
Rootkit.Fileless.MTGen and Trojan.Fileless.MTGen



I unfortunately was fooled by the "Update Adobe Flash popup" and got the following virus:

Rootkit.Fileless.MTGen and Trojan.Fileless.MTGen

Initially I was not able to open Malwarebytes but used an old version and the chameleon option which did allow me to upgrade to the most recent version with the most recent signatures.

Next I disconnected from the internet.

I then did a default threat scan and had three malicious registry key entries which I quarantined. A reboot and repeat default scan resulted in one further infected key being identified. I then rebooted and did two subsequent scans with the rootkit enabled and no malicious items were detected. I will enclose the logs of the two infected scans and then the clean scan numbered in sequence.

1) What I would like to know is whether my system is clean of virus, Trojan, and rootkit risk and that none of my files are at risk of being stolen from my hard drive, nor is my computer vulnerable to become a bot.  The reason I ask, is because on the Malwarebytes website I read that these fileless viruses are capable of "disappearing" from detection.  However, did the injected files open up other ways of  gaining access to the computer that are not identifiable?  Can this malicious event install some sort of executable file or script which is not detected after the infected items are removed?

2) Should I delete the 4 quarantined virus keys from the virus vault? I have no use for them unless you may need them in the future for some sort of investigation. Also, I think I have the URL for the bogus web site and can send that to you if you have a need for it.

Malwarebytes Virus Scan 03202018 Scan 1.txt

Malwarebytes Virus Scan 03202018 Scan 2.txt

Malwarebytes Virus Scan 03202018 Scan 3.txt


Hello HardDriveWhiner and welcome to Malwarebytes,

When Malwarebytes quarantines entries, always make sure your system is running correctly over a couple of days or so; when that is confirmed, it is safe to delete them...

Fileless malware/infection is written directly into memory (RAM). The code is generally injected into a running process which is then used as an exploit. Typically, fileless malware is contracted by visiting a malicious website. You were more than likely redirected after clicking an attacker's advert or similar. As the malware doesn't exist as a file, it can often elude usual security such as your AV program.

Run the following and post the produced logs...

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST, either accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status...
 
  • Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach that log to your reply.

Thank you,

Kevin

 


Hi Kevin,

Thanks for your help.  I downloaded Farbar and ran it with Administrator Priv.  Here are the two files.

After I posted on Malwarebytes, but before your reply, I system restored to an earlier date (Mar 8). That executed properly. I also ran a Malwarebytes and Kaspersky 2018 scan which did not show any malware. (There were a couple of old programs on another logical drive that had minor vulnerabilities according to Kaspersky, but no malicious entries.) (BTW McAfee never showed any malware after the infection!!)

I ran netstat -ano and did not come up with any definite PID concerns. I did have a number of svchost processes running and a search for svchost.exe turned up:
  1) Windows (C:\Program Files (x86)\Malwarebytes Anti-Malware\chameleon) dated 3/10/2016
  2) System32 (C:\Windows\)
  3) SysWOW64 (C:\Windows\)

I am enclosing the pictures of the netstat result in case it is of use:

I don't know if a system restore would solve a potential fileless malware infection. I guess the registry would be overwritten, but can the fileless malware write to the system restore backup registry or otherwise survive a system restore? If the system restore is sufficient I won't do anything more.

I was wondering what you meant by "exploit"?  If it is injected into a running process does it then write a file, script, or executable to some location to be run in the future?  Would a system restore be sufficient?  I also have a complete backup of the partition and logical hard drive and  I think I would be capable of overwriting the current system installation but I don't know for sure if it will work and I am reluctant to go down this road.  However, it is exceedingly important to me that there not be any vulnerabilities left so I will do that if you think there is any chance of residual malicious software and you recommend it.

In the files below, the executable PCOP.exe is software I wrote, so ignore it if you think it is suspicious.

FRST.txt

Addition.txt

 

Netstat1 .jpg

Netstat 2.jpg
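The poster above checked by hand where each svchost.exe on disk lives and eyeballed netstat output. The script below is an added example (not the forum's, Malwarebytes' or the poster's code) that automates the defender-side version of that triage: it lists every running svchost.exe with its image path and parent process, flagging any whose image is not under System32/SysWOW64 or whose parent is not services.exe, and then dumps the usual Run/RunOnce autostart values, flagging ones that launch a script host or carry an encoded command line, which is where registry-resident "fileless" persistence commonly hides. It assumes a default %SystemRoot% layout and an elevated PowerShell session (otherwise image paths of protected processes are not readable); the launcher regex is a hypothetical heuristic, not an exhaustive list. It only reads; it changes nothing.

```powershell
# Added example, not code from the thread. Read-only triage of running svchost.exe
# instances and Run/RunOnce autostart values. Assumes default %SystemRoot% layout
# and an elevated session so that Win32_Process.ExecutablePath is populated.

# Locations Windows itself loads svchost.exe from. A copy elsewhere on disk (such
# as the Chameleon folder the poster found) is only a concern if it is the one running.
$expectedSvchost = @(
    (Join-Path $env:SystemRoot 'System32\svchost.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')
)

function Test-SvchostProcesses {
    # One WMI/CIM query gives name, image path and parent PID for every process.
    $all   = Get-CimInstance -ClassName Win32_Process
    $byPid = @{}
    foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }

    foreach ($p in ($all | Where-Object { $_.Name -ieq 'svchost.exe' })) {
        $path       = $p.ExecutablePath
        $parent     = $byPid[[int]$p.ParentProcessId]
        $parentName = if ($parent) { $parent.Name } else { '<exited>' }

        $notes = @()
        if (-not $path) {
            $notes += 'image path not readable (session not elevated?)'
        } elseif ($expectedSvchost -notcontains $path) {   # string compare is case-insensitive
            $notes += "unexpected image path: $path"
        }
        # Genuine service hosts are started by services.exe; any other parent
        # (explorer.exe, a script host, another svchost) deserves a closer look.
        if ($parentName -ine 'services.exe') {
            $notes += "parent is $parentName (PID $($p.ParentProcessId)), expected services.exe"
        }

        $status = if ($notes.Count -eq 0) { 'OK' } else { 'REVIEW: ' + ($notes -join '; ') }
        [pscustomobject]@{
            PID    = $p.ProcessId
            Path   = $path
            Parent = $parentName
            Status = $status
        }
    }
}

function Get-AutostartEntries {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Hypothetical heuristic: launchers that registry-resident persistence commonly
    # hides behind. The payload is the command line itself, so there is no file to scan.
    $suspect = '(?i)powershell|pwsh|mshta|wscript|cscript|rundll32|regsvr32|cmd\.exe|-enc|FromBase64String|javascript:'
    # Properties Get-ItemProperty adds about the key itself, not registry values.
    $providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($prop in $props.PSObject.Properties) {
            if ($prop.Name -in $providerProps) { continue }
            $value  = [string]$prop.Value
            $status = if ($value -match $suspect) { 'REVIEW' } else { 'OK' }
            [pscustomobject]@{
                Key    = $key
                Name   = $prop.Name
                Value  = $value
                Status = $status
            }
        }
    }
}

Test-SvchostProcesses | Format-Table -AutoSize -Wrap
Get-AutostartEntries  | Format-Table -AutoSize -Wrap
```

A REVIEW line is a prompt to look, not a verdict: legitimate software does register PowerShell or rundll32 launchers, and a few svchost instances (for example those under a different session) can show a parent other than services.exe on some builds. The useful signal is a value or process you cannot account for, which is exactly what to paste into a thread like this one alongside the FRST logs.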


Thanks for the update and logs, continue:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.

Next,

Open Malwarebytes Anti-Malware.
 
  • On the Settings tab > Protection Scroll to and make sure the following are selected:
    Scan for Rootkits
    Scan within Archives
     
  • Scroll further to Potential Threat Protection make sure the following are set as follows:
    Potentially Unwanted Programs (PUPs) set as: Always detect PUPs (recommended)
    Potentially Unwanted Modifications (PUMs) set as: Always detect PUMs (recommended)
     
  • Click on Scan and make sure Threat Scan is selected.
  • A Threat Scan will begin.
  • When the scan is complete if anything is found make sure that the first checkbox at the top is checked (that will automatically check all detected items), then click on the Quarantine Selected Tab
  • If asked to restart your computer to complete the removal, please do so
  • When complete click on Export Summary after deletion (bottom-left corner) and select Copy to Clipboard.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more to retrieve the log.


To get the log from Malwarebytes do the following:
 
  • Click on the Reports tab > from main interface.
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:
    Copy to Clipboard - if selected, right click in your reply and select "Paste"; the log will be pasted into your reply
    Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply

     
  • Use "Copy to Clipboard", then right click in your reply > select "Paste"; that will copy the log to your reply…


Next,

Download AdwCleaner by Malwarebytes onto your Desktop.

Or from this Mirror
 
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all the active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply


Next,

Download Sophos Free Virus Removal Tool and save it to your desktop.

If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....

Please Do Not use your PC whilst the scan is in progress.... This scan is very thorough so may take several hours...
 
  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found please confirm that result....



The Virus Removal Tool scans the following areas of your computer:
  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable
  • Mapped network drives are not scanned.


Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

Saved logs are found here: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs

Let me see those logs in your reply.

One other point: you have McAfee security suite installed, and you also have Kaspersky installed although disabled. Even though Kaspersky is disabled it has active drivers that run from boot. Kaspersky should be uninstalled at your earliest convenience or the active drivers will cause problems for your system...

Use Kaspersky removal tool available here: https://support.kaspersky.com/common/service.aspx?el=1464#block1

Thank you,

Kevin

fixlist.txt


Hi Kevin,

Enclosed are the Malwarebytes scan results after running the Farbar fix. It is called: Scan Results After Fix.Txt.

Adware came up clean on the first pass.  File enclosed.

Sophos Virus Removal:  0 Threats

I am enclosing a FRST.txt which is from a scan after the cleaning.

I am concerned about two items: the Edge extensions which are dated 3/20/18. Edge was the application that prompted the popup, and I would like to eliminate these two whitelisted items because I am concerned that the fileless virus may be inserted into either of these extensions and lie dormant there. I have not run Edge since the intrusions because I am afraid to do so. Could you send me back a fixlist with these two items to remove them from the whitelist?

Thanks.

 

 

Scan Results After Fix.txt

AdwCleaner[C0].txt

FRST.txt


Here are the two files from the 2nd Farbar Recovery Scan. They are FRST.TXT and Addition.TXT.

I am concerned about two items in the FRST.TXT: the whitelisted Internet Edge extensions which are dated 3/20/18. Edge was the application that prompted the popup, and I would like to eliminate these two whitelisted items because I am concerned that the fileless virus may be inserted into either of these extensions and lie dormant there. I have not run Edge since the intrusions because I am afraid to do so.

Could you send me back a fixlist with these two items to remove them from the whitelist?

Thanks

FRST.txt

Addition.txt


Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks

 

