Jump to content

Malware keeps coming back after reboot


Exos
 Share

Recommended Posts

As stated on the title I have this "mserver.exe" malware that generates another "svghost.exe" that appears to be a crypto miner. Every time i remove them they keep coming back no matter what i ve tried. They get identified and removed every time but after the reboot here they come again. Some help would be greatly apreciated becase this starts to drive me crazy.. 

Addition.txt

FRST.txt

mblog.txt

Link to post
Share on other sites

Hello Exos and welcome to Malwarebytes,

Open Malwarebytes Anti-Malware.

  • On the Settings tab > Protection Scroll to and make sure the following are selected: Scroll to and make sure the following are selected:

    Scan for Rootkits
    Scan within Archives

  • Scroll further to Potential Threat Protection make sure the following are set as follows:

    Potentially Unwanted Programs (PUP`s)         set as :- Always detect PUP`s (recommended)
    Potentially Unwanted Modifications (PUM`s)  set as :- Alwaysdetect PUM`s (recommended)

  • Click on the Scan make sure Threat Scan is selected,

  • A Threat Scan will begin.

  • When the scan is complete if anything is found make sure that the first checkbox at the top is checked (that will automatically check all detected items), then click on the Quarantine Selected Tab

  • If asked to restart your computer to complete the removal, please do so

  • When complete click on Export Summary after deletion (bottom-left corner) and select Copy to Clipboard.

  • Wait for the prompt to restart the computer to appear, then click on Yes.

  • After the restart once you are back at your desktop, open MBAM once more to retrieve the log.

To get the log from Malwarebytes do the following:

  • Click on the Reports tab > from main interface.
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options: > From export you have two options:

      Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
      Text file (*.txt)        - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
     

  • Use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply…

Thanks,

Kevin...

 

Link to post
Share on other sites

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 2/18/18
Scan Time: 1:57 PM
Log File: f009a272-14a2-11e8-80a0-309c23623158.json
Administrator: Yes

-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.262
Update Package Version: 1.0.3992
License: Trial

-System Information-
OS: Windows 10 (Build 16299.248)
CPU: x64
File System: NTFS
User: DESKTOP-ENCBR82\Tasos

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 273198
Threats Detected: 14
Threats Quarantined: 5
Time Elapsed: 1 min, 49 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 2
Trojan.BitCoinMiner, C:\WINDOWS\SYSTEM32\MSERVER.EXE, Quarantined, [68], [485917],1.0.3992
RiskWare.BitCoinMiner, C:\WINDOWS\TEMP\SVGHOST.EXE, Quarantined, [82], [485447],1.0.3992

Module: 2
Trojan.BitCoinMiner, C:\WINDOWS\SYSTEM32\MSERVER.EXE, Quarantined, [68], [485917],1.0.3992
RiskWare.BitCoinMiner, C:\WINDOWS\TEMP\SVGHOST.EXE, Quarantined, [82], [485447],1.0.3992

Registry Key: 1
Trojan.BitCoinMiner, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\mserver, No Action By User, [68], [485917],1.0.3992

Registry Value: 2
Trojan.Agent.AppFlsh, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS|APPINIT_DLLS, No Action By User, [1999], [-1],0.0.0
Trojan.Agent.AppFlsh, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS|APPINIT_DLLS, No Action By User, [1999], [-1],0.0.0

