed on this machine, or through some LAN-related Windows exploit by infecting another machine in my LAN, which would be even stranger considering that all the other machines connected to my LAN are running GNU/Linux distributions and no piece of software, no matter how safe it is, ever received root privileges. This is the reason for the topic's title. Any more tests you'd like me to perform to try detecting it and adding it to the Malwarebytes DB before I proceed with formatting this Windows installation (and all the partitions, just to be on the safe side)?
  5. Malwarebytes: AdwCleaner: Farbar: Addition: FRST:
  6. Useful information I forgot to mention: it seems to affect no software while the cursor is set to busy, with one single exception, JetBrains PyCharm, which was installed years ago from its official website, so yeah, it hasn't even been updated in a long time, so there's not much suspicious about that, but it may give a hint on what this software is doing. One of the main features of PyCharm is that while you type in the editor it constantly writes the changes to disk; could it be the malware and PyCharm fighting over a file write or read access? What I experience in PyCharm is short freezes while typing, and sometimes only the arrow keys won't work until I press some other alphanumeric key. Again, as soon as the task manager or the Malwarebytes GUI gets launched, all of this abruptly ends and won't happen again until the next restart.
  7. I have been noticing for quite some days now unusual activity on my Windows 10 machine: every now and then I get the busy cursor for absolutely no reason at all, no matter what software is open or closed, nor which one has focus at the time. That's clearly something in the background, but what precisely is unknown to me. Now we get to the "fun" part: on this machine I launch no executable at all if it's not widely known, safe, mainstream software (Chrome, Discord, Steam, Telegram, etc.), with no exceptions whatsoever; also, I believe I'm knowledgeable enough to know exactly what I'm doing at any given time, and for this reason I have never needed an antivirus in the last 10 years. I know for a fact that it isn't related to anything I downloaded (willingly or accidentally); for this reason I suspect an RCE 0day in some mainstream software, but I have no idea which software specifically. Just to be clear, I also haven't updated any driver nor connected to the computer any physical device that could have been somehow compromised; this whole thing came out of the blue. The fun part is not even over: this malware (or whatever it is) seems to constantly scan the memory looking for specific processes, and when it detects the task manager or Malwarebytes it immediately kills itself and won't be restarted until the next computer restart. I have obviously already checked and double-checked all processes that get launched at computer boot-up and all services, finding nothing out of the ordinary for a normal Windows 10 Home installation. Crazy, isn't it?
Doing a scan with Malwarebytes detected only a couple of adware executables in the download folder that I have never launched, you know, the lovely JavaScript auto-download trickeries; due to my large download bandwidth they got downloaded even before I was able to click cancel, but I have always been fully aware of what they are and I have never launched them. In fact, after Malwarebytes detected and quarantined them, a computer restart made the sneaky malware reappear, showing that it clearly isn't related to those never-launched files (quite obvious, I add), and guess what, this sneaky boi immediately killed itself again as I opened the Malwarebytes GUI to start a scan, which indeed ended with zero results. I am going to format this Windows 10 installation tomorrow evening anyway, malware kept or removed, but as this could be the "next big thing" you may be interested in some experimentation to add it to your DB before the competition; I'm intentionally delaying the formatting by 1 day for science and progress (eheh). If you want me to do some tests let me know; I may be offline for a few hours in a bit, but I will come back and read before I format so I can test stuff, don't worry.
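
Post 3 above sketches a way to find a process that exits the moment Task Manager starts: snapshot the process list from Python (which the poster says does not trigger the self-kill), launch Task Manager, snapshot again, keep only what vanished, and repeat across reboots. The script below is an added example written for this page, not code from the thread or from Malwarebytes. It uses only the Python standard library plus the built-in Windows `tasklist` command; the `tasklist` output embedded in it is constructed sample data for offline testing, and the process names in it are made up.

```python
"""Added example: diff process snapshots taken before and after launching a
process-monitoring tool, and correlate the survivors across reboots.

Assumes a Windows host with the built-in `tasklist` command. Nothing here is
from the forum thread; the SAMPLE_* strings are constructed test data.
"""
import csv
import io
import json
import subprocess
from pathlib import Path

# Constructed sample of `tasklist /FO CSV /NH` output (columns: Image Name,
# PID, Session Name, Session#, Mem Usage). Process names are invented.
SAMPLE_BEFORE = (
    '"System Idle Process","0","Services","0","8 K"\r\n'
    '"explorer.exe","4120","Console","1","98,232 K"\r\n'
    '"pycharm64.exe","7788","Console","1","1,204,500 K"\r\n'
    '"updater.exe","9901","Console","1","22,104 K"\r\n'
)
SAMPLE_AFTER = (
    '"System Idle Process","0","Services","0","8 K"\r\n'
    '"explorer.exe","4120","Console","1","98,300 K"\r\n'
    '"pycharm64.exe","7788","Console","1","1,204,500 K"\r\n'
    '"Taskmgr.exe","10240","Console","1","40,000 K"\r\n'
)


def parse_tasklist_csv(text):
    """Return {pid: image_name} parsed from `tasklist /FO CSV /NH` output."""
    procs = {}
    for row in csv.reader(io.StringIO(text, newline="")):
        if len(row) >= 2 and row[1].isdigit():
            procs[int(row[1])] = row[0]
    return procs


def snapshot():
    """Live snapshot of running processes (Windows only; not run on import)."""
    out = subprocess.run(
        ["tasklist", "/FO", "CSV", "/NH"],
        capture_output=True, text=True, check=True,
    ).stdout
    return parse_tasklist_csv(out)


def vanished(before, after):
    """Processes whose PID was present in `before` but is gone in `after`."""
    return {pid: name for pid, name in before.items() if pid not in after}


def recurring_names(vanished_runs):
    """Image names that vanished in every recorded run.

    PIDs are reassigned after a reboot, so runs are correlated by image name;
    a process that disappears only once (e.g. a finishing installer) drops out.
    """
    name_sets = [set(run.values()) for run in vanished_runs]
    return set.intersection(*name_sets) if name_sets else set()


def record_run(log_path=Path("vanished_runs.json")):
    """One interactive run: snapshot, wait for Task Manager, snapshot, diff."""
    before = snapshot()
    input("Snapshot taken. Open Task Manager now, then press Enter... ")
    after = snapshot()
    gone = vanished(before, after)
    runs = json.loads(log_path.read_text()) if log_path.exists() else []
    runs.append({str(pid): name for pid, name in gone.items()})
    log_path.write_text(json.dumps(runs, indent=2))
    return gone, recurring_names(runs)


if __name__ == "__main__":
    gone_now, suspects = record_run()
    print("Vanished this run:", gone_now)
    print("Vanished in every run so far:", suspects)
```

Run it from an elevated prompt so `tasklist` lists processes in every session, and reboot between runs as the post describes; the JSON log accumulates the runs and `recurring_names` narrows the candidates. `tasklist` does not report the executable path, so once a name recurs, capture its path while it is still alive (for example with `Get-CimInstance Win32_Process` in PowerShell, which exposes `ExecutablePath`) before starting Task Manager.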