Potential infection of computer? (Random Processor Spikes from FileCoAuth)


Solved by Maurice Naggar

Hello, a while ago I suffered from an attack of a Neshta virus by downloading a game from Itch.io (first time encountering a virus on the page). It was blocked by Microsoft Security Essentials; I stupidly turned off MSE, thinking it was a false positive, and clicked the fake game exe.

I noticed that the program was executing in a wrong way (not like other games from the site, as it appeared to unzip something), and I quickly shut down the viral process that was running, turned MSE back on, and deleted the file called AsmValue.exe (that was in its own folder in AppData\Roaming). A few of my game clients were infected along with OneDrive and Discord, but I reinstalled them with fresh installers after deleting the infected exes. I ran the AVG Neshta remover, which disinfected several files, and I also ran a full MalwareBytes scan, which detected OneDrive as being infected along with registry values, and it cleaned those. After that, I was able to run several scans from Avast, Eset Online Scanner, HitmanPro, TDSS Killer, MBAR, and Kaspersky, but I found no evidence of malware on my system from the scans.

Ever since then, my computer has been running mostly fine. However, the startup seems to have been a bit slower than before, and even though I have OneDrive turned off, there are sudden spikes related to FileCoAuth.exe (32 bit) in Process Explorer that quickly disappear before I have a chance to figure out whether it is a legit process or not. I'm sure my computer is mostly fine for the time being, but I'm still worried that my system potentially has something that wasn't picked up by the scanners. Can someone help me verify that this is the case? Attached below are the entries for FileCoAuth, AsmValue.exe, and an exe that ran from the infected game exe:

Attachments: FileCoAuth screenshot.png, gtestscreenshot.png, ASMScreenshot.png


Hi, @RisicoWolf
My name is Maurice. I will be helping and guiding you, going forward on this case.
Let me know what first name you prefer to go by.

Please follow my directions as we go along. Please do not make any changes on your own without first checking with me.

Please attach only the report files etc. that I ask for as we go along.

I see you have run a whole raft of scans on your own. Please do not do any more by yourself. I will guide you from here on out.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system.

The download links & how to run the tool are at this link at Microsoft:

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

Select a "Full scan". Let me know the result of this.

The log is named MSERT.log and will be at C:\Windows\debug\msert.log

Please attach that log with your reply.


Hi, Alex.

Let the virus scans finish and then provide (attach) a copy of the scan log report. That is the first main thing.

The tool you are using to 'monitor' may just be having a display issue. As I know from experience in Task Manager, the refreshing (display) on screen will shift and re-sort & thus result in your losing sight of a process. It is just best to submit a copy of the suspect file up to VirusTotal for analysis.

But first, before you do anything, set Windows to SHOW all folders and all files, including hidden ones and system folder locations, like AppData.

Open Windows File Explorer.

Select View from its top menu bar > click Options on the icon at the far right-side > Change folder and search options (from the drop down).

  • on the next multi-tab mini-window
  • Select the View tab and, in Advanced settings,
  • select Show hidden files, folders, and drives
  • and OK.

[ 2 ]

Can you please go to the VirusTotal website (which is a site that many security companies use to upload and check files for potential malware. The site uses multiple search engines from several companies).
Go to the link https://www.virustotal.com/gui/home/upload

You will see the Choose file button. Click that as a first step. You will then see a dialog grid from Windows.
In the white "File name" box copy and plunk the full-path & file-name of the file FileCoAuth.exe

After you submit the file for analysis, save the link location of that result at VirusTotal and relay that in your reply.

Later on, we can do some other things. But let's stay out of Task Manager, or Process Explorer.


By the way. If the file (process) FileCoAuth is in the local-user AppData\Local folder (as it is in your case), that file is for Microsoft OneDrive.
That is not malware.
Your machine is on Windows 10, though I cannot tell just which version. However, your file should be located at something like this:
C:\Users\Alex\AppData\Local\Microsoft\OneDrive\20.201.1005.0006\FileCoAuth.exe

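An added example, written for this thread rather than taken from it: a PowerShell check a defender can run to confirm the identity of the FileCoAuth.exe binary described in the post above, instead of trying to catch the short-lived process in Task Manager. It verifies that the file sits under the OneDrive folder in AppData\Local, that its Authenticode signature is valid and issued to Microsoft Corporation, reads the version resource, and prints the SHA-256 hash together with the VirusTotal URL for that hash, so the file can be looked up by hash without uploading it. The default path is the one quoted in the post; the version folder name will differ on other machines, and the `$Path` parameter is this example's own.

```powershell
# Added example (not from the thread): confirm a suspect binary's identity before
# deciding whether it is the genuine OneDrive component or something pretending to be.
param(
    # Default taken from the path quoted in the thread; the version folder varies per install.
    [string]$Path = "$env:LOCALAPPDATA\Microsoft\OneDrive\20.201.1005.0006\FileCoAuth.exe"
)

if (-not (Test-Path -LiteralPath $Path)) {
    Write-Warning "File not found: $Path"
    return
}

$item = Get-Item -LiteralPath $Path

# 1. Location: the genuine OneDrive component lives under %LOCALAPPDATA%\Microsoft\OneDrive.
$expectedRoot = Join-Path $env:LOCALAPPDATA 'Microsoft\OneDrive'
$inExpectedFolder = $item.FullName.StartsWith($expectedRoot, [System.StringComparison]::OrdinalIgnoreCase)

# 2. Authenticode signature: Microsoft's OneDrive binaries carry a valid Microsoft Corporation signature.
$sig = Get-AuthenticodeSignature -FilePath $item.FullName
$signedByMicrosoft = ($sig.Status -eq 'Valid') -and
                     ($sig.SignerCertificate.Subject -like '*O=Microsoft Corporation*')

# 3. SHA-256 hash, lower-cased to match the form VirusTotal uses in its file URLs.
$hash = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash.ToLower()

# 4. Version resource, to cross-check against the OneDrive version folder the file sits in.
$ver = $item.VersionInfo

[pscustomobject]@{
    Path              = $item.FullName
    InExpectedFolder  = $inExpectedFolder
    SignatureStatus   = $sig.Status
    Signer            = $sig.SignerCertificate.Subject
    SignedByMicrosoft = $signedByMicrosoft
    ProductName       = $ver.ProductName
    FileVersion       = $ver.FileVersion
    SHA256            = $hash
    VirusTotalLookup  = "https://www.virustotal.com/gui/file/$hash"
} | Format-List

# Any instance running right now, with the path it was started from. The process is
# short-lived, so this list will often be empty; that is not by itself suspicious.
Get-Process -Name FileCoAuth -ErrorAction SilentlyContinue |
    Select-Object Id, StartTime, Path
```

A file that fails either the location check or the signature check deserves the VirusTotal upload the post asks for; one that passes both and whose hash already has a VirusTotal record needs no upload at all.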

Yep, that is the file path that I got when I opened the file location of the process. Also, Edge sometimes pops up with "Help with File Explorer" on its own (my headset cable was close to my keyboard at the time, so I moved it away), and I just saw Chrome open up on its own (might have been me clicking on it earlier before going out briefly, but I'm not sure). I set Hidden Files and Folders to be shown. Here is the VirusTotal scan of the exe: https://www.virustotal.com/gui/file/618c48236a2ab1bde332751ce05d666d29815399ab9a26c1dea575c08caa5506/detection and also the Safety Scanner log (it shows my machine is clean so far):

 

msert.log


Yes, the file FileCoAuth is a Microsoft file. Definitely NOT malware. And the Safety Scanner found zero malware / zero viruses.

You mentioned at the top you had scanned with Avast, Eset Online Scanner, HitmanPro, TDSS Killer, MBAR, and Kaspersky. That is a lot. That is plenty.

Thus it needs repeating: no malware here.

It's possible your machine has some Windows tasks related to OneDrive, some periodic maintenance, and if the machine is doing any syncing with OneDrive, that would be reflected in what you had seen.

Look at this thread at the Microsoft Answers website:
https://answers.microsoft.com/en-us/windows/forum/all/onedrive-version-173651708091-keeps-spawning/ebed9e77-72a8-4ba2-8d7b-21916274aa39

Expand all replies and then look at replies by
A. User &
Robu

The gist is that the OneDrive sync app is involved,
and/or if you sync some things (like music or multi-media) on OneDrive.


Alright, thanks for confirming with me that the machine is clean. I guess the fact that my machine runs on an HDD may account for the slower performance. Also, I don't have any music or files that I sync on OneDrive, but I assume some other app utilizes OneDrive sync for some reason. Nothing appears to be in Services besides the usual game clients and Nvidia services, and Startup is clean as well. I wasn't sure about the Neshta infection, but from what I understand, it only affects infected exes, correct? If so, then there's nothing to worry about on my side.


Hi Alex. As to the scan history from Microsoft Defender Antivirus from 2 November, first it should be noted that screen grabs are the worst method for purposes of review & analysis. It is always best to get them in an actual report file.
But it should be noted that these bottom-line conclusions can be made.
1. A set of registry entries for some Class IDs were flagged and removed on November 2. Class IDs do not have a file payload & these entries did not (cannot) 'run' anything. Thus not a physical threat.
2. Two files were flagged and removed on November 2 at 2:21 PM & 2:22 PM.
3. So if there have been no further files flagged that have not been dealt with, then one can feel confident that the situation is good.

As far as Win32/Neshta.A, see what MS Security Intelligence has to say: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Virus:Win32/Neshta.A

Granted it is not a lot. However, it does tell us that Defender will remove it.
.
What I would urge you to do is two things.
1. Do a new manual scan, a Full scan, with Microsoft Defender Antivirus.
From the Windows Start menu, click Settings (gear icon) and then go to Update & Security.
Click Windows Security on the left.
Click Virus & threat protection.
A. Scroll down and click on Check for updates (to check for the latest Microsoft Antivirus intelligence updates).
B. Scroll back up (return to Virus & threat protection) and now click on "Scan options".
C. Pick "Full scan".
D. Have lots of patience. Let that proceed till it finishes. When done, jot down what the result is.
.
2. The next task is to run a diagnostic readout report, the Farbar FRST report tool, & attach 2 files on your next reply so that I can review. My main goal will be to see what it shows for the Defender Antivirus events for today and the day before (if any).

See how to get & run Farbar FRST at this pinned topic: https://forums.malwarebytes.com/topic/9573-im-infected-what-do-i-do-now/?tab=comments#comment-46166

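An added example, not taken from the thread: since screen grabs are a poor record of what Defender did, this PowerShell script (run from an elevated prompt) uses the built-in Defender cmdlets to write Defender's current status and its complete detection history to a text file that can be attached to a reply, and can optionally perform the update and Full scan from step 1 of the post first. The report path and the `-RunFullScan` switch are choices made for this example; the cmdlet and property names are those of Windows' Defender module.

```powershell
# Added example (not from the thread). Uses the Windows Defender PowerShell module that ships
# with Windows 10: Get-MpComputerStatus, Get-MpThreatDetection, Get-MpThreat,
# Update-MpSignature and Start-MpScan.
param(
    # Report location chosen for this example; any writable path will do.
    [string]$ReportPath = (Join-Path $env:USERPROFILE 'Desktop\DefenderReport.txt'),
    # Set -RunFullScan to carry out the post's steps A to C (update, then Full scan) before reporting.
    [switch]$RunFullScan
)

if ($RunFullScan) {
    Update-MpSignature                 # step A: pull the latest security intelligence
    Start-MpScan -ScanType FullScan    # steps B and C: Full scan; this call returns when the scan ends
}

$status     = Get-MpComputerStatus
$detections = @(Get-MpThreatDetection -ErrorAction SilentlyContinue | Sort-Object InitialDetectionTime)

$lines = New-Object System.Collections.Generic.List[string]
$lines.Add("Microsoft Defender report generated $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')")
$lines.Add("  Antivirus enabled        : $($status.AntivirusEnabled)")
$lines.Add("  Real-time protection     : $($status.RealTimeProtectionEnabled)")
$lines.Add("  Signature version        : $($status.AntivirusSignatureVersion)")
$lines.Add("  Signatures last updated  : $($status.AntivirusSignatureLastUpdated)")
$lines.Add("  Last full scan finished  : $($status.FullScanEndTime)")
$lines.Add("  Last quick scan finished : $($status.QuickScanEndTime)")
$lines.Add("")
$lines.Add("Detection history entries: $($detections.Count)")

foreach ($d in $detections) {
    # Get-MpThreat resolves the numeric ThreatID to a name such as Virus:Win32/Neshta.A
    $threat = Get-MpThreat -ThreatID $d.ThreatID -ErrorAction SilentlyContinue
    $lines.Add("  [$($d.InitialDetectionTime)] ThreatID $($d.ThreatID)  $($threat.ThreatName)")
    $lines.Add("    CleaningActionID (action taken)                  : $($d.CleaningActionID)")
    $lines.Add("    CurrentThreatExecutionStatusID (did it execute?) : $($d.CurrentThreatExecutionStatusID)")
    $lines.Add("    ActionSuccess                                    : $($d.ActionSuccess)")
    foreach ($r in $d.Resources) {
        # Resources lists what was flagged: file paths, registry keys, and so on.
        $lines.Add("    Resource: $r")
    }
}

Set-Content -LiteralPath $ReportPath -Value $lines -Encoding UTF8
Write-Host "Report written to $ReportPath"
```

The Resources field is the part that answers the question in the post: a detection whose resources are only registry class IDs has no file payload to run, while one that lists a file path shows exactly which file was flagged and, through CleaningActionID and ActionSuccess, what Defender did about it.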

Thanks for the FRST reports. The result from Microsoft Defender is excellent. This system is on Windows version 20H2 (build 19042.630). As noted before, the Defender antivirus is a very capable one.

Let me suggest that you run the System File Checker app, just to do an integrity check of this Windows system's files.

This procedure will use the Windows System File Checker tool (SFC).

Open an elevated command prompt window, i.e. run Command Prompt as an administrator.

It is best to use Windows Copy (CTRL+C) and Paste (CTRL+V) for the whole line, as-is.

To get the elevated command prompt, press Windows-key + X key and then select Command Prompt (Admin).

On that command prompt, copy & paste this command

sfc /scannow

and press Enter. Jot down & let me know what the bottom line result is.


That is very good to have that result. Thanks again for the FRST reports. There is no malware here. However, I did notice a couple of minor traces of Avast / AVG antivirus shell overlay IDs.
The following custom script is intended to remove those, plus to run the Windows DISM tool to recheck this Windows.
It should not take a lot of time to do.

Please be sure to close any open work files, documents, and any apps you started yourself before starting this.

The system will be rebooted after the script has run.

Save the attached file FIXLIST.txt to the DESKTOP. Save it as-is.

.

This custom script is for RisicoWolf only / for this machine only.

Close and save any open work files before starting this procedure. If there are any CD / DVD / USB flash-thumb or USB storage drives attached, please disconnect any of those.

Start Windows Explorer and then go to the Desktop.


RIGHT click on FRST64 and select Run as Administrator and allow it to proceed. Reply YES when prompted to allow it to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool......
click the line "More info" on that screen
and click the "Run anyway" button on the next screen.

On the FRST window:
Click the Fix button just once, and wait.

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity.

Please know this will do a Windows Restart. Just let it do its thing.

Fixlist.txt


There is nothing else I can think of that I need at the moment. I do have a question though:

After disinfecting a virus and its files, are there any changes it could make to a system that can phone back, or would those be detected as malware modifications and be dealt with accordingly? I've been pretty worried about this, but from what you have said, I believe my computer is fine for now.

Thank you again for cleaning up the leftover files! :) I’ll be awaiting your instructions.

Solution

Hi Alex. There is no basis for assuming any residual 'phone home' leftover. The Windows System File Checker found no issue. Also, the Windows DISM tool checked the integrity of the Windows system and found no issue. Further to that, the Full scan with Microsoft Defender found no virus, no malware. I recall, furthermore, that you had run 6 different security tool scans before all that. The integrity of the Windows installation is not in question.


Cleaning up on the tools I had you use before:

To remove the FRST64 tool & its work files, do this. Go to your Desktop folder. Do a RIGHT-click on FRST64.exe & select RENAME & then change it to UNINSTALL.exe.
Then run that (double click on it) to begin the cleanup process.

Delete msert.exe.

Any other download file I had you save, you may delete.

I do wish you all the best. 😎

Sincerely.

Maurice


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you

This topic is now closed to further replies.