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 7
Trojan.BitCoinMiner, C:\WINDOWS\SYSTEM32\MSERVER.EXE, No Action By User, [68], [485917],1.0.3992
RiskWare.BitCoinMiner, C:\WINDOWS\TEMP\SVGHOST.EXE, Quarantined, [82], [485447],1.0.3992
Trojan.Agent.AppFlsh, C:\WINDOWS\SYSTEM32\KEYHOOK64.DLL, No Action By User, [1999], [491504],1.0.3992
Trojan.Agent.AppFlsh, C:\WINDOWS\SYSTEM32\USP20.DLL, No Action By User, [1999], [491503],1.0.3992
RiskWare.BitCoinMiner, C:\USERS\TASOS\DESKTOP\CLAYMORE'S DUAL ETHEREUM+DECRED_SIACOIN_LBRY_PASCAL_BLAKE2S_KECCAK AMD\CLAYMORE'S DUAL ETHEREUM+DECRED_SIACOIN_LBRY_PASCAL AMD+NVIDIA GPU MINER V11.0\CUDA7.5\ETHDCRMINER64.EXE, No Action By User, [82], [489367],1.0.3992
RiskWare.BitCoinMiner, C:\USERS\TASOS\DESKTOP\CLAYMORE'S DUAL ETHEREUM+DECRED_SIACOIN_LBRY_PASCAL_BLAKE2S_KECCAK AMD\CLAYMORE'S DUAL ETHEREUM+DECRED_SIACOIN_LBRY_PASCAL AMD+NVIDIA GPU MINER V11.0\ETHDCRMINER64.EXE, No Action By User, [82], [489153],1.0.3992
RiskWare.BitCoinMiner.VMP, C:\USERS\TASOS\DESKTOP\CLAYMORE'S DUAL ETHEREUM+DECRED_SIACOIN_LBRY_PASCAL_BLAKE2S_KECCAK AMD\CLAYMORE'S DUAL ETHEREUM+DECRED_SIACOIN_LBRY_PASCAL AMD+NVIDIA GPU MINER V11.0\CUDA9.1\ETHDCRMINER64.EXE, No Action By User, [1403], [489366],1.0.3992

Physical Sector: 0
(No malicious items detected)


(end)


I myself excluded the ethdcrminer64.exe from getting quarantined because its a false positive since im using this part of claymore miner v.11 on several other pc's w/o any problem. As for the rest of the detections marked with "no action by user" Im 100% sure i had marked them to get quarantined 

Link to post
Share on other sites

Thanks for those logs, continue:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

I`ve left out from the fix the entries you know and trust, I suppose Malwarebytes will flag them again with the next scan..

Next,

Open Malwarebytes Anti-Malware.

  • On the Settings tab > Protection Scroll to and make sure the following are selected: Scroll to and make sure the following are selected:

    Scan for Rootkits
    Scan within Archives

  • Scroll further to Potential Threat Protection make sure the following are set as follows:

    Potentially Unwanted Programs (PUP`s)         set as :- Always detect PUP`s (recommended)
    Potentially Unwanted Modifications (PUM`s)  set as :- Alwaysdetect PUM`s (recommended)

  • Click on the Scan make sure Threat Scan is selected,

  • A Threat Scan will begin.

  • When the scan is complete if anything is found make sure that the first checkbox at the top is checked (that will automatically check all detected items), then click on the Quarantine Selected Tab

  • If asked to restart your computer to complete the removal, please do so

  • When complete click on Export Summary after deletion (bottom-left corner) and select Copy to Clipboard.

  • Wait for the prompt to restart the computer to appear, then click on Yes.

  • After the restart once you are back at your desktop, open MBAM once more to retrieve the log.

To get the log from Malwarebytes do the following:

  • Click on the Reports tab > from main interface.
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options: > From export you have two options:

      Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
      Text file (*.txt)        - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
     

  • Use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply…

Let me see those logs in your reply..

