Trojan Dropper InstallShield Installation Information

[Rusty24]

Hate to be a problem, but I just today did a full scan on my laptop and it found a trojan dropper under the file C:\Program Files (x86)\InstallShield Installation Information\{C65B26BC-5A6F-4135-9678-55A877655471}.

The scan hasn't full finished yet and I am going to quarantine the files and send the scan files here.

Can I get advice and assistance with this? I am trying to figure out how exactly I got this trojan dropper given how careful I have been trying to be with this machine.

[Rusty24]

Okay, here is the file 

Alright, what is the next move and how exactly did it get onto my machine?

Malware scan 2.txt

[Rusty24]

Here are the FRST files 

FRST.txt Addition.txt

[Rusty24]

I am looking up what the file is online, and it seems related to MSI dragon center, which is odd since I downloaded that from the company's official website a while ago and it seems like some anti-virus from mcafee to Bitdefender seem to treat it as a trojan but whenever I look up the file name and location online it just seems to be MSI Dragon Center and maybe its uninstall function or something.

Is it just a false positive or did MSI product get malware injected into it without them knowing, or something else entirely?

[Maurice Naggar]

Hi, Rusty24.

My name is Maurice. I will be helping and guiding you, going forward on this case.

Please follow my directions as we go along.  Please do not do any changes on your own without first checking with me.

If you will be away for more than 3 consecutive days,  do try to let me know ahead of time, as much as possible.

You had made 4 back to back posts  which made your help-request hard to spot.   We typically look for zero replies on a case as the means to spot new un-replied-to cases.

 

Please only just attach   all report files, etc  that I ask for as we go along.

.

Thanks for the reports.

One question to you:  Does this pc have Bitdefender Antispyware installed at this time ?

.

Please do all of what follows.   Keep going down the list.

Windows Controlled Folder Access needs to be set to OFF.   It is interfering with the MBAM link on the Desktop.

Select Start  ( from Windows Start menu)  >> click Settings  > Update & Security  > Windows Security > Virus & threat protection.
Under Virus & threat protection settings, select Manage settings.
Under Controlled folder access, select Manage Controlled folder access.
Switch the Controlled folder access setting to OFF .

.

[   2   ]

 

There are several Windows Task jobs with "no file".  What follows below is a cleanup to get rid of those.

 

This custom script is for Rusty24  only.

Close and save any open work files before starting this procedure.  I am sending a  custom fix script to do some cleanups.  

 

Please Close and save any open work files before you start this next step.  It may involve a Windows Restart at the end of it.

I am sending a   custom Fix script which is going to be used by the FRST64 tool. They will both work together as a pair.

Please RIGHT-click the (attached file named) FIXLIST and select SAVE AS and save it directly ( as is) to the Downloads  folder

The tool named FRST64.exe   tool    is already on the Downloads folder.

Start the Windows Explorer and then, open the Downloads folder.


Double click FRST64

  to run the tool. If the tool warns you the version is outdated, please download and run the updated version.

IF Windows prompts you about running this, select YES to allow it to proceed.

 

IF you get a block message from Windows about this tool......

click line More info information on that screen

and click button Run anyway on next screen.

 

on the FRST window:
Click the Fix button just once, and wait.

 

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity

 

[   2   ]

Also do this as well.

Let’s start by doing a new thorough scan with Malwarebytes for Windows.   The goal is to see whether there is an infection or P U P.

 

Let's do one new run with Malwarebytes for Windows.

Start Malwarebytes.

Click Settings. Click Protection tab & scroll down to Scan options.

On the section "Potential Threat Protection"
look down at the one "Potentially Unwanted Programs (PUPs)" look and make sure it is set to
"Always detect PUPS ".

and

look down at the one "Potential Unwanted Modifications (PUM)" look and make sure it is set to
"Always detect PUM ".

and
scroll all the way down to the section Automatic Quarantine
On the line "Automatically quarantine detected malware" be sure it is ON



Then once all set there, click on SCAN button
Then insure Threat scan has a check mark. Then click Start scan.
Review the results list.
Then I would suggest you make sure all lines have a check mark

To that end, if you click the very top left checkbox you can force all detected lines ( if any are detected)  to be selected for removal. Be sure each line is checked.

 

 

Then you can proceed to click on the blue button Quarantine selected.

In Malwarebytes.
Click the Reports button ( on the left )
Look for the "Scan Report" that has the most recent Date and time.

When located, click the check box for it and click on View Report.
Then click the Export button at the bottom left.
Then select Text File (*.txt)

Put in a name for that file and remember where the file is created.

Then attach that file with your next reply 

 

Fixlist.txt

[Rusty24]

No, there is no bitdefender anti-spyware, or at least I have tried to uninstall it but I guess it is still sticking around somehow.

[Rusty24]

Here is the fixlog 

Fixlog.txt

[Rusty24]

With the malwarebtyes scan, will I tick both the C and D drives to be scanned or just the C drive?

I have the controlled access off but I don't have the setting for automatic quarantine due to just having the free version of Malwarebtyes. However, the other sections are as you recommended. 

