Tracing how I got a trojan


Hello everyone,

 

This morning when I woke my laptop from sleep I noticed really strange behavior. 

Everything felt slow and my fans were spinning pretty high. 

The moment I opened Task Manager, however, the slowdown stopped.

This struck me as really odd and my first thought was a virus/cryptominer. And lo and behold, when I opened perfmon there was a process, notepad.exe, using all CPU resources. 

I immediately downloaded Malwarebytes and scanned and it found 15 threats and 1 potential threat, see the log attached. 

Now I consider myself a tech-savvy guy and I always double-check whenever I run a program to make sure it's legit. I also often use VirusTotal when I'm not sure.

I started searching my system for any weird folders/behavior and what struck me as odd was the fact that both 'Windows Defender' folders got changed at the same time. Thinking about that, I also noticed that since 2 days ago I had a notification in my notification center that the Windows Security Center Service was off.

I also searched through the Windows event viewer and on 07/08 there was a lot of strange stuff. 

At around 2 in the morning Windows Update triggered installing 2 packages, see the logs. As soon as these packages got installed, a totally new event got written to history, namely PowerShell that remotes to a malicious website. I've also included these logs. 

So right after 2 updates got installed on 07/08 at around 2 in the morning, a trojan manifested. The cryptominer only manifested 25/08 at around 9:15 in the morning. 

My question is, is there any way I could trace how I exactly got this trojan onto my system? I've searched through all file history, browser history and I've done a full virus scan but I can not trace as to how I got infected. I'm willing to try anything. 

 

Thanks a lot in advance. 

 

PS: the trojan it removed called WMMGR.EXE is really new. The day I got infected was the first day google results showed up of this. 

 

Applications and services log - windows PowerShell.txt

windows logs - setup.txt

Malwarebytes log.txt

Edited by steerty
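The correlation the poster describes (Setup log entries at 02:00, PowerShell activity immediately afterwards, the Security Center service being off, the Defender folders changing, and the names notepad.exe / WMMGR.EXE) can be pulled together from one script instead of clicking through Event Viewer. The following is an added example, not code from the thread or from Malwarebytes. It assumes dates are dd/mm as in the post (07/08 = 7 August); the year is not stated, so it is a parameter, and the indicator list is a guess at what the "remote to a website" PowerShell event would contain. It only reads; it changes nothing on the machine and is meant to be run from an elevated PowerShell.

```powershell
# Added example (not from the original post). Read-only triage around a
# suspected infection window. Assumptions: dd/mm dates as in the post, year
# unknown (parameter), indicator list is illustrative. Run elevated.
param(
    [int]$Year = (Get-Date).Year,
    [string]$Day = "$Year-08-07",
    # Re-run with -Day "$Year-08-25" to look at the window when the miner showed up.
    [string[]]$Indicators = @('wmmgr', 'notepad.exe', 'DownloadString', 'DownloadFile',
        'Invoke-WebRequest', 'IEX', 'Net.WebClient', 'FromBase64String', 'http://', 'https://')
)

$start = (Get-Date $Day).AddHours(1)   # 01:00, an hour before the 02:00 updates
$end   = (Get-Date $Day).AddHours(6)   # 06:00, enough to catch what ran right after

# 1. What did Windows Update actually install in that window? (Setup log)
"== Setup log, $start .. $end =="
Get-WinEvent -FilterHashtable @{LogName = 'Setup'; StartTime = $start; EndTime = $end} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap

# 2. PowerShell activity right after. The classic 'Windows PowerShell' log
#    (IDs 400/403/800) records engine start/stop with the HostApplication
#    command line; Microsoft-Windows-PowerShell/Operational ID 4104 holds the
#    script text itself when script block logging is enabled.
$filters = @(
    @{LogName = 'Windows PowerShell'; Id = 400, 403, 800; StartTime = $start; EndTime = $end},
    @{LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $start; EndTime = $end}
)
$hits = foreach ($f in $filters) {
    Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue |
        Where-Object { $m = $_.Message; $Indicators | Where-Object { $m -match [regex]::Escape($_) } } |
        Select-Object TimeCreated, LogName, Id,
            @{n = 'Excerpt'; e = { $m = $_.Message -replace '\s+', ' '; $m.Substring(0, [Math]::Min(300, $m.Length)) }}
}
"== PowerShell events matching indicators =="
$hits | Sort-Object TimeCreated | Format-Table -AutoSize -Wrap

# 3. Is Security Center / Defender actually running, and when were the Defender folders last written?
"== Protection services =="
Get-Service wscsvc, WinDefend, WdNisSvc -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType | Format-Table -AutoSize
Get-MpComputerStatus -ErrorAction SilentlyContinue |
    Select-Object AMServiceEnabled, AntivirusEnabled, RealTimeProtectionEnabled | Format-List
Get-Item "$env:ProgramFiles\Windows Defender", "${env:ProgramFiles(x86)}\Windows Defender",
         "$env:ProgramData\Microsoft\Windows Defender" -ErrorAction SilentlyContinue |
    Select-Object FullName, LastWriteTime | Format-Table -AutoSize

# 4. Persistence that references the names seen in the post (or lives in user-writable paths).
$persistPattern = 'wmmgr|notepad|\\Users\\|\\Temp\\|\\AppData\\'
"== Run keys =="
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($k in $runKeys) {
    if (Test-Path $k) {
        (Get-ItemProperty $k).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { [pscustomobject]@{Key = $k; Name = $_.Name; Command = $_.Value} }
    }
} | Format-Table -AutoSize -Wrap

"== Scheduled tasks whose action matches $persistPattern =="
Get-ScheduledTask | ForEach-Object {
    $t = $_
    $t.Actions | ForEach-Object {
        [pscustomobject]@{Task = "$($t.TaskPath)$($t.TaskName)"; Execute = $_.Execute; Arguments = $_.Arguments}
    }
} | Where-Object { "$($_.Execute) $($_.Arguments)" -match $persistPattern } | Format-Table -AutoSize -Wrap

"== Services whose binary path matches $persistPattern =="
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -match $persistPattern } |
    Select-Object Name, State, StartMode, PathName | Format-Table -AutoSize -Wrap
```

The Setup-log step answers "which two packages"; the PowerShell-log step shows whether the download really followed them by minutes or merely the same night, which is the difference between "an update did this" and "something that was already resident fired on a schedule". If step 2 returns nothing for 4104, script block logging was off, and only the classic log's HostApplication line survives; if step 4 shows a task or Run entry pointing into a user profile, that is the more likely origin than Windows Update.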

Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.

Attach the file.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach.
Click Attach this file.
Click the Add reply button.
===

Please post the logs  for my review.

Wait for further instructions
==============================


Hi,

Do you have any issues with Avast?

Let's check these out.

HKLM\SYSTEM\CurrentControlSet\Services\aswSP <==== ATTENTION (Rootkit!)
HKLM\SYSTEM\CurrentControlSet\Services\aswMonFlt <==== ATTENTION (Rootkit!)
HKLM\SYSTEM\CurrentControlSet\Services\aswSnx <==== ATTENTION (Rootkit!)

Malwarebytes Anti-Rootkit

Please download Anti-Rootkit BETA and save it to your Desktop.  <check the version below....

  • Right-click on the icon and select Run as administrator to start the extraction of the program;
  • Click Yes to accept the security warning that may appear;
  • Click OK to extract it to your Desktop (MBAR will be launched shortly after the extraction);
  • Click on Next, and then on the Update button to let it update its database. Once the database has been successfully updated, click on Next;
  • Make sure all the checkboxes are checked, then click on the Scan button, and let it complete its scan (this can take a while);
  • Once the scan is done, if threats are found, make sure that every item is checked, and click on the Cleanup button (a reboot might be required);
  • After that (and the reboot, if one was required), go back in the mbar folder and look for a text file called mbar-log-TODAY'S-DATE.txt;
  • Please copy and paste the entire content of that log in your next reply;


If you have any problems running either one come back and let me know.
===


--RogueKiller--

  • Download & SAVE to your Desktop Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what PUMs are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click open the Report
  • Click Export TXT button
  • Save the file as ReportRogue.txt
  • Click the Remove button to delete the items in RED  
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.


=======

We will check your BIOS and Master boot record.

Read carefully and follow these steps.
TDSS

  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application.
  • Then click on Start Scan.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.

  • If an infected file is detected, the default action will be Cure, click on Continue.

  • Important: Do NOT change the default action on your own unless instructed by a malware Helper! Doing so may render your computer unbootable.

  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.

  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.

  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


===

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it.

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please paste the contents of that log in your next reply.


There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.
===

Wait for further instructions.


 

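The three service keys the helper quotes (aswSP, aswMonFlt, aswSnx) are, by name, Avast's self-protection, file-system monitor and virtualization drivers, which is why the reply opens by asking about Avast; FRST attaches the "Rootkit!" tag to service keys it cannot read in the normal way, and an installed self-protection driver is one benign cause of that. Before running a rootkit scanner, a practitioner would confirm that the binaries behind those keys are what the name implies. The script below is an added example, not part of the thread or of any of the tools it mentions: it resolves each service's ImagePath, checks the file exists, and reports its Authenticode signer and SHA-256. It assumes a legitimate Avast driver is signed by a certificate whose subject mentions AVAST (an assumption about the vendor, not something the thread states), and it modifies nothing.

```powershell
# Added example (not from the thread). Verify the binaries behind service keys
# that FRST flagged. Assumptions: service names from the FRST excerpt; a
# legitimate Avast driver carries a valid signature whose subject contains
# "AVAST". Read-only; run from an elevated PowerShell.
param([string[]]$Services = @('aswSP', 'aswMonFlt', 'aswSnx'))

function Resolve-ImagePath {
    # Turn the forms seen in ImagePath values into an absolute file path:
    #   \SystemRoot\system32\drivers\x.sys, system32\drivers\x.sys,
    #   \??\C:\path\x.sys, "C:\Program Files\...\x.exe" /args
    param([string]$ImagePath)
    if (-not $ImagePath) { return $null }
    $p = $ImagePath.Trim()
    if ($p -match '^(?<exe>"[^"]+"|\S+\.(exe|sys|dll))') { $p = $Matches.exe.Trim('"') }
    $p = $p -replace '^\\\?\?\\', ''                    # \??\C:\... -> C:\...
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot    # \SystemRoot\... -> C:\Windows\...
    $p = $p -replace '^%SystemRoot%', $env:SystemRoot
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }   # bare system32\...
    return $p
}

function Test-ServiceBinary {
    param([string]$Name)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path $key)) {
        return [pscustomobject]@{Service = $Name; Present = $false; FileExists = $false; SigStatus = 'n/a'; Signer = 'n/a'}
    }
    $props  = Get-ItemProperty $key
    $path   = Resolve-ImagePath $props.ImagePath
    $exists = [bool]($path -and (Test-Path -LiteralPath $path))
    $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $path } else { $null }
    [pscustomobject]@{
        Service    = $Name
        Present    = $true
        Start      = $props.Start     # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
        Type       = $props.Type      # 1 kernel driver, 2 file-system driver, 16/32 Win32 service
        ImagePath  = $props.ImagePath
        Resolved   = $path
        FileExists = $exists
        SigStatus  = if ($sig) { $sig.Status } else { 'n/a' }
        Signer     = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'n/a' }
        SHA256     = if ($exists) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash } else { 'n/a' }
    }
}

$results = $Services | ForEach-Object { Test-ServiceBinary $_ }
$results | Format-List

# A missing key, a missing file, an invalid signature, or a signer that is not
# the vendor the service name claims is what actually deserves the "Rootkit!" tag.
$suspect = $results | Where-Object {
    -not $_.Present -or -not $_.FileExists -or $_.SigStatus -ne 'Valid' -or $_.Signer -notmatch 'AVAST'
}
if ($suspect) {
    "Review these:"
    $suspect | Select-Object Service, Resolved, SigStatus, Signer | Format-Table -AutoSize -Wrap
} else {
    "All listed service binaries exist and carry a valid signature whose subject mentions AVAST."
}
```

The SHA-256 column is there so the file can be looked up on VirusTotal (which the poster already uses) without uploading it; a valid signature from the expected vendor plus a known hash closes the question for that service, whereas a file living outside System32 or signed by nobody is the case to hand to the rootkit scanners in the reply above.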

Hello Nasdaq,

 

Thanks again for your time. I did not have issues with Avast but I installed it just to be sure.

I figured out what the cause was.
It was a malicious game that was downloaded on my computer some time ago. I've searched into it and I'm not the only one that had this issue.

I will do a full clean install of my system.

Thanks again and kind regards.

 

 


  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks
