Jump to content

Recommended Posts

Seems like I have the same issue as topic - 231920-trojanwin32fuerybcl

Malware bytes does not detect the virus\trojan, and every time I delete it from registry, startup menu and romaing directory it keeps coming back. 

It creates files in romaing directory - different names, different dlls, the different exe files are always signed microsoft files.

I want to try the solution you suggested in the topic above - but from where can I get the relevant fix list?

Thanks, AyaFRST.txtAddition.txt

Link to post
Share on other sites

Hello itamom and welcome to Malwarebytes,

Run the following:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

Next,

Open Malwarebytes Anti-Malware.
 
  • On the Settings tab > Protection Scroll to and make sure the following are selected:

    Scan for Rootkits
    Scan within Archives
     
  • Scroll further to Potential Threat Protection make sure the following are set as follows:
    Potentially Unwanted Programs (PUP`s) set as :- Always detect PUP`s (recommended)
    Potentially Unwanted Modifications (PUM`s) set as :- Alwaysdetect PUM`s (recommended)
     
  • Click on the Scan make sure Threat Scan is selected,
  • A Threat Scan will begin.
  • When the scan is complete if anything is found make sure that the first checkbox at the top is checked (that will automatically check all detected items), then click on the Quarantine Selected Tab
  • If asked to restart your computer to complete the removal, please do so
  • When complete click on Export Summary after deletion (bottom-left corner) and select Copy to Clipboard.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open Malwarebytes once more to retrieve the log.


To get the log from Malwarebytes do the following:
 
  • Click on the Reports tab > from main interface.
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:
    Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
    Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply

     
  • Use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply…


Next,

Please download AdwCleaner by Malwarebytes and save the file to your Desktop. https://downloads.malwarebytes.com/file/adwcleaner
  • Right-click on the program and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is ?updated.
  • Click Scan Now.
  • When finished, please click Clean & Repair.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Copy its content into your next reply. ?


Next,

Download Microsoft's " Malicious Software Removal Tool" and save direct to the desktop

Ensure to get the correct version for your system....

https://www.microsoft.com/en-gb/download/malicious-software-removal-tool-details.aspx


Right click on the Tool, select “Run as Administrator” the tool will expand to the options Window
In the "Scan Type" window, select Quick Scan
Perform a scan and Click Finish when the scan is done.


Retrieve the MSRT log as follows, and post it in your next reply:

1) Select the Windows key and R key together to open the "Run" function
2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

notepad c:\windows\debug\mrt.log

The log will include log details for each time MSRT has run, we only need the most recent log by date and time....

Let me see those logs in your reply, also tell me if there are any remaining issues or concerns..

Thank you,

Kevin...

fixlist.txt

Link to post
Share on other sites

Hi Kevin,

Thanks for your reply.

I donwloaded the fixlist.txt file and copied to FRST directory, but after opening FRTS I couldn't find the FIX button - where is it?

(I tried running the scan without the fix button but it didn't find anything)

 

Thanks, Aya

Link to post
Share on other sites

HI,

 

I did all the ablove but it didn't help.

I run FRST and clicked on Fix - log attached.

Boot to SafeMode

I scanned with Malwarebytes it didn't find anything - log attached, same with MSRT 

But I know it is still there:

I checked in task manager "startup" - I found new microsot entry this time "Windows Mobility Center" - I couldn't disable it.

    The file that it opens is in C:\Users\User\AppData\Roaming\YXLbnz 

    In this folder there are 2 files: Microsoft executable and dll dwmapi.dll

    The virus is coming back every time under different Romaing\xxxxxx directory in different dir name - (YXLbnz was in the last time) different dll and different signed microsoft executable. 

I uploaded the dll to VirusTotal, you can see the results in the bottom (could do it only in safemode, normal boot I couldn't do it):

any suggestion what to do next?

 

Virus total DETECTION

Ad-Aware Trojan.GenericKDZ.57258
Antiy-AVL Trojan/Win64.GenKryptik
SecureAge APEX Malicious
Arcabit Trojan.Generic.DDFAA
Avast Win64:Malware-gen
AVG Win64:Malware-gen
BitDefender Trojan.GenericKDZ.57258
Bkav W64.HfsReno.
CrowdStrike Falcon Win/malicious_confidence_90% (D)
Cylance Unsafe
Emsisoft Trojan.GenericKDZ.57258 (B)
eScan Trojan.GenericKDZ.57258
ESET-NOD32 A Variant Of Win64/GenKryptik.DOLT
FireEye Generic.mg.0d4fda6f34de2d2d
Fortinet W64/Kryptik.BQA!tr
Ikarus Trojan.Win64.Dridex
MAX Malware (ai Score=81)
MaxSecure Banker.Win64.Emotet.sb
McAfee Drixed-FID!0D4FDA6F34DE
Rising Trojan.GenKryptik!8.AA55 (TFE:5:9ke5hf230eR)
Sophos ML Heuristic
Trapmine Malicious.high.ml.score
Webroot W32.Adware.Gen
Acronis Undetected
 
 

Fixlog.txt FRST.txt Addition.txt

Link to post
Share on other sites

  • Staff

This is a dridex infection. We are in process of updating defs for it right now. Should be out in an hour or two at the most. The new mbam beta 4 does detect this already.

I was able to remove this manually by:

running a command prompt.

open taskmanager and kill explorer.exe

then from command prompt type

 

del C:\Users\User\AppData\Roaming\YXLbnz\*.*

 

(or whatever path is changed to now)

then in command prompt type

 

explorer.exe

 

Close command prompt.

 

Edited by shadowwar
Link to post
Share on other sites

Hello Aya,

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

Next,

Update Malwarebytes, run another threat scan. Post that log...

Thanls,

Kevin

 

fixlist.txt

Link to post
Share on other sites

Thank you, just noticed you`d already posted fixlog.txt. My bad, apologies.. Run another scan with FRST, make sure we caught all entries..

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan" Select scan, when done post the new logs. "FRST.txt" and "Addition.txt"


Cheers,

Kevin

Link to post
Share on other sites

FRST logs are showing clean now, no infection or remnants.... One more scan please, is very thorough but is needed to be done..

Download Microsoft's " Malicious Software Removal Tool" and save direct to the desktop

Ensure to get the correct version for your system....

https://www.microsoft.com/en-gb/download/malicious-software-removal-tool-details.aspx


Right click on the Tool, select “Run as Administrator” the tool will expand to the options Window
In the "Scan Type" window, select Quick Scan
Perform a scan and Click Finish when the scan is done.


Retrieve the MSRT log as follows, and post it in your next reply:

1) Select the Windows key and R key together to open the "Run" function
2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

notepad c:\windows\debug\mrt.log

The log will include log details for each time MSRT has run, we only need the most recent log by date and time....
 
Link to post
Share on other sites

If all is now ok do this to clean up:

Right click on FRST here: C:\Users\User\Desktop\worm\FRST64.exe and rename uninstall.exe when complete right click on uninstall.exe and select "Run as Administrator"

If you do not see the .exe appended that is because file extensions are hidden, in that case just rename FRST64 to uninstall

That action will remove FRST and all created files and folders...

Next,

Run Windows Disk Clean Up Utility - https://neosmart.net/wiki/disk-cleanup/

From there you should be good to go...

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin... user posted image
Link to post
Share on other sites

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.