 

 

fixlist.txt

Link to post
Share on other sites

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 2/18/18
Scan Time: 8:27 PM
Log File: 6bfb454e-14d9-11e8-915f-309c23623158.json
Administrator: Yes

-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.262
Update Package Version: 1.0.3994
License: Trial

-System Information-
OS: Windows 10 (Build 16299.248)
CPU: x64
File System: NTFS
User: DESKTOP-ENCBR82\Tasos

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 275698
Threats Detected: 10
Threats Quarantined: 9
Time Elapsed: 1 min, 51 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 2
Trojan.BitCoinMiner, C:\WINDOWS\SYSTEM32\MSERVER.EXE, Quarantined, [68], [485917],1.0.3994
RiskWare.BitCoinMiner, C:\WINDOWS\TEMP\SVGHOST.EXE, Quarantined, [82], [485447],1.0.3994

Module: 2
Trojan.BitCoinMiner, C:\WINDOWS\SYSTEM32\MSERVER.EXE, Quarantined, [68], [485917],1.0.3994
RiskWare.BitCoinMiner, C:\WINDOWS\TEMP\SVGHOST.EXE, Quarantined, [82], [485447],1.0.3994

Registry Key: 1
Trojan.BitCoinMiner, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\mserver, Quarantined, [68], [485917],1.0.3994

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 5
Trojan.BitCoinMiner, C:\WINDOWS\SYSTEM32\MSERVER.EXE, Quarantined, [68], [485917],1.0.3994
RiskWare.BitCoinMiner, C:\WINDOWS\TEMP\SVGHOST.EXE, Quarantined, [82], [485447],1.0.3994
Trojan.Agent.AppFlsh, C:\WINDOWS\SYSTEM32\KEYHOOK64.DLL, Quarantined, [1999], [491504],1.0.3994
Trojan.Agent.AppFlsh, C:\WINDOWS\SYSTEM32\USP20.DLL, Quarantined, [1999], [491503],1.0.3994
RiskWare.BitCoinMiner, C:\USERS\TASOS\DESKTOP\TOOLS\CLAYMORE'S DUAL ETHEREUM+DECRED_SIACOIN_LBRY_PASCAL_BLAKE2S_KECCAK AMD+NVIDIA GPU MINER V11.0 - CATALYST 15.12-18.X - CUDA 8.0_9.1_7.5_6.5.ZIP, No Action By User, [82], [489368],1.0.3994

Physical Sector: 0
(No malicious items detected)


(end)


I hope i ve done everything right. I also attached a photo of a popup i got after the reboot malwarebytes triggered.. Note that i did but no longer have GPU-Z installed

Fixlog.txt

123.jpg

export sum.txt

Link to post
Share on other sites

Obviously there must be a dropper active that returns the infection after removal. Run FRST again let me see fresh logs..

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan" Select scan, when done post the new logs. "FRST.txt" and "Addition.txt"

 

Link to post
Share on other sites

Thanks for those logs Exos,

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

FRST should initiate a reboot, if not make reboot yourself.

Next,

Open Malwarebytes Anti-Malware.

  • On the Settings tab > Protection Scroll to and make sure the following are selected: Scroll to and make sure the following are selected:

    Scan for Rootkits
    Scan within Archives

  • Scroll further to Potential Threat Protection make sure the following are set as follows:

    Potentially Unwanted Programs (PUP`s)         set as :- Always detect PUP`s (recommended)
    Potentially Unwanted Modifications (PUM`s)  set as :- Alwaysdetect PUM`s (recommended)

  • Click on the Scan make sure Threat Scan is selected,

  • A Threat Scan will begin.

  • When the scan is complete if anything is found make sure that the first checkbox at the top is checked (that will automatically check all detected items), then click on the Quarantine Selected Tab

  • If asked to restart your computer to complete the removal, please do so

  • When complete click on Export Summary after deletion (bottom-left corner) and select Copy to Clipboard.

  • Wait for the prompt to restart the computer to appear, then click on Yes.

  • After the restart once you are back at your desktop, open MBAM once more to retrieve the log.

To get the log from Malwarebytes do the following:

  • Click on the Reports tab > from main interface.
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options: > From export you have two options:

      Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
      Text file (*.txt)        - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
     

  • Use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply…

If Malwarebytes finds any entries Quarantine them all, then run a fresh scan after a reboot..

Let me see those logs...