[Maurice Naggar]

We want just a regular Threat scan with all the tips I listed.    ( if you want later on.....you can do your own scan  ( custom scan for the D drive ) ....if you want.

For now, do like I suggested, please

[Rusty24]

Okay, here is the scan results you recommended.

Is that okay?

Malware scan 3.txt

[Maurice Naggar]

Thanks for the report.  Yes, that is excellent result.

Objects Scanned: 319104
Threats Detected: 0
Threats Quarantined: 0

 

If you want to scan your D drive, you need to select a Custom scan.

Open Malwarebytes

 

Next, click the icon button at left marked SCAN

 

Then, from the 3 panel choices, click on the middle one marked CUSTOM

( IF you see a summary white screen with a green check, click on the Close X spot on the right side so you get to that out of the way & then click Scan button on the left & then Custom scan on the middle selected .)

 

 

Then click on Configure Scan button

 

be sure the Scan for rootkit on left is ticked

 

Be sure to click on the box marked D on the right.

 

NOTE:  Depending on how many files there are & also depending on speed of hardware, a Custom scan may take several hours.

[Rusty24]

Alright then, I will scan D, although it will require fully scanning both drives when you want rootkit scans as well. Which will probably take two hours. 

 

[Maurice Naggar]

A custom scan allows you to pick whichever  drive you want.  That is to say, you can pick one drive only, if you want.

Keep the drive you dont want scanned un-ticked.

Just tick the drive you want to scan.

[Rusty24]

Okay, the scan is being done but sadly not matter what I tried I couldn't just get the custom scanner to just scan the D drive with the rootkit option on, it wants both drives scanned.

Sorry for that.

Thankfully, it does seem to be working faster than what I am use to. I will post the scan report when it is done.

BTW, may I ask how is it possible for the MSI Dragon Center uninstaller function (I checked and it seemed to be the feature removed when that threat file was put into quarantine) was a trojan dropper? It was titled as a setup.exe but I am puzzled as to how a file that seems to be for uninstalling or something like that be used as a trojan. 

 

[Rusty24]

Here is the scan report 

Malware scan 4.txt

[Maurice Naggar]

What had been removed before was one EXE file , named SETUP.exe

C:\PROGRAM FILES (X86)\INSTALLSHIELD INSTALLATION INFORMATION\{C65B26BC-5A6F-4135-9678-55A877655471}\SETUP.EXE

along with 1 registry entry related to it.

Regretfully, I cannot say what content that file contained.  I also cannot know how that got installed on your PC.

Perhaps you can recall what you installed recently.

 

IF you feel you actually need this fie & you feel it is safe, it can be restored from Quarantine,  then set as a exclusion, & a copy of  it can be uploaded to an analysis center.

 

The last scan report is all good.

[Rusty24]

I can not say for sure since the only thing I can find on it is that it is part of MSI dragon center file and seems to relate to uninstalling it (app as it is seems to work just fine), I downloaded a update from the manufacturer's website a month ago but it is only recent that uploading the file for this to total virus had half of the anti-virus and malware flag that one set-up as bad when it was fine ages ago

https://www.virustotal.com/gui/file/1b948a4297783a028ce5fb4a8a0d25e5ebfd576d4ce2fde7fec18700b536eb48/detection

It probably helped that I had the manage control file protection on. Although I did have Zemana catch and delete some files off Ublock origin for chrome before all this but I can't say if that is related to the Dragon Center files. At the same time, I got the official ublock origins and scans of downloaded files of the dragon center (been very careful at looking at those files and not activating them) doesn't seem to set off any red flags to anything. And I haven't find many reddits or reports of this being flagged as malware yet.

Has left me pretty stumped how to avoid this problem happening again since I've been so careful (I do know that there is sadly the new problem of malware creators managing to get their programs into supply chains of official programs, not sure if this is the case or not I am not too great at understanding what goes on underneath the hood of tech).

 

 

[Maurice Naggar]

I appreciate that you relayed the link to the VirusTotal scan report.  There are a very large number of scanners identifying the file as a trojan.

Lets keep the file in the Quarantine.

Let's do a new scan, with ESET.

 

I would suggest a free scan with the ESET Online Scanner
Go to https://www.eset.com/us/home/online-scanner/

Look on the right side of the page.  Click Scan Now
It will start a download of "esetonlinescanner_enu.exe"
Save the file to your system, such as the Downloads folder, or else to the Desktop.

Go to the saved file, and double click it to get it started.
When presented with the initial ESET options, click on "Computer Scan".

Next, when prompted by Windows, allow it to start by clicking Yes

When prompted for scan type, Click on Full scan
Click on the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click on Start scan button.

Have patience.  The entire process may take an hour or more. There is an initial update download.
There is a progress window display.
You should ignore all prompts to get the ESET antivirus software program.   ( e.g.  their standard program).   You do not need to buy or get or install anything else.

When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.

Click The blue “Save scan log” to save the log.

If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files”  ( in blue, at bottom).

Press Continue when all done.  You should click to off the offer for “periodic scanning”.

