lavt91

Crazy remote trojan [with pics] survived reformat!


So basically, I got infected with the worst virus/trojan/malware I’ve ever seen in 20+ years of working on PCs. At this point, I’m really just looking for some insight and information as to what happened!

On 6/15, I was playing a game and decided to pause and minimize the window to take a shower. Roughly 15 minutes later, I came back into the room to see my mouse moving across the screen. At first, I thought some sort of popup had appeared (like those old ones you used to see back in the day with a fake dialogue box). Upon looking closer, I realized that this was actually my cursor moving towards the “Save” button on Chrome trying to download a file. I immediately grabbed my mouse and moved the cursor, and for a brief moment there was a “struggle” of sorts. It felt like whoever was controlling my mouse tried to fight me for control for a second.

I don’t really know what info is relevant and what isn’t, so I’m just going to describe everything. The window that was open was for “KO Player” - this is the file that was trying to be downloaded. From what I looked up, it appears to be an Android emulator. I decided to go through my download history, and I found a piece of software called “AnyDesk.” From what I understand this is a remote desktop access software, so I’m not entirely sure why they would need this if access had already been gained to my machine. I ended up finding traces of this in my appdata “Roaming” folder...more on that later.

I really should have pulled the plug immediately, but I wasn’t thinking at the time. I decided to check my history, and I saw that the hacker had been searching my emails for anything to do with cryptocurrency or bitcoin:

[screenshot]

Because I had 2FA enabled on all my accounts, none of the hacker's attempts to change my passwords were successful.

I ended up going to the task manager to see if there were any strange processes that shouldn’t be running. At this point, I found a process called “Windows Fing H” - it had also been set as a startup item with high impact. I killed the process, which I hope stopped the remote connection.

[screenshot]

I cannot find anything about this process. I was, however, able to trace the task manager process to the file’s location. The startup process was located here:

C:\Users\ME\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

It led to a .scr file called “Windows12.scr” - in addition, there’s a strange 4.0.3.t.dat file in there that I’m not really sure where it came from. Perhaps it has to do with .NET framework? More info on the file:

[screenshot]

Okay, so this is when it gets weird – I decided to just do a full reformat. So I did – completely wiped the SSD twice, including the recovery partitions, until it was just “unallocated space.” I should mention that I also had an internal HDD that I didn’t do anything to, and it was plugged in during the process. This is dumb of me, and I should’ve removed it first.

Regardless, I wiped the machine, reinstalled Windows, so far so good. A few hours into it, my paranoia gets the better of me and I decide to start snooping. I check the Event Viewer and things are going crazy:

[screenshot]

Alright, so at this point I don’t have more screenshots because they’re on the infected machine. Not sure how to grab them off without infecting another machine without snapping a photo of the monitor itself. But here’s what happened next:

Using the event viewer, I find an application that was installed shortly after the reformat. Somehow, 7Zip was put into the Temp folder (I had not installed 7Zip yet), and it extracted something called “PACKAGE.7z.” This contained a file called “Chrmoe Sevrice.exe” or something along those lines – clearly fishy.

So I keep searching more, and I then find files in the roaming folder containing extractions from Chrome. They were text documents, each with a username and password for every domain that had been saved. Luckily I’ve used a third-party password manager for the last several years so the old passwords in Chrome were long gone – but still, a tool had been used to extract saved images and forms from Chrome. If I had used Chrome to save passwords, these people could’ve done some serious damage. This same process was repeated for my other profile in Chrome, which I primarily use for work. I’m not exactly sure if they were able to monitor the tool in real time, or if the goal is to go back to the machine later when unoccupied (using a remote connection) to retrieve the files containing passwords and logins. I’m not a virus expert, so I’m not really sure what’s possible these days.

I should mention that this time I unplugged the internet right away. When restarting, Windows would error because it could not connect to a file called winup.js – I also remember seeing something like winit.js, and there was a .vbs file that was constantly trying to launch. This would only happen with the internet disconnected, so I’m guessing it has something to do with a remote connection. I also recall seeing galcod.scr at one point in this process, but I can’t recall if that was pre-format or post-format.

So, what am I dealing with here? Is it most likely that the virus was dormant on my secondary HDD? Some of my tech buddies have also said my hardware may be compromised – I’ve heard everything from my network card’s MAC address being compromised to peripherals with upgradeable firmware being hacked (gaming monitor, mouse, etc).

Regardless, the machine is now sitting unplugged in a closet. I reformatted (using DBAN) the other PC in my house to be sure nothing got transferred over the network, and the machine I’m on now is brand new. I also threw my old modem and router in the trash and bought a new unit just to be safe. Made sure to change every password, including the router login.

I should also mention that during this time, none of Malwarebytes, HitmanPro, or AdwCleaner detected anything – even when scanning the files I knew to be malicious. However, Windows Defender did pop up warning that the .js file was detected as “Trojan:JS/Foretype.A!ml”.

All my machines now have Malwarebytes Premium as well as Bitdefender (paid) – so I’m definitely going to be cautious moving forward. As to how I got the infection, I’m guessing it’s because I stupidly downloaded a software torrent I shouldn’t have. I always buy my software, but sometimes I would download something first (like a game) to see if it would run on my machine before purchasing it on Steam. Regardless, I’ve learned my lesson, and I won’t be torrenting anything anymore.

I have done all the necessary precautions (changed every password, removed all authorized devices from my accounts, etc). I even printed new 2FA backup codes (voiding the old ones) in the rare case that the hacker was able to print out my old codes when they had access to my Google account.

Any advice or feedback would be appreciated. Thanks!


Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Download the Farbar Recovery Scan Tool (FRST).
Choose the 32 or 64 bit version for your system and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens, click Yes to the disclaimer.
Press the Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.
[screenshot]

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to attach.
Click Attach this file.
Click the Add reply button.
===

Please post the logs for my review.

Let me know what problems persist with this computer.

Wait for further instructions.
===

Thank you for your quick reply! However, there are two concerns:

1) The machine is infected and cannot be connected to the network. I could put the tool on a USB drive, but then it would be risky bringing the log files back to another machine.

2) Same thing with the log files - how can I transfer .txt documents to a working computer while ensuring I'm not infecting it?

EDIT: Well, I tried to post this but the forum marked it as "spam" so I'll add more info. Basically, I'm just super paranoid that this trojan/virus could spread to another drive when plugging it in. As of now, I have a brand new modem/router and the infected machine has never been on the network. Just trying to figure out a way I can do it without worsening the issue. I think I mentioned this in my original post, but whenever I restart the machine WITH the internet connected (even for a second), it launches a sketchy file in the background. When booting with no internet connection, I get a Windows popup saying the process failed to start.


Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Using the good computer, download and run this program on a USB drive.
It will disinfect the drive (if needed) and protect the drive from future infection.

Download and Run FlashDisinfector

You may have a flash drive infection. These worms travel through your portable drives. If they have been connected to other machines, they may now be infected.

  • Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    Note: Some security programs will flag Flash_Disinfector as being some sort of malware; you can safely ignore these warnings.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.


Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
===

Using a good computer, download the Farbar Recovery Scan Tool (FRST) to the protected USB.

Mount the USB on the compromised computer. Copy the program to the Desktop of the compromised computer.

Open the program as an Administrator and scan the computer.

Copy the FRST.TXT and the Addition.txt logs to the USB.
.txt logs will not be infected and will not transfer the malware to it.

Copy the files to the good computer.

Post the logs for my review.

Wait for further instructions.


 


Hi there!

Thank you very much for your clear instructions. I am running a flash drive off a brand new laptop with nothing on it. However, Flash_Disinfector.exe doesn't run. Nothing happens. The first time, I got a popup asking if the program installed correctly.

Right now, I'm performing Windows updates (the machine is new so it's out of date) in hopes this fixes the problem. Do you have any suggestions or alternatives? Thanks again!


Hmm...I did full Windows updates, made sure all .NET framework was installed, even tried running Flash_Disinfector.exe in safe mode. Also tried compatibility mode for XP/7. I can't get the software to run or even open! Any help would be appreciated.


Did you try to run the program as an administrator?

p.s.

Could the program have been quarantined by your virus protection program?

 


I tried restarting in Safe Mode with Networking to redownload the file, hooked up with an ethernet cable, and got it again from the link provided above. I forgot to mention it before, but I am running it as administrator. I honestly have no idea - when I run it, nothing happens.


Hi,

What I suspect is that your flash drive is already protected.

It's becoming more and more of a standard.


Thanks for your help. I actually read some other threads on here and ended up using Panda USB Vaccine, which worked fine. :)

Here are the logs you requested.

FRST.txt Addition.txt


Hi,

Please download the attached Fixlist.txt file to the same folder the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt); please post it in your reply.
===

Please post the Fixlog.txt and let me know what problem persists.

fixlist.txt


Hi there. Thank you again for your help. I have attached the Fixlog.txt file you requested.

Upon restarting, those suspicious processes no longer started, so that's a good sign! 😃

Do you have any insights into what type of infection this is?

Also, should this prevent the infection from returning after a reformat? I'm still a bit puzzled as to how that happened. I appreciate your expertise! Thanks in advance.

Fixlog.txt


Hi,

Restore point was successfully created.


Processes closed successfully.
C:\Users\lavt91\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winjs.lnk => moved successfully
ShortcutAndArgument: winjs.lnk -> C:\Windows\system32\wscript.exe =>  /E:vbscript "C:\Users\lavt91\AppData\Roaming\winjs.vbs" => Error: No automatic fix found for this entry.
"C:\Users\lavt91\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winjs.lnk" => not found
"C:\Users\lavt91\AppData\Roaming\winjs.vbs" => not found

The winjs.lnk file => moved successfully. That means it was deleted by the fix.

The .vbs payload came from your /E: drive, which most likely was your external drive.

Check your computer and external drive if you have a shortcut with this command.

ShortcutAndArgument: winjs.lnk -> C:\Windows\system32\wscript.exe =>  /E:vbscript "C:\Users\lavt91\AppData\Roaming\winjs.vbs" => Error: No automatic fix found for this entry.

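The Fixlog entry quoted above records the persistence used in this incident: a Startup-folder shortcut that launches wscript.exe with /E:vbscript (wscript's engine-selection switch) against a .vbs file under AppData\Roaming. The Python below is an added example, not part of this thread or of FRST, that parses lines of that ShortcutAndArgument shape and flags Startup shortcuts whose target is a script host or whose arguments point into a user-writable folder; the Steam and updater sample lines are constructed for contrast.

```python
import re

# Sample FRST-style "ShortcutAndArgument:" lines. The first is the entry quoted in
# this thread; the second and third are constructed (a benign launcher and a
# cscript variant) and are not from any real log.
SAMPLE_LOG = r"""
ShortcutAndArgument: winjs.lnk -> C:\Windows\system32\wscript.exe =>  /E:vbscript "C:\Users\lavt91\AppData\Roaming\winjs.vbs" => Error: No automatic fix found for this entry.
ShortcutAndArgument: Steam.lnk -> C:\Program Files (x86)\Steam\steam.exe => -silent
ShortcutAndArgument: updater.lnk -> C:\Windows\System32\cscript.exe => //B "C:\Users\lavt91\AppData\Local\Temp\winup.js"
"""

# Script hosts that rarely belong in a Startup shortcut with a user-supplied script.
# Assumption: a starting list for triage, not an exhaustive one.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
# Lower-case path fragments a standard user can write to without elevation.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

LINE_RE = re.compile(
    r"^ShortcutAndArgument:\s*(?P<lnk>\S+)\s*->\s*(?P<target>.+?)\s*=>\s*(?P<args>.*)$"
)


def parse_shortcut_line(line: str):
    """Return {'lnk', 'target', 'args'} for a ShortcutAndArgument line, else None.
    FRST appends its own status after a further ' => '; that part is dropped."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    args = m.group("args").split(" => ")[0].strip()
    return {"lnk": m.group("lnk"), "target": m.group("target").strip(), "args": args}


def suspicion_reasons(entry: dict) -> list:
    """List why a Startup shortcut looks like script-based persistence (empty if benign)."""
    reasons = []
    host = entry["target"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if host in SCRIPT_HOSTS:
        reasons.append(f"target is a script host ({host})")
    if any(frag in entry["args"].lower() for frag in USER_WRITABLE):
        reasons.append("argument points into a user-writable folder")
    return reasons


def flag_startup_shortcuts(log_text: str) -> dict:
    """Map shortcut name -> reasons for every suspicious entry in the log text."""
    flagged = {}
    for line in log_text.splitlines():
        entry = parse_shortcut_line(line)
        reasons = suspicion_reasons(entry) if entry else []
        if reasons:
            flagged[entry["lnk"]] = reasons
    return flagged


if __name__ == "__main__":
    for lnk, why in flag_startup_shortcuts(SAMPLE_LOG).items():
        print(f"{lnk}: {'; '.join(why)}")
```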

Hi there. Thank you! During the reformat, I did not have an external drive, but I did have another internal drive (besides the SSD, which is where Windows was). Is it possible the .vbs payload was lying dormant on this external drive?

If so, how would I go about searching for this file? Would it be hidden? That may also help identify the source of the infected file (aka whatever I downloaded, most likely).


Sorry, I meant:

Is it possible the .vbs payload was lying dormant on this internal drive?


Hi,

Let's check for the file.

Run the Farbar program .exe as an Administrator.

In the Search text area, copy and paste the following:
winjs.vbs
Once done, click on the Search Files button and wait for FRST to finish the search.
On completion, a log will open in Notepad. Copy and paste its content in your next reply.
===

p.s.
You may have to run the Farbar program on the external drive also.


Yes! I will follow these steps and update progress tonight.


Hi there. I ran the scan, and no additional results were found. If the infection came from the E drive, that must mean that the removable device I installed Windows from (which was made on the infected machine, unfortunately) must have been compromised. My guess is that during the remote connection, the .vbs payload was added to the bootable USB install.

Attached is the file. Can I repeat these same steps (searching with Farbar) on other machines to ensure they are clean?

Thanks again for all your help.

Search.txt


Sure. Install the program on the other machine and check.


Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks

 