Thank you,

 

 

 

fixlist.txt

Link to post
Share on other sites

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 2/18/18
Scan Time: 10:28 PM
Log File: 4ffcf963-14ea-11e8-834d-309c23623158.json
Administrator: Yes

-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.262
Update Package Version: 1.0.3994
License: Trial

-System Information-
OS: Windows 10 (Build 16299.248)
CPU: x64
File System: NTFS
User: DESKTOP-ENCBR82\Tasos

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 275875
Threats Detected: 12
Threats Quarantined: 11
Time Elapsed: 1 min, 48 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 2
Trojan.BitCoinMiner, C:\WINDOWS\SYSTEM32\MSERVER.EXE, Quarantined, [68], [485917],1.0.3994
RiskWare.BitCoinMiner, C:\WINDOWS\TEMP\SVGHOST.EXE, Quarantined, [82], [485447],1.0.3994

Module: 2
Trojan.BitCoinMiner, C:\WINDOWS\SYSTEM32\MSERVER.EXE, Quarantined, [68], [485917],1.0.3994
RiskWare.BitCoinMiner, C:\WINDOWS\TEMP\SVGHOST.EXE, Quarantined, [82], [485447],1.0.3994

Registry Key: 1
Trojan.BitCoinMiner, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\mserver, Quarantined, [68], [485917],1.0.3994

Registry Value: 2
Trojan.Agent.AppFlsh, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS|APPINIT_DLLS, Quarantined, [1999], [-1],0.0.0
Trojan.Agent.AppFlsh, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS|APPINIT_DLLS, Quarantined, [1999], [-1],0.0.0

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 5
Trojan.BitCoinMiner, C:\WINDOWS\SYSTEM32\MSERVER.EXE, Quarantined, [68], [485917],1.0.3994
RiskWare.BitCoinMiner, C:\WINDOWS\TEMP\SVGHOST.EXE, Quarantined, [82], [485447],1.0.3994
Trojan.Agent.AppFlsh, C:\WINDOWS\SYSTEM32\KEYHOOK64.DLL, Quarantined, [1999], [491504],1.0.3994
Trojan.Agent.AppFlsh, C:\WINDOWS\SYSTEM32\USP20.DLL, Quarantined, [1999], [491503],1.0.3994
RiskWare.BitCoinMiner, C:\USERS\TASOS\DESKTOP\TOOLS\CLAYMORE'S DUAL ETHEREUM+DECRED_SIACOIN_LBRY_PASCAL_BLAKE2S_KECCAK AMD+NVIDIA GPU MINER V11.0 - CATALYST 15.12-18.X - CUDA 8.0_9.1_7.5_6.5.ZIP, No Action By User, [82], [489368],1.0.3994

Physical Sector: 0
(No malicious items detected)


(end)


Some things i would like to point out.
1. i found a sys at this location C:\Windows\system32\drivers\iaStorE.sys with that very interesting virustotal entry https://www.virustotal.com/#/file/f44eb647df4ca6482fb6120935d21ca8410fce19e4c51978ea3016367514cb93/detection

2. i got the message displayed in the "message.jpg" picture i uploaded right after the frst triggered reboot. I tried to translate it in red

3. Trying to follow this step of your guide " When complete click on Export Summary after deletion (bottom-left corner) and select Copy to Clipboard. " i noticed that, as displayed in the pic i uploaded (mwb.jpg) there is just an export summary button and not export summary after deletion that doesnt follow up with a reboot of the system. Not sure if im doing smthing wrong here

Hope i didnt confuse you too much with my broken english and random infos :P
 

Fixlog.txt

export sum.txt

export.txt

message.jpg

mwb.jpg

Link to post
Share on other sites

Also i found this comment about "iastore.sys" at VirusTotal community:

" This is a part of Trojan.Siggen7.35349. The following files were detected: iaStroE.sys, mserver.exe and svghost.exe. The last two files were detected as RiskWare.BitCoinMiner by Malwarebytes. Both files signed by "Xi' an JingTech electronic Technology Co.,LTD" but certificate was revoked. "

That seems to fit my case

Link to post
Share on other sites

Hopefully that entry you mentioned will make the fix good this time...