 

[Rusty24]

Okay, here is the scan report 

I am hoping it wasn't anything important to Dragon center but it seems like the program is working just fine and hasn't damaged say how it controls the power usage or fans.

I am somewhat baffled at how much this related to dragon center since it find I think issues with a downloaded file of that same program in the recycle bin. Like I have had my system scanned by hitmanpro, malwarebtyes, zemana, sphos virus removal tool, Windows defender, and somehow they missed those. 

Like I may or may not be surprised if MSI didn't care enough to check if something was wrong with their recent dragon center update, like there is one driver update that they didn't either leave instructions of how to install or simply no installer at all for the laptop build I have. Like I am still trying to figure out what those files did but I assume those zip files might be the ones in the download section, I am not sure, like what does C:\Users\luked\AppData\Local\Temp\ keep exactly there?

 ESET Scan.txt

[Maurice Naggar]

Thank you for the ESET scan report.  That run was well worth doing.  It tagged & deleted several "setup  EXE"  files.

 

The folder C:\Users\luked\AppData\Local\Temp  is one of the Temporary folder areas.

 

Let me suggest one other scan for this system.

The Microsoft Safety Scanner  is a free Microsoft stand-alone virus scanner that  can be used to scan for & remove malware or potentially unwanted software from a system.

The download links & the how-to-run-the tool are at this link at Microsoft

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Let me know the result of this.

The log is named MSERT.log 

the log will be at  %SYSTEMROOT%\debug\msert.log   which in most cases is

C:\Windows\debug\msert.log

Please attach that log with your reply.

 

[Rusty24]

Full or quick scan option with the Microsoft safety scanner?

[Rusty24]

Alright, here is the scan report 

msert.log

[Maurice Naggar]

Thank you for the MS Safety Scanner log.   That run found no viruses / no malware.

Results Summary:
----------------
No infection found.
Microsoft Safety Scanner Finished On Mon Nov 04 22:40:52 2019

 

IF you wish to, you could do a new run & pick Full scan.   Kindly let me know if you need other help.

[Rusty24]

Well that was a full scan one, but I could try again but I am guessing it wouldn't make much of a difference.

And thank you for the help so far, it is much appreciated.

I do have to ask though if there is any way possible to avoid something like this happen in future again or is it just something that is just unavoidable even if you have say a sandbox program or paid anti-malware program?

 

[Maurice Naggar]

One full scan is enough.   You are quite welcome.  I am glad to help.

How to better protect.

IF you do not now have Premium Malwarebytes for Windows, get a Premium license.   If you also have Android device(s), and / or Chromebook and /or also Mac OS X, get a Premium license with a seat for each one.

 

Backup your systems.  Backup is your best friend. Do a periodic backup on offline storage media.

Keep up to date with Microsoft Windows Update.

 

Best  practices & malware prevention:
Follow best practices when browsing the Internet, especially on opening links coming from untrusted sources.
First rule of internet safety: slow down & think before you "click".

Never click links without first hovering your mouse over the link and seeing if it is going to an odd address ( one that does not fit or is odd looking or has typos).

Free games & free programs are like "candy". We do not accept them from "strangers".

Never open attachments that come with unexpected ( out of the blue ) email no matter how enticing.
Never open attachments from the email itself. Do not double click in the email. Always Save first and then scan with antivirus program.
 

 

Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed.
Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next".

Use a Standard user account rather than an administrator-rights account when "surfing" the web.
See more info on Corrine's SecurityGarden Blog http://securitygarden.blogspot.com/p/blog-page_7.html
Dont remove your current login. Just use the new Standard-user-level one for everyday use while on the internet.

 
Do a Windows Update.

Make certain that Automatic Updates is enabled.
https://support.microsoft.com/en-us/help/12373/windows-update-faq

Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

For other added tips, read "10 easy ways to prevent malware infection"

.

See this article on our Malwarebytes Blog
https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

 

You want to disable the ability of each web browser on this machine from being able to allow "push ads". That means Chrome, Firefox, or Edge browser (on Windows 10), or on Opera.

Scroll down to the tips section "How do I disable them".

IF this pc has Chrome:

I suggest you install the Malwarebytes Browser guard on to Chrome browser.

To get & install the Malwarebytes Browser Guard extension for Chrome,

 

Open this link in your Chrome   browser: 

https://chrome.google.com/webstore/detail/malwarebytes/ihcjicgdanjaechkgeegckofjjedodee

 

Then proceed with the setup.

 

IF this pc has FIREFOX:

To get & install the Malwarebytes Browser Guard  Firefox extension.

Open this link in your Firefox browser:   

https://addons.mozilla.org/en-US/firefox/addon/malwarebytes/

Then proceed with the setup.

That link is for English US.   There are other language version.  Just go to the very bottom right of the page and look at “Change language” list drop down.

Cleanup of tools:

You should delete the Fixlist.txt  I had you save.   Delete the Fixlog.txt

You may delete the tools I had you download.

 

Let me know if you need anything else.

Edited November 5, 2019 by Maurice Naggar