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply. FRST will probably initiate a reboot, if not make one manually.

Next,

Run Malwarebytes scan, quarantine any found entries, reboot and scan again..

Post those logs...

 

 

fixlist.txt

Link to post
Share on other sites

I certainly do believe the infection is gone if repeated scans find nothing... Malwarebytes maybe corrupt or may have been exploited to turn off realtime protection. A clean install is best way forward...

Totally Remove Malwarebytes from your system:

Download the latest version of MB-Clean by clicking this link: https://downloads.malwarebytes.com/file/mb_clean save to your Desktop, or a folder of your choice.
 
  • Close all open applications
  • Double-click and run mb-clean.exe
  • A prompt with an option to clean up the system will appear:


Yes - will proceed with backing up the license key (Malwarebytes 3.x only) and initiating the cleanup process. (Recommended)
No - will exit the utility

Once the cleanup process is completed, a prompt will appear:

Yes – will proceed and post reboot you will be prompted to continue with the downloading, installation and activation of latest version of Malwarebytes 3.x (Recommended)
No – will exit the utility and you will not be prompted (post reboot) to download, reinstall and re-activate (Not Recommended)

We recommend rebooting immediately. Additionally, stopping at this step is not recommended and will most likely not resolve your issue(s).

Upon reboot, a prompt will appear:

Yes - will download, install and activate the latest version of Malwarebytes 3.x (Recommended)
No - will exit the utility and the cleanup process is complete...

A log file ("mb-clean-results.txt") will be on your desktop

Next,

Open Malwarebytes Anti-Malware.
 
  • On the Settings tab > Protection Scroll to and make sure the following are selected:
    Scan for Rootkits
    Scan within Archives
     
  • Scroll further to Potential Threat Protection make sure the following are set as follows:
    Potentially Unwanted Programs (PUP`s) set as :- Always detect PUP`s (recommended)
    Potentially Unwanted Modifications (PUM`s) set as :- Alwaysdetect PUM`s (recommended)
     
  • Click on the Scan make sure Threat Scan is selected,
  • A Threat Scan will begin.
  • When the scan is complete if anything is found make sure that the first checkbox at the top is checked (that will automatically check all detected items), then click on the Quarantine Selected Tab
  • If asked to restart your computer to complete the removal, please do so
  • When complete click on Export Summary after deletion (bottom-left corner) and select Copy to Clipboard.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more to retrieve the log.


To get the log from Malwarebytes do the following:
 
  • Click on the Reports tab > from main interface.
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:
    Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
    Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply

     
  • Use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply…


Thank you,

Kevin...
Link to post
Share on other sites

That did the trick and real time protection is working again. After several reboots and scans seems like everything is clean again.

Kevin i have no words to express my gratitude.. I sincerely thank you a lot for the time and effort u put into this! You are the man and wish you the best! :D:D

Link to post
Share on other sites

We need to clean up tools etc, specifically clearing Restore Points, they will be exploited..

Download "Delfix by Xplode" and save it to your desktop.

Or use the following if first link is down:

"Delfix link mirror"

If your security program alerts to Delfix either, accept the alert or turn your security off.

Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator

Make Sure the following items are checked:

 
  • Remove disinfection tools <----- this will remove tools we may have used.
  • Purge System Restore <--- this will remove all previous and possibly exploited restore points, a new point relative to system status at present will be created.
  • Reset system settings <--- this will reset any system settings back to default that were changed either by us during cleansing or malware/infection


Now click on "Run" and wait patiently until the tool has completed.

The tool will create a log when it has completed. We don't need you to post this.

Any remnant files/logs from tools we have used can be deleted…

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin... user posted image

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.